coppermine-gallery.com/forum

Support => cpg1.4.x Support => Older/other versions => cpg1.4 upgrading => Topic started by: LACA Rio on July 19, 2006, 09:11:09 PM

Title: Hacker on my Gallery part 2
Post by: LACA Rio on July 19, 2006, 09:11:09 PM
Hi guys,

I upgraded my gallery from 1.3.5 to 1.4.8 because some files had been uploaded by a hacker into my albums/userpics/1001 folder.
These files were used for phishing (in this case, of Chase bank).
Today, when I checked the files using an FTP program, I found another very suspicious file (sanyo.php.rar) in the same folder.
I deleted the file and changed my password again, but I can't change the chmod permissions, which are 777.
Thanks for any help.
Title: Re: Hacker on my Gallery part 2
Post by: Joachim Müller on July 20, 2006, 06:19:59 AM
The upgrade doesn't cure infected webspace; it only keeps your gallery from getting infected in the first place. As your initial reason for upgrading was an infection, you'll have to cure your webspace first by scanning for leftover dangerous files and any subsequent backdoors the attacker may have left.
Title: Re: Hacker on my Gallery part 2
Post by: LACA Rio on July 20, 2006, 03:02:28 PM
As a webmaster, I did that, and so did the server that is hosting all my websites.
That rar file was uploaded before the upgrade. The folder has the very dangerous CHMOD 777.
If you want to check the malicious script, I can send you the file (sanyo.php.rar). I'm afraid to open it.
Title: Re: Hacker on my Gallery part 2
Post by: Joachim Müller on July 20, 2006, 10:13:47 PM
Quote from: LACA Rio on July 20, 2006, 03:02:28 PM
That rar file was uploaded before the upgrade.
There you go: as it has been uploaded before the upgrade, you should have deleted it before doing anything else.

Quote from: LACA Rio on July 20, 2006, 03:02:28 PM
The folder has very dangerous CHMOD 777.
Not dangerous if your webserver is set up properly. Read http://www.simplemachines.org/community/index.php?topic=2987.0 for details.

Quote from: LACA Rio on July 20, 2006, 03:02:28 PM
I'm afraid to open it.
There's no need to be afraid: download it to your client (using your FTP app). Then open it in a plain text editor (notepad.exe is fine). However: you'll only need to do this if you're curious, it won't help you in solving any infection-related issues that you might have.

For security reasons, ask your webhost to configure your Apache webserver to do something with .rar files. Refer to the announcement thread Coppermine-driven galleries hit by RAR exploit (http://forum.coppermine-gallery.net/index.php?topic=31534.0) for what the setup needs to be.
Title: Re: Hacker on my Gallery part 2
Post by: LACA Rio on July 22, 2006, 06:08:17 PM
You were right. I uploaded a test "php.rar" and after running it, I could read "Oops, my webserver is vulnerable" in my browser. I sent these posts to my webhoster and left the "Allowed document types" field in the config settings empty instead of "ALL".
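The Apache-side fix that the two posts above are circling around, shown here as an added example; it is not from the original thread, the linked announcement, or the Coppermine project. It assumes Apache 2.x with mod_php (the "AddHandler ... .php" setup common on shared hosts in 2006) and an upload tree at /var/www/html/albums; both the path and the handler name are assumptions. The point is mod_mime's multiple-extension rule: a handler bound with AddHandler applies if any extension in the filename matches, so "sanyo.php.rar" is executed as PHP because ".rar" means nothing to the server and ".php" still does.

```apache
# WEAK (the setting behind the "Oops, my webserver is vulnerable" test):
# AddHandler looks at every dot-separated extension, so sanyo.php.rar,
# shell.php.jpg and friends are all handed to the PHP engine.
#
#   AddHandler application/x-httpd-php .php
#
# HARDENED: bind the PHP handler only to names whose LAST extension is .php.
# A request for test.php.rar then gets no handler at all and is served as a
# plain file (source shown or download offered), never executed.
<FilesMatch "\.php$">
    SetHandler application/x-httpd-php
</FilesMatch>

# Belt and braces for the directory that accepts user uploads (path is an
# assumption): turn the PHP engine off there entirely and strip any handler
# or type mapping the main config may still attach to PHP-ish extensions,
# so nothing under albums/ is interpreted no matter how it is named.
<Directory "/var/www/html/albums">
    php_admin_flag engine off
    RemoveHandler .php .phtml .php3 .php4 .php5
    RemoveType    .php .phtml .php3 .php4 .php5
    Options -ExecCGI
</Directory>
```

To verify, repeat the check from the post above: upload a file named test.php.rar containing only `<?php echo 'Oops, my webserver is vulnerable'; ?>` into the albums tree and request it in a browser. With the weak AddHandler line active the sentence is rendered; with the FilesMatch and Directory blocks in place the raw source is shown or the file is offered for download, which is the behaviour you want. Delete the test file afterwards. On a PHP-FPM or mod_proxy_fcgi setup the same FilesMatch "\.php$" anchoring applies to whatever SetHandler line routes requests to PHP, while php_admin_flag is mod_php only and the equivalent there is to route the upload directory to no PHP backend at all.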
Title: Re: Hacker on my Gallery part 2
Post by: Joachim Müller on July 22, 2006, 08:40:47 PM
Read the entire thread I referred to.