I think my site was hacked through coppermine
 


Started by beddows, June 18, 2008, 08:17:19 AM


beddows

All the index.htm's, etc on all the websites on my server (there are a lot) had malicious javascript inserted which re-routed them to Russian & Turkish sites. I found this index.php sitting in my albums directory in coppermine: (1.4.17). I am currently deleting coppermine in its entirety & uploading 1.4.18 instead. I changed all my FTP & database passwords just in case & uploaded files from my PC to overwrite the infected ones. A big pain. Here is the code I found in coppermine:



<html>
<head>
<title>Hacked by TheWayEnd 1923Turk DaDaSLaR</title>

</head>
<style>
<!--
body { scrollbar-face-color: #000000; scrollbar-shadow-color: #CC0000; scrollbar-highlight-color: #CC0000; scrollbar-3dlight-color: #000000; scrollbar-darkshadow-color: #000000; scrollbar-track-color: #000000; scrollbar-arrow-color: #ffffff }
-->
</style>
<body background="http://i5.piczo.com/view/1/j/9/q/4/k/0/0/y/t/k/9/img/i83784551_80817.gif">
</body>

<!--

if (document.all&&!window.print){
leftright.style.width=document.body.clientWidth-2
topdown.style.height=document.body.clientHeight-2
}
else if (document.layers){
document.leftright.clip.width=window.innerWidth
document.leftright.clip.height=1
document.topdown.clip.width=1
document.topdown.clip.height=window.innerHeight
}

function followmouse1(){
leftright.style.pixelTop=document.body.scrollTop+event.clientY+1
topdown.style.pixelTop=document.body.scrollTop
if (event.clientX<document.body.clientWidth-2)
topdown.style.pixelLeft=document.body.scrollLeft+event.clientX+1
else
topdown.style.pixelLeft=document.body.clientWidth-2
}

function followmouse2(e){
//move cross engine for NS 4+
document.leftright.top=e.y+1
document.topdown.top=pageYOffset
document.topdown.left=e.x+1
}

if (document.all)
document.onmousemove=followmouse1
else if (document.layers){
window.captureEvents(Event.MOUSEMOVE)
window.onmousemove=followmouse2
}

function regenerate(){
window.location.reload()
}
function regenerate2(){
setTimeout("window.onresize=regenerate",400)
}
if ((document.all&&!window.print)||document.layers)

window.onload=regenerate2

//-->
</script>
<script language="JavaScript">
function ambos(e) {
if (navigator.appName == 'Netscape' && (e.which == 1 || e.which == 3 || e.which == 2)){
alert('Los botones del mouse han sido inhabilitados')
return false;
}
else if (navigator.appName == 'Microsoft Internet Explorer' && (event.button == 2 ||
event.button == 2)){
alert('[! By_AD!GE !]')
}
}
document.onmousedown=ambos</script>

<bgsound src=dht.mid loop=infinite>
<body bgcolor=black>
<script language="Javascript1.2">
<!--
var mymessage = "1923TURK-GRUP";
function rtclickcheck(keyp){
if (navigator.appName == "Netscape" && keyp.which == 3) {
alert(mymessage);
return false;
}

if (navigator.appVersion.indexOf("MSIE") != -1 && event.button == 2) {
alert(mymessage);
return false;
}
}

document.onmousedown = rtclickcheck
//-->
</script>
<center><b><br>
<img src="http://adiqe.funpic.org/resimler/hack.png"><br>

<font face="Courier New" size="5px" color="#d50000">BiZ OSMANLI Torunu TURKIYE Cumhuriyeti Evladiyiz</font><br>
<img border="0" src="http://img100.imageshack.us/img100/6844/turaas3.gif" width="500" height="422"><br>

<font face="Courier New" size="6px" color="#d50000">NE MUTLU TURK'UM DiYENE</font><br><br>

<P>


<FONT color=white>
</FONT></FONT><P>
<P>



<FONT color=white>
</FONT></FONT><P>
<P>




<p>


<p>





<script language="javascript" src="/mynet_sistem/hostingad.js"></script><script language="javascript" src="http://mysite.mynet.com/common/hostingad_1.js"></script>

<br><br>

<center><EMBED
style="BORDER-RIGHT: #0b78ff 1px solid; BORDER-TOP: #0b78ff 1px solid; FILTER: xray; BORDER-LEFT: #0b78ff 1px solid; BORDER-BOTTOM: #0b78ff 1px solid; BACKGROUND-COLOR: #0b78ff"
src=http://www.elnino.gen.tr/depo/ELNINO&JETAYDIN-KALBINI-KIRARIM.mp3 width=0 height=0 type=audio/x-ms-wma>
</TD></TR></center>


<div id="leftright" style="width:expression(document.body.clientWidth-2)"></div>
<div id="topdown" style="height:expression(document.body.clientHeight-2)"></div>

Hein Traag

Read this: http://forum.coppermine-gallery.net/index.php/topic,51927.0.html

1.4.17 did have a security flaw in it but that does not automatically mean your site got hacked through cpg. Could just as easily have been through a dodgy server setup etc etc. Read that thread and indeed upgrade to 1.4.18.
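
A triage sketch for the cleanup described in the first post, added here as an example and not code from the thread or from the Coppermine project: it walks a web root and lists every .htm/.html/.php file that loads a script, iframe, embed or bgsound from a host outside an allowlist. The function names, the allowlist parameter and the sample markup are assumptions constructed for illustration.

```python
import os
from html.parser import HTMLParser
from urllib.parse import urlparse

SCAN_EXT = (".htm", ".html", ".php")   # file types worth checking after a defacement
REMOTE_TAGS = {"script", "iframe", "embed", "bgsound"}  # tags that pull in remote content
# Constructed sample markup (hosts are placeholders, not taken from the thread).
SAMPLE = ('<html><body><script src="/js/site.js"></script>'
          '<script src="http://redirect.example.net/x.js"></script>'
          '<iframe src="//cdn.example.org/w"></iframe></body></html>')

class RemoteRefs(HTMLParser):
    """Collect (tag, host) for src attributes that point at another host."""
    def __init__(self):
        super().__init__()
        self.refs = []

    def handle_starttag(self, tag, attrs):
        if tag not in REMOTE_TAGS:
            return
        src = (dict(attrs).get("src") or "").strip()
        try:
            host = urlparse(src).hostname   # None for relative paths
        except ValueError:
            host = "unparsable-url"         # malformed URL: report it, don't crash
        if host:
            self.refs.append((tag, host.lower()))

def remote_refs(html_text):
    """Return every off-site reference in one document, in page order."""
    parser = RemoteRefs()
    parser.feed(html_text)
    parser.close()
    return parser.refs

def scan_tree(root, allowed_hosts):
    """Map relative path -> references whose host is not in allowed_hosts."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(SCAN_EXT):
                continue
            path = os.path.join(dirpath, name)
            # errors="replace" keeps the scan going on oddly encoded files
            with open(path, encoding="utf-8", errors="replace") as fh:
                bad = [r for r in remote_refs(fh.read()) if r[1] not in allowed_hosts]
            if bad:
                findings[os.path.relpath(path, root)] = bad
    return findings
```

A hit is a lead to review by hand, not proof of compromise; comparing flagged files against a clean copy shows what was actually changed.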