Hi guys, First I've got to say that Coppermine 1.3.3 is awesome - a lot of work and well appreciated.
I've been using it for about 4 weeks without a problem - but about 5 days ago it was compromised in some way.
There are multiple problems, from registered users being unable to set up new albums or upload files, to at worst - all users deleted along with their albums, images and database records.
My hosting Company says I am the sixth client who has complained of this problem in the last 10 days - but have scanned their systems and claim that the system is clear.
I've tried installing a new instance of 1.3.3 in a new directory with a new database - but after getting a new user on - everything got deleted when I tried to use the admin account...
Any bright ideas anyone? Your help is appreciated
Just to eliminate other factors, have you changed your webhost and gallery account passwords in case that is how the attacks are occurring?
Thanks TranzNDance - That's what I thought of first. Changed account access info then put up a new installation of 1.3.3 with different access info - but the problems were still there despite the "clean" system
What other PHP apps are installed on the server?
Hi Kegobeer - now that sounds like a good idea right now...
So far as I can tell, here is a complete list of php apps running on this server:
Fantastico. CpanelX.
Blogs: b2evolution, Nucleus, pMachine Free, WordPress
Content Management: Drupal, Geeklog, Mambo Open Source, PHP-Nuke, phpWCMS, phpWebSite, Post-Nuke, Siteframe, Typo3, Xoops
Customer Relationship: Crafty Syntax Live Help, Help Center Live, osTicket, PHP Support Tickets, Support Logic Helpdesk, Support Services Manager
Discussion Boards: phpBB2, SMF
E-Commerce: CubeCart, OS Commerce, Zen Cart
F.A.Q: FAQMasterFlex
Guestbooks: ViPER Guestbook
Image Galleries: 4Images Gallery, Coppermine Photo Gallery, Gallery
Mailing Lists: PHPlist
Polls and Surveys: Advanced Poll, phpESP, PHPSurveyor
Project Management: dotProject, PHProjekt
Site Builders: Templates Express
Wiki: TikiWiki, PhpWiki
Other Scripts: Dew-NewPHPLinks, Moodle, Noahs Classifieds, Open-Realty, phpAdsNew, PHPauction, phpCOIN, phpFormGenerator, WebCalendar
In fact - not a bad list if not for the problems...
Whew, what a list... Do all of the other apps still work as expected?
The only other application I've tried from the list was "Gallery". This was after the problems started - and an attempt to get around the problem.
It seems to have been affected as well, I followed the installation guidelines but couldn't set up users properly.
Are you sure this isn't a database server issue? It may be that the mysql server is hosed and this has nothing to do with the webserver.
Thanks for the suggestion donnoman - never considered that might be the problem. Have contacted our Hosting Co. and am waiting for their findings.
It seems that my hosting Company are incommunicado - I've had no email response from them about the possibility that the database server may be the root of the problem - and they can't be raised on the telephone.
What doesn't seem to fit though is that I have other handbuilt php routines running on this website that use added tables to the Coppermine database. These are all unaffected by whatever is causing the problem. What gets affected are the cpg133_albums, cpg133_pictures, cpg133_users tables plus all of the image folders in the userpics directory get emptied...
Anyone recognize the symptoms?
Are contents IN the tables when you look at them with something like phpmyadmin?
Are there files in the albums/userpics directory or do the files really go missing after they've been uploaded?
How long does it take for the entries in the db, or the filesystem to go MIA?
Do you have access to the http access logs to your site? Have you reviewed them for suspicious activity?
Hi donnoman
1) The contents were in the tables before they get deleted - not there afterwards - checked by phpadmin also by viewing exported sql data in notepad.
2) The files in userpics/albums are completely deleted - vanished without a trace
3) The files and db records go missing within seconds of any attempt to access registered user data as an admin user
4) I checked through all the logs when it happened the 1st time. All were normal users - and only accessed non-critical parts of the system.
My belief is that the contamination was lurking for some time - I hadn't used the admin panel for about 3 weeks - so it could have been any time in the interim that I was struck...
It seems strange that nobody else is reporting similar problems like this. My web hosting Company seem to have forgotten about me on this issue - that or they've left the Country.
Considering everything you've posted thus far, I'd change webhosts.
I'm curious about your last statements though.
Would you mind zipping up your entire website, and let me download it. I want to see if I can find where the code has been injected. If you want to make other arrangements PM me.
donnoman
Have sent a pm to you with details of download url.
Thanks