Security threat: "This site is defaced" [NeverEverNoSanity WebWorm] Security threat: "This site is defaced" [NeverEverNoSanity WebWorm]
 

News:

CPG Release 1.6.26
Correct PHP8.2 issues with user and language managers.
Additional fixes for PHP 8.2
Correct PHP8 error with SMF 2.0 bridge.
Correct IPTC supplimental category parsing.
Download and info HERE

Main Menu

Security threat: "This site is defaced" [NeverEverNoSanity WebWorm]

Started by sion3000, December 21, 2004, 10:28:21 PM

Previous topic - Next topic

0 Members and 1 Guest are viewing this topic.

sion3000

Hi

I went onto my coppermine photo gallery today and i was shocked to notice that instead of taking me to the usual front page, it gave me a message  :\'(:
========
This site is defaced!!!

--------------------------------------------------------------------------------

NeverEverNoSanity WebWorm generation 16.

Fatal error: Call to undefined function: breadcrumb() in /files/home/sion3000/Coppermine/index.php on line 118
========

It gets an almost the same error if you click a different link to get into the gallery.

The web site is: www.coolshots.co.uk and you can access the gallery by clicking any of the photos or by clicking Photo Gallery at the top of the page.
Direct link to the gallery is: www.coolshots.co.uk/Coppermine

I have had a quick look in the code but i am not expert not even a novice realy. Everything looks normal. Im currently running version 1.2.1      ???


All ideas and solutions welcome.


Thanks and have a merry xmas.

Sion

[edit GauGau]
Changed this thread's subject from Need some advice with my coppermine gallery please to Security threat: "This site is defaced" [NeverEverNoSanity WebWorm] and made it a sticky.
[/edit]

kegobeer

Do not send me a private message unless I ask for one.  Make your post public so everyone can benefit.

There are no stupid questions
But there are a LOT of inquisitive idiots

kegobeer

Do not send me a private message unless I ask for one.  Make your post public so everyone can benefit.

There are no stupid questions
But there are a LOT of inquisitive idiots

Tranz

@sion3000, are you running a phpbb forum older than 2.0.11? I'm just trying to see if there is a pattern.

sion3000

Im only running the Coppermine Gallery, no forums or anything else.
At the moment trying to find out what version of php the server uses where my site is hosted.

Thanks

Tranz

In coppermine, go to Admin Tools / phpinfo. It will tell you your php version.

sion3000

Hello again, well ive just been talking to my contacts at my ISP and they are telling me they have been hit by the worm, its managed to get into the main server and overwrite everyones php files, to some extent apatr from phpbb.

So im gona start looking for my back ups!

thanks for everyones help. I think we can prety much call this one solved!

thanks
Hope everyone has a great xmas and a happy new year!

gibblesmg

To mu surprise i too have had the defaced page replace my photo gallery. I talked to my ISP who indicated that PHP 4.3.8 was safe so I rebuilt my gallery again. Only within 4 hours to have it shut down. I am not a PHP pro. Please help.

Aditya Mooley

Quote from: gibblesmg on December 22, 2004, 03:55:31 AM
To mu surprise i too have had the defaced page replace my photo gallery. I talked to my ISP who indicated that PHP 4.3.8 was safe so I rebuilt my gallery again. Only within 4 hours to have it shut down. I am not a PHP pro. Please help.
The only solution to this is to upgrade to PHP 4.3.10 or more.
--- "Its Nice 2 BE Important but its more Important 2 Be NICE" ---
Follow Coppermine on Twitter

Hein Traag


djcrash

Understand I help to handle (to settle) from this hold-down problem 3.4.10 entirely PHP? If I write it for administrator so e-mail.
Please, < ask > about answer.

Joachim Müller


jack

Versions of the worm will deface any site it can find on a server. If someone else on your server has a vulnerable version of phpBB, and other countermeasures are not implemented by your server host, your site will be defaced through no fault of your own.

A newer version of the worm will install an IRC controlled DDOS bot instead (or as well as, I'm not sure yet) of defacing sites.

The worm will try any and every php file it can find even though they are not necessarily phpBB. This will push your bandwidth usage through the roof. To guard against that, you can either edit each and every PHP file to just abort when it gets queried by the worm (easier siad than done) or if your host has mod_rewrite (most apache installations do), put the fllowing into a .htaccess file :-


        RewriteEngine On

        RewriteCond  %{QUERY_STRING} &cmd=cd%20/tmp;
        RewriteRule  .* - [F,L]


This will block the three variants that I am aware of. I will update this if needed as time progresses.

Although this worm only affects phpBB, I would not consider php 4.3.8 'safe'. Hosts need to patch the problems in earlier versions or upgrade to 4.3.10
Please do not contact me for support directly - instead: post on this board!