Under Attack Under Attack
 

News:

cpg1.5.48 Security release - upgrade mandatory!
The Coppermine development team is releasing a security update for Coppermine in order to counter a recently discovered vulnerability. It is important that all users who run version cpg1.5.46 or older update to this latest version as soon as possible.
[more]

Main Menu

Under Attack

Started by wildwalker, May 29, 2018, 11:50:51 AM

Previous topic - Next topic

0 Members and 1 Guest are viewing this topic.

wildwalker

Hello All,

For the last few days I have had someone (something) looking at the same two images over and over. The number of views can be around a 100 or so per day, maybe slightly more. The source IP is always the same.

Coppermine Gallery version is 1.6.03 (stable)

So far I have:

Banned the IP several times, it just changes.
Deleted the first two pictures (its always two pictures that are targeted) to see if a second set of images is targeted, from the same IP, and it is.

This is what I see in wireshark - 436   100.049282   195.154.187.229   192.168.1.11   HTTP   600   GET /displayimage.php?album=28&pid=4922 HTTP/1.0

So I can't block them via IP Address.
I am trying to get the MAC, to see if I can block this in the router (assuming it's not spoofed)

Does anyone have any insight in to what these people are trying to do, and how I could stop it?

Thanks All.

ron4mac

#1
It's coming from poneytelecom.eu
https://www.systemtek.co.uk/2017/08/blocking-poneytelecom-eu/

It may be trying to exploit some old security hole that may have existed in older CPG versions.

ron4mac

Rather than trying to block IPs, I run a PHP script via cron once everyday that emails me about any new or changed files. When I've caused changes to the site I just pull up the script and regenerate the snapshot.

wildwalker

Quote from: ron4mac on May 29, 2018, 01:57:17 PM
It's coming from poneytelecom.eu
https://www.systemtek.co.uk/2017/08/blocking-poneytelecom-eu/

It may be trying to exploit some old security hole that may have existed in older CPG versions.

Hello ron4mac. I have checked each IP as they have come in, and some are listed as Russian, some from France. I did think they are trying to find an older security flaw, but wanted to check that there wasn't a newer one I had missed, hopefully this attack will end soon when they realise they are banging their head against a wall.

I will continue to ban their IPs, I might even plug in a Cisco use a country wide ACL list :)

Thanks for the reply.

wildwalker

Just a quick update.

So first of all I banned all of the following IPs from your link.

62.210.0.0/16
195.154.0.0/16
212.129.0.0/18
62.4.0.0/19
212.83.128.0/19
212.83.160.0/19
212.47.224.0/19
163.172.0.0/16
51.15.0.0/16
151.115.0.0/16 (Added 29-08-2017)

I continued to ban each IP Address (actually on a subnet level /16) that was used, and the frequency of attacks slowed, until yesterday when, after adding the last IP range, it stopped :)

Additional bans are:

46.161.0.0/16
195.154.187.0/24
195.154.0.0/16
151.106.0.0/16

Now, they could have just given up, but either way I wanted to share this information as if they are not attacking my site, they probably moved on to attacking someone else, if so hopefully this information will be useful.

Thank you for your help.

Alan.

jksobonya

Thank you so much wildwalker for posting this information! I am not on cpg 1.6 yet, but I noticed this exact issue happening to one of my Coppermine galleries about a month ago. It didn't make a lot of sense to me why the first 2 images in "Last Additions" were getting many more hits than other recently uploaded images. I have blocked the IP addresses mentioned here in hopes of stopping this.

Thanks!

--Jessica

jksobonya

Hello,

Replying again - just wondering if anyone else is having this issue, as this continues to be a problem on my sites. It's not urgent, just annoying. I wonder how many people this is happening to.

Thanks!

--Jessica