[Closed]: Helping each other with problems resulting from cdpuvbhfzz hacking? - Page 2 [Closed]: Helping each other with problems resulting from cdpuvbhfzz hacking? - Page 2
 

News:

cpg1.5.48 Security release - upgrade mandatory!
The Coppermine development team is releasing a security update for Coppermine in order to counter a recently discovered vulnerability. It is important that all users who run version cpg1.5.46 or older update to this latest version as soon as possible.
[more]

Main Menu

[Closed]: Helping each other with problems resulting from cdpuvbhfzz hacking?

Started by marian, April 11, 2008, 10:56:15 AM

Previous topic - Next topic

0 Members and 1 Guest are viewing this topic.

Llama8668

I've been hacked yet again despite upgrading to 4.1.7 and attempting to clean everything up. Anyone have any advice as to how they're still getting in (will it be that there are files still left in the upload/albums which are being used) as thing is getting ridiculous  >:(.

marian

Quote from: Llama8668 on April 12, 2008, 03:18:08 PM
I've been hacked yet again despite upgrading to 4.1.7 and attempting to clean everything up. Anyone have any advice as to how they're still getting in (will it be that there are files still left in the upload/albums which are being used) as thing is getting ridiculous  >:(.
I had my doubts about this being over, once we were hacked AFTER our only URI upload was disabled. Bad, bad scene.

Joachim Müller

No. Jpeg files can't be infected anyway, as Abbas already explained.

marian

Quote from: Joachim Müller on April 12, 2008, 05:02:00 PM
No. Jpeg files can't be infected anyway, as Abbas already explained.
I dont know if this is relevant but given the hackings after upgrades I thought I would mention it.
Someone has suggested to me that it could be that coppermine will accept a file as long as it contains jpg or other acceptable file format. So a file named PIC.jpg.php with malicious code would be accepted. Don't know if he is right and cant test as we have disabled gallery.

Joachim Müller

Upgrading will not clean your site once it is infected. The attacker left a backdoor, you have to thoroughly sanitize your site - you can not just perform the upgrade and think that everything is dandy.

Llama8668

Would preventing the upload of zips (forbid it in the accepted types options in the config section) help at all?

For one of the two sites which went down again the offending files were re uploaded again (after the upgrade to 4.1.7).

For the other I couldn't see the files present. It appears to have been hacked again though making it twice today.

To a degree I think all I need is a way to battern down the hatches, specifically stop the spread outside of the coppermine gallery (if it's just the addition of code they're doing I'm happy to keep re uploading the gallery files, it just becomes a big chore when it's spread to other files like forums and normal site php files).

The suggestion solution seems to be a PHP.ini file (specifically the open_basedir setting). I've tried to add that to the root of the gallery, however it spits out errors as the includes appear to fail with open_basedir set to off. I'm I just doing it wrong (should it perhaps be added to just the upload albums?) or is there some otherway of blocking the mass rewrite of an entire sites files?


sharpo

Just noticed mine has been infected again.

Checked all the files in album folder for any uploads other than mine, there were none, checked the index files in those folders for the iframe code, then deleted everything else before uploading 1.4.17.

Perhaps it happened because I had not finished upgrading the other galleries in my web space.
Sharpo (not an expert, just a Coppermine user)
3 live galleries, first started in 2006.
http://www.sharpos-world.co.uk/BB3cpg/ with over 8,000 images.
http://www.sharpos-world.co.uk/cpg/ with over 25,000 images. 1.6.25
http://www.sharpos-world.co.uk/kc/ with over 300 images. 1.6.25

Joachim Müller

This thread is not what you intended it to be. You don't help each other, obviously because you can't. You're posting panic-postings only. This thread is invalid and should never have been started. I deliberatly told you on the other thread that your "me too" reports won't help and threatened everyone to ban if the posting of invalid replies continues. Marian thought that he could circumvent the ban by starting another thread that deals with the very same issue. This is not the case. Thread locked.