[Solved]: Is someone trying to hack my site? [Solved]: Is someone trying to hack my site?
 

News:

cpg1.5.48 Security release - upgrade mandatory!
The Coppermine development team is releasing a security update for Coppermine in order to counter a recently discovered vulnerability. It is important that all users who run version cpg1.5.46 or older update to this latest version as soon as possible.
[more]

Main Menu

[Solved]: Is someone trying to hack my site?

Started by kali, April 07, 2008, 12:16:29 AM

Previous topic - Next topic

0 Members and 1 Guest are viewing this topic.

kali

Hi all

I am running the most recent version of coppermine and I've noticed some strange activity on my access log today:


"GET /coppermine/index.php?cat=14 HTTP/1.1" 200 53193 "-" "Mozilla/8.0"
"GET /coppermine/update.php HTTP/1.1" 200 30289 "-" "Mozilla/8.0"
"POST /coppermine/pluginmgr.php?op=upload HTTP/1.1" 302 25204 "-" "Mozilla/8.0"
"GET /coppermine/update.php HTTP/1.1" 200 30301 "-" "Mozilla/8.0"
"GET /coppermine/plugins/docs.php HTTP/1.1" 404 1046 "-" "Mozilla/8.0"
"POST /coppermine/pluginmgr.php?op=upload HTTP/1.1" 302 25204 "-" "Mozilla/8.0"
"GET /coppermine/update.php HTTP/1.1" 200 30289 "-" "Mozilla/8.0"
"GET /coppermine/plugins/docs.php HTTP/1.1" 404 1046 "-" "Mozilla/8.0"
"POST /coppermine/pluginmgr.php?op=upload HTTP/1.1" 302 25204 "-" "Mozilla/8.0"
"GET /coppermine/plugins/docs.php HTTP/1.1" 404 1046 "-" "Mozilla/8.0"
"GET /coppermine/update.php HTTP/1.1" 200 30289 "-" "Mozilla/8.0"
"POST /coppermine/pluginmgr.php?op=upload HTTP/1.1" 302 25204 "-" "Mozilla/8.0"
(and is then repeated two or three times in a five minute window all from the same IP address based in Russia)


I went in through my FTP client and there is a new folder in plugins called 'receive' with a CMOD of 777

I checked through all my other files/files and according to the FTP nothing else has been modified. I've not been able to delete the new folder as my webhost is looking into it but I have deleted update.php and pluginmgr.php so if they do come back they'll have to find another way in.

What can I do to protect myself from this sort of thing in the future? And are there any other security steps I can put in place?


Nibbler

It's harmless. Just because the logs shows someone tried to access something doesn't mean they did anything. receive is a normal part of Coppermine.

slausen

Quote from: kali on April 07, 2008, 12:16:29 AM
Hi all

I am running the most recent version of coppermine and I've noticed some strange activity on my access log today:


"GET /coppermine/index.php?cat=14 HTTP/1.1" 200 53193 "-" "Mozilla/8.0"
"GET /coppermine/update.php HTTP/1.1" 200 30289 "-" "Mozilla/8.0"
"POST /coppermine/pluginmgr.php?op=upload HTTP/1.1" 302 25204 "-" "Mozilla/8.0"
"GET /coppermine/update.php HTTP/1.1" 200 30301 "-" "Mozilla/8.0"
"GET /coppermine/plugins/docs.php HTTP/1.1" 404 1046 "-" "Mozilla/8.0"
"POST /coppermine/pluginmgr.php?op=upload HTTP/1.1" 302 25204 "-" "Mozilla/8.0"
"GET /coppermine/update.php HTTP/1.1" 200 30289 "-" "Mozilla/8.0"
"GET /coppermine/plugins/docs.php HTTP/1.1" 404 1046 "-" "Mozilla/8.0"
"POST /coppermine/pluginmgr.php?op=upload HTTP/1.1" 302 25204 "-" "Mozilla/8.0"
"GET /coppermine/plugins/docs.php HTTP/1.1" 404 1046 "-" "Mozilla/8.0"
"GET /coppermine/update.php HTTP/1.1" 200 30289 "-" "Mozilla/8.0"
"POST /coppermine/pluginmgr.php?op=upload HTTP/1.1" 302 25204 "-" "Mozilla/8.0"
(and is then repeated two or three times in a five minute window all from the same IP address based in Russia)


I went in through my FTP client and there is a new folder in plugins called 'receive' with a CMOD of 777

I checked through all my other files/files and according to the FTP nothing else has been modified. I've not been able to delete the new folder as my webhost is looking into it but I have deleted update.php and pluginmgr.php so if they do come back they'll have to find another way in.

What can I do to protect myself from this sort of thing in the future? And are there any other security steps I can put in place?



Wow.

Does pluginmgr.php allow uploads from non-Admin users? Is that behavior intentional? If so, that would seem to be a major security hole. I was just about to start an upgrade to the current version to take advantage of all the security fixes, and then I see your post...

Nibbler


slausen

Quote from: Nibbler on April 07, 2008, 12:44:34 AM
It's harmless. Just because the logs shows someone tried to access something doesn't mean they did anything. receive is a normal part of Coppermine.

Great, thanks.

kali

Quote from: Nibbler on April 07, 2008, 12:44:34 AM
It's harmless. Just because the logs shows someone tried to access something doesn't mean they did anything. receive is a normal part of Coppermine.

Thank you for your reply. I'm usually not too worried about this sort of thing, however, the 'receive' folder as saying it was modified at exactly the same time (although there was nothing in it) which is what caused the alarm bells to ring.