was hacked?

Started by mipavluk, June 19, 2009, 01:57:50 AM

mipavluk

USER:
------------------
Array
(
   [ID] => 07ba398dcc4243cd07aa272eb795d173
   [am] => 1
   [lang] => spanish
   [liv] => Array
       (
       )

)

==========================
USER DATA:
------------------
Array
(
   [user_id] => **
   [user_name] => ********
   [groups] => Array
       (
           [0] => 1
       )

   [disk_max] => 0
   [disk_min] => 0
   [can_rate_pictures] => 1
   [can_send_ecards] => 1
   [ufc_max] => 1
   [ufc_min] => 1
   [custom_user_upload] => 0
   [num_file_upload] => 4
   [num_URI_upload] => 0
   [can_post_comments] => 1
   [can_upload_pictures] => 1
   [can_create_albums] => 1
   [has_admin_access] => 1
   [pub_upl_need_approval] => 0
   [priv_upl_need_approval] => 0
   [group_name] => Administrators
   [upload_form_config] => 1
   [group_quota] => 0
   [can_see_all_albums] => 1
   [group_id] => 1
)

==========================
Queries:
------------------
Array
(
   [0] => SELECT extension, mime, content, player FROM cpg14x_filetypes; (0s)
   [1] => select * from cpg14x_plugins order by priority asc; (0s)
   [2] => delete from `scrappin_gallery`.cpg14x_sessions where time<1245365385 and remember=0; (0s)
   [3] => delete from `scrappin_gallery`.cpg14x_sessions where time<1244159385; (0s)
   [4] => select user_id from `scrappin_gallery`.cpg14x_sessions where session_id=md5("1fbe027c1ae8491b05ef9b4f571f1726d65dcb0a65cf401b221998392559e627"); (0s)
   [5] => select user_id as id, user_password as password from `scrappin_gallery`.cpg14x_users where user_id=1 (0s)
   [6] => SELECT u.user_id AS id, u.user_name AS username, u.user_password AS password, u.avatar_url AS avatar_url, u.enable_admin_email AS notify, u.auto_subscribe_post AS auto_subscribe_post, u.auto_subscribe_comment AS auto_subscribe_comment, u.user_group+100 AS group_id FROM `scrappin_gallery`.cpg14x_users AS u INNER JOIN `scrappin_gallery`.cpg14x_usergroups AS g ON u.user_group=g.group_id WHERE u.user_id='1' (0s)
   [7] => SELECT user_group_list FROM `scrappin_gallery`.cpg14x_users AS u WHERE user_id='1' and user_group_list <> ''; (0s)
   [8] => SELECT MAX(group_quota) as disk_max, MIN(group_quota) as disk_min, MAX(can_rate_pictures) as can_rate_pictures, MAX(can_send_ecards) as can_send_ecards, MAX(upload_form_config) as ufc_max, MIN(upload_form_config) as ufc_min, MAX(custom_user_upload) as custom_user_upload, MAX(num_file_upload) as num_file_upload, MAX(num_URI_upload) as num_URI_upload, MAX(can_post_comments) as can_post_comments, MAX(can_upload_pictures) as can_upload_pictures, MAX(can_create_albums) as can_create_albums, MAX(has_admin_access) as has_admin_access, MIN(pub_upl_need_approval) as pub_upl_need_approval, MIN( priv_upl_need_approval) as  priv_upl_need_approval FROM cpg14x_usergroups WHERE group_id in (1) (0s)
   [9] => SELECT group_name FROM  cpg14x_usergroups WHERE group_id= 1 (0s)
   [10] => update `scrappin_gallery`.cpg14x_sessions set time='1245368985' where session_id=md5('1fbe027c1ae8491b05ef9b4f571f1726d65dcb0a65cf401b221998392559e627'); (0s)
   [11] => SELECT user_favpics FROM cpg14x_favpics WHERE user_id = 1 (0s)
   [12] => DELETE FROM cpg14x_mod_online WHERE last_action < NOW() - INTERVAL 30 MINUTE (0s)
   [13] => REPLACE INTO cpg14x_mod_online (user_id, user_name, user_ip, last_action) VALUES ('1', 'MIPScraps', '190.136.85.21', NOW()) (0s)
   [14] => SELECT count(*) FROM  cpg14x_pms WHERE owner=1 (0s)
   [15] => SELECT count(*) FROM  cpg14x_pms WHERE owner=1 AND showed='0' (0s)
   [16] => SELECT count(*) FROM  cpg14x_buddy WHERE user_id=1 (0s)
   [17] => SELECT count(*) FROM  cpg14x_buddy_req WHERE buddy_to=1 (0s)
   [18] => DELETE FROM cpg14x_banned WHERE expiry < '2009-06-18 20:49:45' (0s)
   [19] => SELECT * FROM cpg14x_banned WHERE (ip_addr='190.136.85.21' OR ip_addr='190.136.85.21' OR user_id=1) AND brute_force=0 (0s)
   [20] => SELECT cid, name, description, thumb FROM cpg14x_categories WHERE parent = ''  ORDER BY name (0s)
   [21] => SELECT aid FROM cpg14x_albums WHERE category = 103 (0s)
   [22] => SELECT count(*) FROM cpg14x_pictures as p, cpg14x_albums as a WHERE p.aid = a.aid AND approved='YES' AND category = 103 (0s)
   [23] => SELECT cid, name, description, thumb FROM cpg14x_categories WHERE parent = '103'  ORDER BY name (0s)
   [24] => SELECT aid FROM cpg14x_albums WHERE category = 88 (0s)
   [25] => SELECT count(*) FROM cpg14x_pictures as p, cpg14x_albums as a WHERE p.aid = a.aid AND approved='YES' AND category = 88 (0s)
   [26] => SELECT aid FROM cpg14x_albums WHERE category = 113 (0s)
   [27] => SELECT count(*) FROM cpg14x_pictures as p, cpg14x_albums as a WHERE p.aid = a.aid AND approved='YES' AND category = 113 (0s)
   [28] => SELECT aid FROM cpg14x_albums WHERE category = 11 (0s)
   [29] => SELECT count(*) FROM cpg14x_pictures as p, cpg14x_albums as a WHERE p.aid = a.aid AND approved='YES' AND category = 11 (0s)
   [30] => SELECT cid, name, description, thumb FROM cpg14x_categories WHERE parent = '11'  ORDER BY name (0s)
   [31] => SELECT aid FROM cpg14x_albums WHERE category = 13 (0s)
   [32] => SELECT count(*) FROM cpg14x_pictures as p, cpg14x_albums as a WHERE p.aid = a.aid AND approved='YES' AND category = 13 (0s)
   [33] => SELECT aid FROM cpg14x_albums WHERE category = 12 (0s)
   [34] => SELECT count(*) FROM cpg14x_pictures as p, cpg14x_albums as a WHERE p.aid = a.aid AND approved='YES' AND category = 12 (0s)
   [35] => SELECT aid FROM cpg14x_albums WHERE category = 14 (0s)
   [36] => SELECT count(*) FROM cpg14x_pictures as p, cpg14x_albums as a WHERE p.aid = a.aid AND approved='YES' AND category = 14 (0s)
   [37] => SELECT aid FROM cpg14x_albums WHERE category = 2 (0s)
   [38] => SELECT count(*) FROM cpg14x_pictures as p, cpg14x_albums as a WHERE p.aid = a.aid AND approved='YES' AND category = 2 (0s)
   [39] => SELECT cid, name, description, thumb FROM cpg14x_categories WHERE parent = '2'  ORDER BY name (0s)
   [40] => SELECT aid FROM cpg14x_albums WHERE category = 15 (0s)
   [41] => SELECT count(*) FROM cpg14x_pictures as p, cpg14x_albums as a WHERE p.aid = a.aid AND approved='YES' AND category = 15 (0s)
   [42] => SELECT aid FROM cpg14x_albums WHERE category = 33 (0s)
   [43] => SELECT count(*) FROM cpg14x_pictures as p, cpg14x_albums as a WHERE p.aid = a.aid AND approved='YES' AND category = 33 (0s)
   [44] => SELECT aid FROM cpg14x_albums as a WHERE category>=10000 (0s)
   [45] => SELECT count(*) FROM cpg14x_pictures as p, cpg14x_albums as a WHERE p.aid = a.aid AND approved='YES' AND category >= 10000 (0s)
   [46] => SELECT cid, name, description, thumb FROM cpg14x_categories WHERE parent = '1'  ORDER BY name (0s)
   [47] => SELECT aid FROM cpg14x_albums as a WHERE category = '0' (0s)
   [48] => SELECT count(*) FROM cpg14x_albums as a WHERE 1 (0s)
   [49] => SELECT count(*) FROM cpg14x_categories WHERE 1 (0s)
   [50] => SELECT count(*) FROM cpg14x_pictures (0s)
   [51] => SELECT sum(hits) FROM cpg14x_pictures (0s)
   [52] => SELECT count(*) FROM cpg14x_comments (0s)
   [53] => SELECT COUNT(*) FROM cpg14x_pictures WHERE approved = 'NO' (0s)
   [54] => SELECT COUNT(*) from cpg14x_pictures WHERE approved = 'YES'  (0s)
   [55] => SELECT * FROM cpg14x_pictures WHERE approved = 'YES'  ORDER BY pid DESC  LIMIT 0 ,12 (0s)
   [56] => SELECT count(*) from cpg14x_comments where pid=2209 and msg_id!=0 (0s)
   [57] => SELECT count(*) from cpg14x_comments where pid=2208 and msg_id!=0 (0s)
   [58] => SELECT count(*) from cpg14x_comments where pid=2207 and msg_id!=0 (0s)
   [59] => SELECT count(*) from cpg14x_comments where pid=2206 and msg_id!=0 (0s)
   [60] => SELECT count(*) from cpg14x_comments where pid=2205 and msg_id!=0 (0s)
   [61] => SELECT count(*) from cpg14x_comments where pid=2204 and msg_id!=0 (0s)
   [62] => SELECT count(*) from cpg14x_comments where pid=2203 and msg_id!=0 (0s)
   [63] => SELECT count(*) from cpg14x_comments where pid=2202 and msg_id!=0 (0s)
   [64] => SELECT count(*) from cpg14x_comments where pid=2201 and msg_id!=0 (0s)
   [65] => SELECT count(*) from cpg14x_comments where pid=2200 and msg_id!=0 (0s)
   [66] => SELECT count(*) from cpg14x_comments where pid=2199 and msg_id!=0 (0s)
   [67] => SELECT count(*) from cpg14x_comments where pid=2198 and msg_id!=0 (0s)
   [68] => SELECT count(*) FROM cpg14x_albums as a WHERE category = '0' (0s)
   [69] => SELECT user_id,user_lastvisit FROM cpg14x_users WHERE user_lastvisit LIKE '2009-06-18%' (0s)
   [70] => SELECT user_name as user_name FROM `scrappin_gallery`.cpg14x_users WHERE user_id = '427' (0s)
   [71] => SELECT COUNT(*) FROM `scrappin_gallery`.cpg14x_users (0s)
   [72] => SELECT COUNT(*) FROM cpg14x_mod_online (0s)
   [73] => SELECT COUNT(*) FROM cpg14x_mod_online WHERE user_id <> 0 (0.001s)
   [74] => SELECT user_id, user_name FROM `scrappin_gallery`.cpg14x_users ORDER BY user_id DESC LIMIT 1 (0s)
   [75] => SELECT user_id, user_name FROM cpg14x_mod_online WHERE user_id <> 0 (0s)
)

==========================
GET :
------------------
Array
(
)

==========================
POST :
------------------
Array
(
)

==========================
VERSION INFO :
------------------
PHP version: 5.2.9 - OK
------------------
mySQL version: 5.0.77-community
------------------
Coppermine version: 1.4.16(stable)
==========================
Module: GD
------------------
GD Version: bundled (2.0.34 compatible)
FreeType Support: 1
FreeType Linkage: with freetype
T1Lib Support:
GIF Read Support: 1
GIF Create Support: 1
JPG Support: 1
PNG Support: 1
WBMP Support: 1
XPM Support: 1
XBM Support: 1
JIS-mapped Japanese Font Support:

==========================
Module: mysql
------------------
MySQL Support enabled
Active Persistent Links 0
Active Links 1
Client API version 5.0.77
MYSQL_MODULE_TYPE external
MYSQL_SOCKET /var/lib/mysql/mysql.sock
MYSQL_INCLUDE -I/usr/include/mysql
MYSQL_LIBS -L/usr/lib64 -lmysqlclient  
==========================
Module: zlib
------------------
ZLib Support enabled
Stream Wrapper support compress.zlib://
Stream Filter support zlib.inflate, zlib.deflate
Compiled Version 1.2.3
Linked Version 1.2.3
==========================
Server restrictions (safe mode)?
------------------
Directive | Local Value | Master Value
safe_mode | Off | Off
safe_mode_exec_dir | no value | no value
safe_mode_gid | Off | Off
safe_mode_include_dir | no value | no value
safe_mode_exec_dir | no value | no value
sql.safe_mode | Off | Off
disable_functions | no value | no value
file_uploads | On | On
include_path | .:/usr/lib/php:/usr/local/lib/php | .:/usr/lib/php:/usr/local/lib/php
open_basedir | no value | no value
==========================
email
------------------
Directive | Local Value | Master Value
sendmail_from | no value | no value
sendmail_path | /usr/sbin/sendmail -t -i | /usr/sbin/sendmail -t -i
SMTP | localhost | localhost
smtp_port | 25 | 25
==========================
Size and Time
------------------
Directive | Local Value | Master Value
max_execution_time | 300 | 300
max_input_time | 60 | 60
upload_max_filesize | 100M | 100M
post_max_size | 105M | 105M
==========================
Page generated in 0.212 seconds - 76 queries in 0.001 seconds - Album set : ; Meta set: ;

Abbas Ali

Instead of posting the debug info, explain in detail what happened. Also provide a link to your gallery.
Chief Geek at Ranium Systems

Joachim Müller

If you think that you have been hacked (although that's impossible to conclude from looking at the debug_output), read the thread "Yikes, I've been hacked! Now what?"

mipavluk

sorry

all my images are missing, all red x, big ones and small ones... all red x

http://scrappingwhispers.com/gallery

Abbas Ali

Your gallery is offline and we can't see anything.

It appears that there is an unwanted .htaccess file in your albums directory. Check it and delete it.
Chief Geek at Ranium Systems

Joachim Müller

Your site is back online and things are as expected: you're running cpg1.4.16, while the most recent stable release currently is cpg1.4.24, so you're running 8 versions behind, i.e. you haven't upgraded for 14 months. That's the reason why you were hacked. Upgrading alone will not cure your infected site. If you're lucky, only the .htaccess file has been dropped that causes your embedded images not to show up because they get redirected to a Google page that doesn't exist. Get rid of it and you might be good in terms of sanitization, but we can't promise. Anyway, after getting rid of the .htaccess file you'll at least have to upgrade to the most recent stable release as suggested per docs. It's better though to make sure that you have sanitized. To do so, do exactly as I suggested in the Yikes thread that you have already been told about. The hack you appear to have fallen victim to is a very mild one that easily can be fixed. The attacker could have done anything, but he just left a file that redirects, and redirects in a silly manner that doesn't even work. Consider yourself lucky. I find it sad that you haven't been able to find that out on your own just by searching a bit around - I would have searched harder if I would have thought that my gallery was hacked and the result of years of gallery maintenance gone. Anything else?
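
One way to run the check described in the replies above (look for an unwanted .htaccess file under the albums directory that redirects image requests), as an added example that is not part of the original thread or of Coppermine's own code. The directive list, the function names and the sample tree with its redirect.example URL are assumptions constructed for illustration.

```python
import os
import re
import tempfile

# Apache directives that can send a request somewhere else (assumed list).
REDIRECT_RE = re.compile(
    r"^\s*(RewriteRule|RewriteCond|Redirect\w*|ErrorDocument)\b(.*)$", re.IGNORECASE)
URL_RE = re.compile(r"https?://[^\s\"']+", re.IGNORECASE)


def scan_htaccess(root):
    """Return one finding per .htaccess file below root that contains redirects."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        if ".htaccess" not in files:
            continue
        path = os.path.join(dirpath, ".htaccess")
        with open(path, "r", errors="replace") as fh:
            lines = fh.read().splitlines()
        hits, urls = [], []
        for number, line in enumerate(lines, start=1):
            if line.lstrip().startswith("#"):
                continue  # commented-out directives are inactive
            match = REDIRECT_RE.match(line)
            if match:
                hits.append((number, line.strip()))
                urls.extend(URL_RE.findall(match.group(2)))
        if hits:
            findings.append({"path": os.path.relpath(path, root),
                             "directives": hits, "external_urls": sorted(set(urls))})
    return sorted(findings, key=lambda f: f["path"])


def build_sample_tree(root):
    """Constructed sample: an albums tree with one benign and one dropped file."""
    os.makedirs(os.path.join(root, "albums", "userpics"))
    with open(os.path.join(root, "albums", "userpics", ".htaccess"), "w") as fh:
        fh.write("# constructed benign file\nOptions -Indexes\n")
    with open(os.path.join(root, "albums", ".htaccess"), "w") as fh:
        fh.write("RewriteEngine On\n"
                 "RewriteRule \\.(jpg|gif|png)$ http://redirect.example/missing [R,L]\n")


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for finding in scan_htaccess(os.path.join(tmp, "albums")):
            print(finding)
```

Point `scan_htaccess` at the gallery's albums directory and compare each reported file against a clean copy of the same release before deleting anything.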