upload.php exploit

[twocups]

My box, running 1.4.4 has been root kitted by an exploit in the upload.php file. Is this a known exploit? Who should I contact to share info?

[Joachim Müller]

Post what type of files has been uploaded. Blind guess: you have fallen victim to the rar vulnerability that exists on outdated apache webserver setups. This is not related to coppermine, but a webserver vulnerability. Read the threads that deal with it: http://forum.coppermine-gallery.net/index.php?action=search2;search=rar
If this vulnerability doesn't apply for you, please contact me over PM, providing as many details as possible.

[twocups]

Its .gz not .rar, same problemo I expect. (PM sent)

[Joachim Müller]

you could have posted your PM publicly as well, as it doesn't contain sensitive information. Yes, imo you have been attacked using the same exploit that I refered to above.

[twocups]

Ok, here is my post for those interested. Something to watch out for.


Looks like RAR was attempted first "Destroyer57.php.rar" in the userpics directory.

However, that file just downloads doesnt run. Its actually a .gz file that was uploaded ("a.php.gz") - which contains a copy of a rather nasty looking phpRemoteViewer. For some reason mr hacker then installed a further file "xp_publish.php" in the root directory - same software.

Im running apache 2.2 (is that outdated?!) I assume apache is decompressing and running .gz files on the fly...

[Nibbler]

2.2 is the latest version. Your server is setup to run anything that looks like a php script using php, regardless of the file extension.

[twocups]

Yeah, ill have a look at that. See if it can brew beer without being asked too!

Thanks for your help all,

James