PHP Bulk Emailer in my userpic directory

Started by Kursk, December 25, 2006, 04:15:27 AM

Kursk

Got notified today that my account was suspended. After some investigation, it happens that someone had uploaded a PHP bulk e-mailer into my userpic directory and started sending out an eBay phishing scam.

PHP Bulk Emailer
From NukedWeb
http://www.nukedweb.com/
tim@nukedweb.com

How this happened I still can't figure out.
Any thoughts (besides the fact that it is an old cpg 1.3.1)?

Tarique Sani

Quote from: Kursk on December 25, 2006, 04:15:27 AM
Any thoughts (besides the fact that it is an old cpg 1.3.1)?
None needed whatsoever :)
SANIsoft PHP applications for E Biz

Kursk

Quote from: Tarique Sani on December 25, 2006, 09:53:50 AM
None needed whatsoever :)
Thanks. I take it to mean once it's updated to cpg1.4.10 (which I did last night) I don't need to be worried anymore?

Joachim Müller

Check for existing backdoors. Upgrading doesn't remove existing backdoors, it just protects you from falling victim to new ones.

Kursk

albums/userpics is the only directory I was able to find that contained a php mailer. Any other possible locations?

Joachim Müller

If the attacker managed to place any PHP script on your server he might have infected your entire webspace. Therefore, possible locations are: the entire webspace.
Please keep in mind that cpg1.3.x is unsupported. Your issue comes from failing to upgrade in time (while there still was support).

Kursk

I see your point. CPG has been updated to 1.4.10 as soon as I discovered the hole. The rest of the webspace besides CPG is the latest Joomla! release (no bridge.)

Userpics seems logical as it allows for a user upload. My fault for not keeping up-to-date on the CPG and doing something that allowed for the upload of files other than what should have been uploaded. My question was more along the lines of any similarity to userpics' apparent vulnerability (in my case of course, as I'm not generalizing here.)

Stramm

As already said... if an attacker was able to upload a malicious script, then he's able to place it everywhere in your webspace. He can use this script to load other scripts... do not only search in the albums dir.

Joachim Müller

This is what you need to do: download all files that reside on your webspace to a folder on your hard-drive. Then use a diff viewer like WinMerge to compare all files, making sure that all code files do not differ between the forensic backup folder you just downloaded and the original sources you uploaded in the first place. Using the diff viewer, make sure that there are no surplus executable scripts in the forensic backup folder.
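
The comparison described above can also be scripted rather than done by hand in WinMerge. The following is an added example, not code from the thread or from Coppermine: it hashes every file in the pristine sources and in the downloaded forensic copy, then reports tampered code files, surplus files with a script suffix, and files missing from the server. The directory layout, file contents and the list of script suffixes are constructed for the demo and should be adjusted to your own install.

```python
import hashlib
import tempfile
from pathlib import Path

# Suffixes the web server may hand to an interpreter (assumption; tune for your host).
SCRIPT_SUFFIXES = {".php", ".php3", ".php4", ".php5", ".phtml", ".phar", ".cgi", ".pl", ".sh"}


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large uploads need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def compare_trees(original: Path, forensic: Path) -> dict:
    """Diff pristine sources against the downloaded webspace copy.

    modified: in both trees but content differs (tampered code)
    surplus:  only in the forensic copy and carries a script suffix (backdoor candidate)
    missing:  in the original sources but gone from the server
    """
    orig = {p.relative_to(original) for p in original.rglob("*") if p.is_file()}
    live = {p.relative_to(forensic) for p in forensic.rglob("*") if p.is_file()}
    modified = [r for r in orig & live if sha256_of(original / r) != sha256_of(forensic / r)]
    surplus = [r for r in live - orig if r.suffix.lower() in SCRIPT_SUFFIXES]
    missing = list(orig - live)
    return {name: sorted(str(r) for r in paths)
            for name, paths in (("modified", modified), ("surplus", surplus), ("missing", missing))}


def demo() -> dict:
    """Constructed sample: a clean install beside a copy with one tampered file and one planted script."""
    root = Path(tempfile.mkdtemp())
    original, forensic = root / "original", root / "forensic"
    for base in (original, forensic):
        (base / "albums" / "userpics").mkdir(parents=True)
        (base / "index.php").write_text("<?php echo 'gallery'; ?>\n")
        (base / "albums" / "userpics" / "photo.jpg").write_bytes(b"\xff\xd8\xff\xe0 constructed jpeg")
    # Simulated tampering present only in the forensic copy.
    (forensic / "index.php").write_text("<?php echo 'gallery'; /* injected */ ?>\n")
    (forensic / "albums" / "userpics" / "mailer.php").write_text("<?php /* planted script */ ?>\n")
    return compare_trees(original, forensic)


if __name__ == "__main__":
    for bucket, paths in demo().items():
        print(bucket, paths)
```

Surplus files without a script suffix (for example images) are not listed, so review the web server's handler configuration as well: if it executes other extensions, add them to SCRIPT_SUFFIXES.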

Kursk