
New exploit in 1.3.3?

Started by Jackal, July 07, 2005, 05:12:06 PM


Jackal

Hi guys, First I've got to say that Coppermine 1.3.3 is awesome - a lot of work and well appreciated.

I've been using it for about 4 weeks without a problem - but about 5 days ago it was compromised in some way.

There are multiple problems, from registered users being unable to set up new albums or upload files, to, at worst, all users deleted along with their albums, images and database records.

My hosting Company says I am the sixth client who has complained of this problem in the last 10 days - but have scanned their systems and claim that the system is clear.
I've tried installing a new instance of 1.3.3 in a new directory with a new database - but after getting a new user on, everything got deleted when I tried to use the admin account...

Any bright ideas anyone? Your help is appreciated

Tranz

Just to eliminate other factors, have you changed your webhost and gallery account passwords in case that is how the attacks are occurring?

Jackal

Thanks TranzNDance - That's what I thought of first. Changed account access info, then put up a new installation of 1.3.3 with different access info - but the problems were still there despite the "clean" system.

kegobeer

What other PHP apps are installed on the server?
Do not send me a private message unless I ask for one.  Make your post public so everyone can benefit.

There are no stupid questions
But there are a LOT of inquisitive idiots

Jackal

Hi Kegobeer - now that sounds like a good idea right now...

So far as I can tell, here is a complete list of PHP apps running on this server:

Fantastico. CpanelX.
    Blogs: b2evolution, Nucleus, pMachine Free, WordPress
    Content Management: Drupal, Geeklog, Mambo Open Source, PHP-Nuke, phpWCMS, phpWebSite, Post-Nuke, Siteframe, Typo3, Xoops
    Customer Relationship: Crafty Syntax Live Help, Help Center Live, osTicket, PHP Support Tickets, Support Logic Helpdesk, Support Services Manager
    Discussion Boards: phpBB2, SMF
    E-Commerce: CubeCart, OS Commerce, Zen Cart
    F.A.Q: FAQMasterFlex
    Guestbooks: ViPER Guestbook
    Image Galleries: 4Images Gallery, Coppermine Photo Gallery, Gallery
    Mailing Lists: PHPlist
    Polls and Surveys: Advanced Poll, phpESP, PHPSurveyor
    Project Management: dotProject, PHProjekt
    Site Builders: Templates Express
    Wiki: TikiWiki, PhpWiki
    Other Scripts: Dew-NewPHPLinks, Moodle, Noahs Classifieds, Open-Realty, phpAdsNew, PHPauction, phpCOIN, phpFormGenerator, WebCalendar

In fact - not a bad list if not for the problems...

Joachim Müller

whew, what a list... Do all of the other apps still work as expected?

Jackal

The only other application I've tried from the list was "Gallery". This was after the problems started - and an attempt to get around the problem.

It seems to have been affected as well, I followed the installation guidelines but couldn't set up users properly.

donnoman

Are you sure this isn't a database server issue? It may be that the MySQL server is hosed and this has nothing to do with the webserver.

Jackal

Thanks for the suggestion donnoman - never considered that might be the problem. Have contacted our Hosting Co. and am waiting for their findings.

Jackal

It seems that my hosting Company are incommunicado - I've had no email response from them about the possibility that the database server may be the root of the problem - and they can't be raised on the telephone.

What doesn't seem to fit, though, is that I have other handbuilt PHP routines running on this website that use added tables in the Coppermine database. These are all unaffected by whatever is causing the problem. What gets affected are the cpg133_albums, cpg133_pictures, cpg133_users tables, plus all of the image folders in the userpics directory get emptied...

Anyone recognize the symptoms?

donnoman

Are contents IN the tables when you look at them with something like phpmyadmin?

Are there files in the albums/userpics directory or do the files really go missing after they've been uploaded?

How long does it take for the entries in the db, or the filesystem to go MIA.

Do you have access to the HTTP access logs for your site? Have you reviewed them for suspicious activity?
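The log review donnoman asks for is usually the fastest way to separate a web-application compromise from a database or host problem: if the deletions line up with requests to admin-only scripts from an address the admin never used, the web layer is the entry point. As an added example (not code from the thread, from the poster, or from the Coppermine project), the script below parses Apache combined-format log lines and flags three things a practitioner would look for first: admin-only scripts called from an unknown IP, generic attack strings in the decoded URL, and scripted clients. The log lines are constructed, 192.0.2.10 is an assumed admin workstation, the ADMIN_SCRIPTS set is an assumption about which CPG 1.3.x scripts are admin-only, and the traversal string in the sample is a generic probe included only to exercise the pattern check; nothing here claims that particular bug exists in Coppermine.

```python
"""Triage Apache combined-format access log lines for a suspected gallery compromise.

Added example, not from the thread. All log lines below are constructed.
"""
import re
from collections import Counter
from urllib.parse import unquote

# Constructed sample: 203.0.113.5 is an ordinary visitor, 198.51.100.77 plays the
# attacker, 192.0.2.10 is the assumed admin workstation.
SAMPLE_LOG = """\
203.0.113.5 - - [02/Jul/2005:14:03:11 +0000] "GET /cpg133/thumbnails.php?album=3 HTTP/1.1" 200 5123 "-" "Mozilla/4.0"
203.0.113.5 - - [02/Jul/2005:14:03:40 +0000] "GET /cpg133/displayimage.php?pid=17 HTTP/1.1" 200 8891 "-" "Mozilla/4.0"
198.51.100.77 - - [03/Jul/2005:02:17:05 +0000] "GET /cpg133/usermgr.php HTTP/1.0" 200 2210 "-" "libwww-perl/5.79"
198.51.100.77 - - [03/Jul/2005:02:17:09 +0000] "POST /cpg133/usermgr.php HTTP/1.0" 302 0 "-" "libwww-perl/5.79"
198.51.100.77 - - [03/Jul/2005:02:18:30 +0000] "GET /cpg133/index.php?file=../../../../etc/passwd%00 HTTP/1.0" 200 640 "-" "libwww-perl/5.79"
192.0.2.10 - - [03/Jul/2005:09:00:02 +0000] "GET /cpg133/admin.php HTTP/1.1" 200 3301 "-" "Mozilla/5.0"
"""

ADMIN_IPS = {"192.0.2.10"}  # assumed: addresses the real admin works from

# Assumption: scripts in a CPG 1.3.x install that only an admin should ever call.
ADMIN_SCRIPTS = {"admin.php", "usermgr.php", "groupmgr.php", "util.php", "config.php", "delete.php"}

# Apache "combined" format: ip ident user [ts] "method path proto" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
# Generic attack strings, checked on the percent-decoded URL (so %2e%2e/ is caught too).
ATTACK_PATTERN = re.compile(r"\.\./|/etc/passwd|union\s+select|<script|\x00", re.I)
# Heuristic: user agents of common scripting clients rather than browsers.
SCRIPTED_UA = re.compile(r"^(libwww-perl|curl|wget|python-urllib|lwp-)", re.I)


def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def script_name(path):
    """'/cpg133/usermgr.php?x=1' -> 'usermgr.php'."""
    return path.split("?", 1)[0].rsplit("/", 1)[-1]


def triage(log_text, admin_ips):
    """Return (findings, requests_per_ip). Each finding is (ip, timestamp, path, reason)."""
    findings, per_ip = [], Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        per_ip[rec["ip"]] += 1
        decoded = unquote(rec["path"])
        if script_name(rec["path"]) in ADMIN_SCRIPTS and rec["ip"] not in admin_ips:
            findings.append((rec["ip"], rec["ts"], rec["path"], "admin-script-from-unknown-ip"))
        if ATTACK_PATTERN.search(decoded):
            findings.append((rec["ip"], rec["ts"], rec["path"], "attack-pattern-in-url"))
        if SCRIPTED_UA.match(rec["ua"]):
            findings.append((rec["ip"], rec["ts"], rec["path"], "scripted-client"))
    return findings, per_ip


def suspect_ips(findings):
    """Distinct source addresses that produced at least one finding."""
    return sorted({f[0] for f in findings})


if __name__ == "__main__":
    found, counts = triage(SAMPLE_LOG, ADMIN_IPS)
    for ip, ts, path, reason in found:
        print(f"{ip:15} {ts} {reason:30} {path}")
    print("requests per IP:", dict(counts))
    print("suspect IPs:", suspect_ips(found))
```

On a real server, feed the script the whole rotated log set for the days before the first deletion, not just the day it was noticed: the poster's own observation that the admin panel sat unused for three weeks means the initial entry could be anywhere in that window. Timestamps of hits on the admin-only scripts can then be matched against the database's own record of when rows disappeared.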

Jackal

Hi donnoman

1) The contents were in the tables before they get deleted - not there afterwards - checked by phpMyAdmin and also by viewing exported SQL data in Notepad.
2) The files in userpics/albums are completely deleted - vanished without a trace
3) The files and db records go missing within seconds of any attempt to access registered user data as an admin user
4) I checked through all the logs when it happened the 1st time. All were normal users - and only accessed non-critical parts of the system.

My belief is that the contamination was lurking for some time - I hadn't used the admin panel for about 3 weeks - so it could have been any time in the interim that I was struck...

It seems strange that nobody else is reporting similar problems like this. My web hosting Company seem to have forgotten about me on this issue - that or they've left the Country.

donnoman

Considering everything you've posted thus far, I'd change webhosts.

I'm curious about your last statements though.

Would you mind zipping up your entire website, and let me download it. I want to see if I can find where the code has been injected. If you want to make other arrangements PM me.
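Finding "where the code has been injected" in a zipped site copy is a file-integrity comparison: hash every file in the deployed tree, hash every file in a pristine copy of the same release, and look at what was added, changed or removed. As an added example (not code from the thread, from donnoman, or from the Coppermine project), the script below does that with SHA-256 and separates two things that matter for a gallery: ordinary user uploads under the album directory, which are expected to differ from the release, and executable files that have appeared in those upload directories, which are not. The two directory trees it compares are constructed stand-ins built in a temporary directory; the assumption that uploads live under `albums/` and the list of executable extensions are the example's own.

```python
"""Compare a deployed site tree against a pristine release copy to locate injected files.

Added example, not from the thread. The demo trees are constructed in a temp dir.
"""
import hashlib
import json
import os
import shutil
import tempfile

UPLOAD_DIRS = ("albums/",)                       # assumed: where CPG 1.3.x keeps uploads
EXECUTABLE_EXT = (".php", ".php3", ".phtml", ".inc")  # assumed: what the server would execute


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def hash_tree(root):
    """Map each file's path relative to root (with '/' separators) to its SHA-256."""
    digests = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            digests[rel] = sha256_file(full)
    return digests


def is_upload_path(rel):
    return any(rel.startswith(prefix) for prefix in UPLOAD_DIRS)


def compare_trees(clean_root, deployed_root):
    """Classify every file in the deployed tree against the clean release tree."""
    clean, deployed = hash_tree(clean_root), hash_tree(deployed_root)
    report = {"added": [], "modified": [], "missing": [], "user_content": [], "php_in_upload_dirs": []}
    for rel, digest in deployed.items():
        if rel in clean:
            if clean[rel] != digest:
                report["modified"].append(rel)      # release file altered after deployment
            continue
        executable = rel.lower().endswith(EXECUTABLE_EXT)
        if is_upload_path(rel) and not executable:
            report["user_content"].append(rel)      # expected: an uploaded image
        else:
            report["added"].append(rel)             # a file the release never shipped
        if is_upload_path(rel) and executable:
            report["php_in_upload_dirs"].append(rel)  # script where only images belong
    report["missing"] = [rel for rel in clean if rel not in deployed]
    return {key: sorted(value) for key, value in report.items()}


def _write(root, rel, text):
    full = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "w") as f:
        f.write(text)


def build_demo():
    """Construct a tiny 'release' tree and a 'deployed' tree that drifted from it."""
    base = tempfile.mkdtemp(prefix="cpg-diff-")
    clean, deployed = os.path.join(base, "clean"), os.path.join(base, "deployed")
    for root in (clean, deployed):
        _write(root, "index.php", "<?php // constructed stand-in for a release file\n")
        _write(root, "albums/index.html", "<html></html>\n")
    _write(clean, "include/init.inc.php", "<?php // constructed init file\n")
    _write(clean, "docs/README.txt", "constructed release notes\n")
    _write(deployed, "include/init.inc.php", "<?php // constructed init file\n// line appended after deployment\n")
    _write(deployed, "albums/userpics/10001/cat.jpg", "constructed image bytes\n")
    _write(deployed, "albums/userpics/10001/.x.php", "<?php // constructed: a script in an upload directory\n")
    return clean, deployed


def demo():
    """Build the constructed trees, compare them, and clean up."""
    clean, deployed = build_demo()
    try:
        return compare_trees(clean, deployed)
    finally:
        shutil.rmtree(os.path.dirname(clean), ignore_errors=True)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Against a real site, point `compare_trees` at the unpacked release archive and the unpacked site zip; anything under `modified`, `added` or `php_in_upload_dirs` is what to open first, and `missing` shows what the attacker (or the cleanup) removed. Compare against the exact release version that was deployed, since any other version turns every changed file into noise.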

Jackal

donnoman

Have sent a pm to you with details of download url.

Thanks