Phishing trick

Started by Funster, March 24, 2006, 06:16:14 PM


Funster

Hey folks,

tonight I noticed the following in my gallery: a new user named kktlung registered and immediately uploaded a file named q.php.rar with the following content:

<title>nsTView v2.0:: nst.void.ru</title>
<center>
<table width=100 bgcolor=#D7FFA8 border=1 bordercolor=black><tr><td>
<font size=1 face=verdana><center>
<b>nsTView v2.0 :: <a href=http://nst.void.ru style='text-decoration:none;'><font color=black>nst.void.ru</font></a><br></b>
</center>
<form method=post>
Password:<br>
<input type=password name=pass size=30 tabindex=1>
</form>
<b>Host:</b> www.domain.tld<br>
<b>IP:</b> 81.169.138.98<br>
<b>Your ip:</b> 84.131.56.144
</td></tr></table>

(domain.tld was altered by me)

Well, I deleted the whole thing, what else would be better? But if you search the web for the specific user name or the name of the file, you get some hits.
What do you think about it?


Keep your eyes open, guys!

Cheers,
F.


kegobeer

There are already discussions about the rar trick.  Please search before posting.

Don't allow rar files to be uploaded; verify people before allowing them access to your gallery; don't allow uploads; make your host properly configure the server so rar files are handled correctly.  All excellent ways to protect your gallery.
Do not send me a private message unless I ask for one.  Make your post public so everyone can benefit.

There are no stupid questions
But there are a LOT of inquisitive idiots

Joachim Müller

http://forum.coppermine-gallery.net/index.php?topic=29063.0
http://forum.coppermine-gallery.net/index.php?topic=22806.0
and some others. Actually, this is not a phishing attack, but the server vulnerability can be used to even take over your server and execute any code.
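
The upload-filtering advice in this thread can be enforced at the file-name level. The following is an added example, not part of the original thread and not Coppermine code: it flags names such as q.php.rar where a script extension appears in any position, assuming the server (for example Apache with mod_mime, which evaluates every extension in a file name) may hand such a file to an interpreter. SCRIPT_EXTS and all function names are assumptions made for illustration.

```python
import os

# Assumption: extensions the web server hands to a script interpreter.
# Adjust to match the handler mappings of the actual server.
SCRIPT_EXTS = {"php", "php3", "php4", "php5", "phtml", "pl", "py", "cgi", "asp", "jsp"}


def script_segments(filename, script_exts=SCRIPT_EXTS):
    """Return every script extension found in any dot-separated segment.

    The first segment is the base name, not an extension, so it is skipped.
    Case, trailing dots and spaces are normalised first, because some
    file systems and servers ignore them.
    """
    name = os.path.basename(filename.replace("\\", "/")).strip().rstrip(". ").lower()
    segments = name.split(".")[1:]
    return [seg for seg in segments if seg.strip() in script_exts]


def is_suspicious_upload(filename, script_exts=SCRIPT_EXTS):
    """True if a script extension appears anywhere, not only at the end."""
    return bool(script_segments(filename, script_exts))


def scan_tree(root, script_exts=SCRIPT_EXTS):
    """Walk an upload directory and return sorted relative paths to review."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            if is_suspicious_upload(fname, script_exts):
                hits.append(os.path.relpath(os.path.join(dirpath, fname), root))
    return sorted(hits)


if __name__ == "__main__":
    # Constructed sample names; q.php.rar is the file name from the first post.
    for sample in ["q.php.rar", "holiday.jpg", "Shell.PHP5.zip", "notes.php.", "php.jpg"]:
        print(f"{sample!r}: {script_segments(sample)}")
```

The same check works as an upload-time filter (reject when is_suspicious_upload returns True) and as a periodic audit of the existing upload directory via scan_tree.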