Possible new exploit

Started by simplewebs, February 19, 2009, 12:24:29 AM


simplewebs

Hi,
I currently run 6 photo galleries, and yesterday while doing updates to photos, I have seen that 4 will not open and AVG is reporting "Exploit Link to known exploit site (type 610)". This appears on all 4 sites that do not open.

I tried to upgrade this site, bikerscornerkatabeach.com/cpg1418 to 1.4.20 (the site was already at 1.4.19, I just left the original name of the folder as is). I dumped the entire site minus the albums and the 2 files stated in the install. I ran the update.php, which ran ok, and at the bottom of the page, I clicked on the link for the version check, and I get the same error as stated above.

My next course of action is to download the folder from another gallery and compare them to previous copy of 1.4.19 to see if I can locate any differences.

If any else is seeing this or has recommendations, please reply. Thank you all for your time.

Lee

simplewebs

I just opened another gallery; this one has an AVG warning also, "threat name: Exploit WebAttacker". This site is v-twintours.com

Lee

simplewebs

I am using winmerge right now to compare all the files minus the albums dir from one gallery that is version 1.4.19 and comparing the files to a copy of 1.4.19 to see what is different between the two, I'll work on the update later.

the gallery file /include/init.inc.php has this code and the original does not (closing braces completed; the block unsets every variable except the superglobals when register_globals is on):

   if (ini_get('register_globals')) {
      foreach (get_defined_vars() as $var => $val) {
         if (!in_array($var, array('_POST', '_GET', '_COOKIE', '_REQUEST', '_SERVER'))) {
            unset($$var);
         }
      }
   }

the gallery file keyword_create_dict.php has this code in it and the original does not:

   eval(base64_decode("ZXJyb3JfcmVwb3 (and these numbers and letters go on for nearly 1,300 characters.)

Lee
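The WinMerge comparison described above, as an added example (not Coppermine project code, and not Lee's): it walks a clean install and the copy downloaded from the site, reports files that are added, missing or modified, and flags any differing file containing an eval() wrapped around a decoder, the idiom found in keyword_create_dict.php. The albums/ directory name to skip and the decoder list are assumptions.

```python
"""Added example (not Coppermine code): diff a site copy against a clean install,
the WinMerge step from the thread, and flag differing or extra files that contain
obfuscation idioms such as the eval(base64_decode(...)) found in keyword_create_dict.php."""
import hashlib
import os
import re

# eval() wrapped around a decoder is the idiom quoted in the thread.
SUSPICIOUS = re.compile(r"eval\s*\(\s*(base64_decode|gzinflate|str_rot13)\s*\(")

def _sha256(path):
    with open(path, "rb") as fh:
        return hashlib.sha256(fh.read()).hexdigest()

def _walk(root, skip=("albums",)):
    """Map relative path -> absolute path for files under root, skipping albums/."""
    found = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d not in skip]
        for name in filenames:
            full = os.path.join(dirpath, name)
            found[os.path.relpath(full, root)] = full
    return found

def suspicious_lines(path):
    """1-based line numbers in path that match SUSPICIOUS."""
    with open(path, "r", errors="replace") as fh:
        return [n for n, line in enumerate(fh, 1) if SUSPICIOUS.search(line)]

def compare_install(clean_root, site_root):
    """Return {relpath: status}; status is 'missing', 'added' or 'modified',
    with '+suspicious' appended when the site copy matches SUSPICIOUS."""
    clean, site = _walk(clean_root), _walk(site_root)
    report = {}
    for rel in sorted(set(clean) | set(site)):
        if rel not in site:
            report[rel] = "missing"
        elif rel not in clean:
            report[rel] = "added"
        elif _sha256(clean[rel]) != _sha256(site[rel]):
            report[rel] = "modified"
        else:
            continue  # identical to the clean install, nothing to report
        if rel in site and suspicious_lines(site[rel]):
            report[rel] += "+suspicious"
    return report
```

Call compare_install("/path/to/clean-1.4.19", "/path/to/site-copy") and review every entry; a "modified" file without the suspicious marker still needs a manual look, since only the decoder idiom is pattern-matched.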



simplewebs

I have uploaded 1.4.20 for offshorebarphuket.com after completely dumping the dir except albums. I archived the 2 files stated in the manual for upgrading, added those files to the new upload and the update.php runs fine; everything else comes up with the error stated previously. Any ideas? Or could this be a database problem?

:) Lee

simplewebs

I did a search for the AVG error message and found that another forum is reporting this too:

http://www.icyphoenix.com/viewtopic.php?f=2&t=5452&p=36758

This is happening to a forum site, rather several of them.

The post shows the same AVG alert I am seeing, a response says it may be a JS/redirector trojan.

I am posting this just for general info, trying to provide as much information as possible on this topic.

Lee

simplewebs

This is just getting better. I just tried to make another dump of the db, and am getting the AVG warning. I do believe this is now an exploit on the sql server.

Lee

simplewebs

Update. A client of mine came over with his laptop; for humor, I had him open the same galleries I am having problems with, and lo and behold, he can open them. Researching for a virus on my computer, will let you know what I find.

Lee

simplewebs

Ok, you're all going to love this!

I ran a scan with SuperAntivirus, and it revealed two rootkits, well hidden, but totally unrelated. They were cleaned, system rebooted, same problem as before.

Decided to roll back the computer to 13 Feb; there was an AVG8 update on that day. After restarting the computer, I can now view all my galleries!

I called a friend of mine, and he reported the same thing, rolled his computer back to the 13th, before the AVG8 update, because his computer was extremely slow, and some internet pages, not gallery sites, not showing correctly or with similar errors.

So, if anyone is having the same problems, look at a possible "bad" update file by AVG if that is what you are running for antivirus. Sorry to have taken up your time, I hope someone finds this useful.

Admin, feel free to change the subject of this thread to "dumb ass who over re-acted"

Thanks.

:) Lee


leddablue

I am having this same problem, so how did you roll back your AVG to before the 13th?  Can I uninstall AVG and install a different virus software? What did you do?  And thanks for the post and keep it updated this error has had me freaking out but when everyone else could still view the site I figured it was something with AVG.

simplewebs

Hi,
Sorry, when I say roll back the computer, do a system restore to the 13th or before (start, all programs, accessories, system tools, system restore). If you have system restore enabled, the 13th should have an automatic restore point because the update for AVG on that date sets a restore point before trying to update itself.

Disable your internet connection first, if you don't, as soon as the computer reboots, AVG will see an update available and will install it, creating the same mess we started with :(

Then uninstall AVG completely.

Connect to the internet and get yourself a copy of pctools free antivirus, http://www.pctools.com/antivirus/  (scroll to the bottom of the page and you will see the link for the free version.) Install this software, or any antivirus you choose, I chose this one because it does seem quite capable.

Hope this helps.

:) Lee

leddablue

Ok, I am not too sure about doing that. However, I did want to mention that I have had others researching this for me and they did find malicious code, so this error is a real error; it's a redirector/trojan. If I get my problem fixed I will let you know how it was fixed, but be aware the error was not just there for no reason. I think you may want to check your pages for malicious code.

simplewebs

Hi,
I did find some malicious code in one of the photo galleries I maintain, but most of the galleries were not visible when I had AVG running with the update from the 13th.

Basically you do not need to roll the computer back, just uninstall AVG8 and install another anti virus software.

When I rolled the computer back to the 13th and removed AVG, all galleries were visible, and the one with the malicious code had a redirector as well. When you load your gallery page, watch the status bar at the bottom of the window; if there is a redirector, you will see addresses appearing that are other than your gallery address.

I also run several online stores using osCommerce, unrelated to Coppermine but a php based application; one of those sites was also showing the same AVG alert, and when AVG was removed, everything worked fine.

The problem is in AVG when it updated on the 13th.

Try this, just turn off AVG and see if the gallery is visible.

I did a complete dump of one gallery minus the album dir which was clean, installed the latest version, and the same AVG alert was showing.

The problem is in AVG on your computer, not the code for Coppermine.

I have an internet cafe; 16 computers were also running AVG and all were showing the same alert. I simply uninstalled AVG and all galleries are visible on all machines.

Lee

Joachim Müller

Thanks for returning and posting your solutions.

To add to this on a more general scale: sometimes, virus scanners show false alarms (so called false-positives). After all, they need to compare viral patterns in real-time without considerably slowing down a page. With polymorphic viruses, this has become very hard (compared to the viruses that were around only five years ago). People expect virus scanners to protect them from threats coming from the web. This may result in some virus scanners sounding a false alarm every now and then.

Joachim

P.S. It's impossible to say if exploits are new or old for non-coders. I suggest reporting about vulnerabilities or potential bugs. Exploits are different animals.

simplewebs

Hi Joachim,
No problem on reporting my solution. I found it was easier to remove the AV program and use a new one. After going through your code (recommended by you in another post/topic) I used winmerge and compared every file; one gallery was attacked but not affected, and the remaining were no different than the install files. Then I suspected something else and it turned out to be the AV program and an update. I have no problem with AVG8 but that one update did cause some concern for me at the time.

Thanks for the reply and the great info on the virus pattern updates. I have also reported this problem to AVG.

Big fan and currently 7 galleries using your software, thanks for a great product!

:) Lee

leddablue

Well I just wanted to give you guys my update. 

I did indeed find malicious code in my settings.php file; it was set up to look like a yahoo counter. I have not had the problem since I was able to remove the code. AVG was correct when the error came up on my site as Exploit Link to known exploit site. I still have AVG running and my problem is gone, so good luck to you all!

Joachim Müller

The file settings.php is not part of Coppermine btw.

simplewebs

Hi Joachim
I did a winmerge comparison (and stated that I did so) on the two dirs (my master file and the copy downloaded from the site) and only found one file that was questionable; even after correcting that file AVG still showed the same error alert.

Other galleries I did a winmerge comparison on showed perfect files, yet I still had the error showing.

I don't have anything against AVG, maybe just a bad update, or as you stated, a false positive. I haven't heard anything back from AVG yet.

Your instructions for clearing a virus/??? are quite clear, and yes, winmerge is a must to verify the files. Again, great program!

Lee

mark0

This actually IS an exploit.  I spent several days tracking this down. 

After independently confirming and then cleaning the exploit from my database I found a link to others with similar issues.

DO NOT turn off or uninstall AVG.  They are correct in this case. You will be exposing yourself to a virus.

http://www.icyphoenix.com/viewtopic.php?f=2&t=5452#bottom

If you have any questions let me know.

Thanks!

mark0

Sorry I posted the wrong link.  Actually found this on a phpBB site, but it applies here.

http://www.phpbb.com/community/viewtopic.php?f=46&t=1322765

Regards.

Joachim Müller

The payload may be the same, but the vulnerability differs, so your posting is sort-of invalid. An exploit is not the same thing as the payload. We appreciate well-meant suggestions, but please make sure you understand the terms used in the first place.