Phishing site in my gallery Phishing site in my gallery
 

News:

CPG Release 1.6.26
Correct PHP8.2 issues with user and language managers.
Additional fixes for PHP 8.2
Correct PHP8 error with SMF 2.0 bridge.
Correct IPTC supplimental category parsing.
Download and info HERE

Main Menu

Phishing site in my gallery

Started by Naif, March 13, 2007, 04:26:02 PM

Previous topic - Next topic

0 Members and 1 Guest are viewing this topic.

Naif

Hello

I've been notified that someone uploaded a phishing site in my gallery (in userpics/10001). The file in question has been deleted, and I have upgraded the software (from 1.4.9 to 1.4.10), but I'd like to know if this is enough to prevent further attacks.

Joachim Müller

How could one possibly upload a phishing site? Did your site get hacked? Post a deep link, or (if you have already removed the offending stuff) post a screenshot of the "thing" that you refered to as "phising site".

Naif

That's what I wonder... I didn't even know how my site got hacked, it's my hosting provider who warned me. This is the phishing site: http://theothersize.com/galeria/albums/userpics/10001/muie/ But they already deleted that file.

So, how may have this happened? And how can I solve it, and prevent further problems...?

Nibbler

The fact they uploaded into userpics/10001 indicates they gained access to your Coppermine admin account. Change the password and check your webspace for anything that looks suspicious.

Naif

But how could they possibly find my password? It is one that is not precisely easy to guess (very long, using letters and numbers mixed...)

Joachim Müller

There are several methods: brute force, exploits of known issues, keystroke loggers. Hard to guess, as your overall web presence is empty (nothing in http://theothersize.com/). Start from scratch. Keep your apps up-to-date. Backup-up regularly.

Naif

Oh, the web is not exactly empty but it's not available now, only the domain is currently not visible. It only contained some other scripts like a phpbb forum and a wiki, but they didn't get hacked.

Keeping this gallery updated can guarantee no further attacks?

Joachim Müller

Can going to the doctor guarantee that you're never going to become ill? There's no absolute sure things in life, nor is there such a thing as a bug-free software. Keeping your software up-to-date and applying all safety precautions you possibly could makes another attack less likely, that's all I can promise. Applies for every software in the world.
I suggest relying on brain.exe and regular-backups.exe - those are the mightiest programs in the world.

EZ

I've just been hit with the same problem! My hosting provider notified me that the gallery contains a phishing page. In my case some files (html, php, txt) were uploaded into /gallery/include/makers.

A day later I was also notified that my phpBB forum has been hacked. A spam script was uploaded to /forum/images/avatars.

At the moment I have no idea how this could have happened. I don't think my password was compromised. Of course there's no way I can be 100% sure about it, but apparently there's no other damage except for the uploaded files.

EZ.

martl

My gallery has caught a phishing website too and was shut off by the webhoster :(

Doing a google search, i found this one:
http://www.virenschutz.info/beitrag_Angriffe+auf+das+Galeriescript+Coppermine_1020.html

its german, but Gaugau should be able to understand it :)

it talks about a vulnerability of coppermine that has to do with inserting an iframe  (or so... ;))

they give the advice to shut down down the website until a patch is available... well do the devs already know about it and when can we expect a patch?

Martin

martl

 :-X pease disregard... the news message i quoted was exactly 1 year old.. all i saw was "28th of April" and so i assumed it was news... sorry for any confusion! :)

Quote from: martl on May 02, 2007, 12:35:15 PM
My gallery has caught a phishing website too and was shut off by the webhoster :(

Doing a google search, i found this one:
http://www.virenschutz.info/beitrag_Angriffe+auf+das+Galeriescript+Coppermine_1020.html

its german, but Gaugau should be able to understand it :)

it talks about a vulnerability of coppermine that has to do with inserting an iframe  (or so... ;))

they give the advice to shut down down the website until a patch is available... well do the devs already know about it and when can we expect a patch?

Martin


Joachim Müller

The site you refer to deals with the outdated and unsupported coppermine versions for nuke anyway, so the alert you refer to doesn't apply. We only and exclusively support the standalone version of coppermine, and only the most recent stable release. The site you refer to isn't very helpfull: any good bug report site that is worth mentioning should mention what version of the app they refer to their bug report applies. The site virenschutz.info fails to do so, so I wouldn't trust anything they claim. In my eyes, those are just rumors. Their report is just damaging our app's reputation but fails to improve the situation for those who have fallen victim of their wannabe-report.

martl

I agree, i also was angry about that website not giving any version numbers of the software involved, as well as the insufficient timestamp. Still i had to kick two different chatbot subdirs and a phishing site mimmicking "bank of America" out of my userpics subdirs, but it can well be that it is me to blame for running a not-too-clean installation. I will check the permissions on file level and also rethink my liberal strategy of allowing users to self-register and upload :p a pity, it ran well for a long time, but i guess the internet is a bad place to rely on trust and common sense :)

bern5

whats the solution to fix ?

just had 2 phising folders setup in 2 days in /include/  - ive changed permission to 755

also have a folder /include/makers/ - should that be there?

running  1.4.10 (stable)

thx in advance.

Joachim Müller

Quote from: bern5 on July 24, 2009, 01:03:15 AM
whats the solution to fix ?
The solution is pretty straightforward: in the future, don't be lazy - failing to perform frequent updated of any pre-written script-driven web app will result in getting hacked sooner or later. The fact that you're running
Quote from: bern5 on July 24, 2009, 01:03:15 AMrunning  1.4.10 (stable)
shows that you must have been very lazy: cpg1.4.10 has been released three years ago. The fact that you tried to hijack such an ancient thread shows your laziness as well. Anyway, sanitize as suggested in the thread Yikes, I've been hacked! Now what?. Just upgrading is not enough now that your site was hacked. Locking.