Someone has Redirected my Site to cdpuvbhfzz.com-What do I do? - Page 7 Someone has Redirected my Site to cdpuvbhfzz.com-What do I do? - Page 7
 

News:

CPG Release 1.6.26
Correct PHP8.2 issues with user and language managers.
Additional fixes for PHP 8.2
Correct PHP8 error with SMF 2.0 bridge.
Correct IPTC supplimental category parsing.
Download and info HERE

Main Menu

Someone has Redirected my Site to cdpuvbhfzz.com-What do I do?

Started by htgguy, April 06, 2008, 10:04:11 PM

Previous topic - Next topic

0 Members and 1 Guest are viewing this topic.

Nibbler

I don't see how update.php can be exploited - it doesn't take any user input. I think that's just used to find out what table name prefix you are using.

mr.goose

@ Nibbler:- Hmm. I guess with a highly systemic attack it is hard to determine exactly what does what. And your knowledge far outweighs mine. However (and I am guessing here) if this is an automated attack and if it cannot get the table prefix in order to write to the desired table, then the hack is pretty much stymied - albeit until the hacker works out another way to get the info he needs of course.

In any event, it seems to me that the fact the hacker can write to the database at all is of the greatest concern. We need to understand the mechanism the attacker has used to do this, don't you think?
Best wishes, G.
Ps My cpg_config still remains unaltered, I'm very glad to say.  :)

dochlaggie

This is a nightmare. I updated, so i thought a site that was hacked with this file a week ago. I updatde to 1.4.16  and guess what this morning, I am hit yet again.

GloryOfCreation.net

Well, I had the same problem and just overhauled my gallery. Backed up everything, deleted everything except Albums, went through albums and replaced any html or php files (ended up only being index.html files), then re-uploaded the newest version (doing just the update didn't work for me).
For now, it is working: http://www.gloryofcreation.net

GloryOfCreation.net

nevermind. sorry. main gallery looked fine. individual albums aren't loading correct.
Think I'm just going to delete everything, upload my latest backup (Feb28th), and update to the newest.

laurie1681

I was hacked too, i modified all the files all works fine except that when they enters my site (via joomla).
Users who use IE still get the trojan.

I'm using firefox and it is fine.

I have a question,
did the database get hacked too or just the files?



oneoddsock

one of my galleries was compromised also, slightly annoying but these things happen.

I am curious is 1.4.16 vunerible to the exploit - from what I have read I believe it is and that 1.4.17 contains the fix?

looking at the patch and changes to the upload code in http://forum.coppermine-gallery.net/index.php?topic=51787.0 it's a fix to stop an SQL injection from the part of the code that says "WHERE mime='$URI_MIME_type' - that much I think I understand

however, looking at the upload code, I do not understand how an attacker can get to this line of the code unless they have a login or permission to upload files, my coppermine galleries (prior to being compromised) were set to only allow logged in users to upload and the galleries were closed to new signups..


// Check to see if user can upload pictures.  Quit with an error if he cannot.
if (!USER_CAN_UPLOAD_PICTURES && !USER_CAN_CREATE_ALBUMS) {
    cpg_die(ERROR, $lang_errors['perm_denied'], __FILE__, __LINE__);
}

how does attacker get to the injection line?

marian

I have discovered that this is NOT something new.
The Trojan concerned (or one of them) - HARNIGz - was first reported as infecting PCs in July 2004 http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ%5FHARNIG%2EZ&VSect=T.
In May 2006, it was used to infect various servers by taking advantage of an exploit is the Invision BB script.

I discovered this info after a strange event caused me to do a Google search for loadadv598.
The strange event was this:
I was checking this thread when AVG popped up saying that a Trojan horse downloader had been found and cleaned in TempInternetFiles/ContentIE5/VHDO0E/loadadv598[1].exe. What was strange is that I was not using IE5, but Firefox - in fact IE5 has NEVER been on this particular laptop! So, I searched Google for loadadv598 and found that this thing has been around for a long time.
Not sure how that helps, except that it does mean there is info out there - for those who understand it - about this things modus operandi.

Hercules24

I was using 1.4.16 and got hacked too :(
ALL .html and .php files on every directory of my sites (>700 dirs/100+files) did have an extra line of iframe code attached.
Luckily all those files I have back ups from.
I uploaded all new 1.4.17 CPG files and manually restored my include/config.inc  and ran the update.php
It seems everything is working fine again http://kuikens.com/pictures/
Hopefully this stinker didn't infect the dbase or other non static .html or .php stuff.
Too bad even running on the newest CPG update didn't protect me this time as I was infected 2,5 days before the 1.4.17 release.

Joachim Müller

For the very last time: stop the "me too" postings. Don't force me to lock this thread.
And for the very last time: upgrading alone will not sanitize a gallery that has already been infected. Therefor, you'll experience what you're refering to as re-infection.

Llama8668

Could you not post and straightforward guide to sanitisation (it's been mentioned numerous times by yourself but I've yet to see anything particularity clear as to how to do this in simple terms). Coppermine is used specifically because it's easy to install and use with limited understanding of the functionality behind it. It's hardly surprising that people are calling out for easy to understand help.

I get that you can run forums as you wish (by the looks of things most of the admins / mods have a similar attitude towards support) but it's flaws in your software which are killing sites across the internet (the fault allows for the spread outside of the coppermine gallery itself which makes it much worse). I've noticed Google is even beginning to flag an effected sites as malware infected if the hack is present when they crawl it, blocking connections (as do browsers like firefox which integrate threat warnings from stopbadware.org). I don't think it's too much to ask that a place be setup to provide support for the many effected users (and the only reason people are stepping to to provide suggest solutions is because of the lack of official, easy to understand responses).

pspmichael

Quote from: shiftsrl on April 10, 2008, 09:05:35 AM
This shit happened again with the only difference that this time the 142739_298w3 file is not present on the directory indicated /userpics/1001/142739_298w3.jpg. I'm the admin of my gallery and the only one that can upload. in any case I had URI upload enabled for the administrator and I've disabled it.
Let us all know of any patch to avoid this...
Thanks

I feel for you man, I got hit too.  I spent most yesterday trying to figure out why antivirus programs were saying my site was trying to install a trojan.  I finally caught sight of the cdpuvbhfzz reroute at the bottom of the screen.  A Google search brought me here and to the answer to my problem.  Over 100 php files infected with his iframe command.

I don't understand how these people get away with this.  I mean look at all the information they have on the guy, http://whois.domaintools.com/cdpuvbhfzz.com, and he owns 8 other domains!  So why don't they go and arrest the little sick bastard?  If it's because of money, I have the solution.  Take everything he owns and sell it.  Add to that any all money from banks and other holdings.  Announce the total and sell raffle tickets.  In order to win the raffle, you must be one of the pay per view customers that paid to watch his arrest live and then another pay per view event for the sentencing.  If the sentencing were to be something like hanging them from their thumbs while being caned or hung by some other part of the anatomy while being caned, then tarred and feathered.  After getting tarred and feathered they have to walk to jail ... and we can see it all live on pay per view!  Man I would pay to see that!  Maybe the pay per view people could be in a lotto to win free tickets to see it in person and participate in the tarring, feathering or caning.   Now that's what I call Reality TV at it's finest!

sharpo

Is there a simple set of instructions to follow?

If mods can't give answers, where else can we look for help?
Sharpo (not an expert, just a Coppermine user)
3 live galleries, first started in 2006.
http://www.sharpos-world.co.uk/BB3cpg/ with over 8,000 images.
http://www.sharpos-world.co.uk/cpg/ with over 25,000 images. 1.6.25
http://www.sharpos-world.co.uk/kc/ with over 300 images. 1.6.25

volksfahrer.nl

Quote from: Joachim Müller on April 13, 2008, 04:19:37 PM
And for the very last time: upgrading alone will not sanitize a gallery that has already been infected.

I read this topic over and over but what does sanitize it then?
I can't find it.

Quote from: Llama8668 on April 13, 2008, 04:54:02 PM
Could you not post and straightforward guide to sanitisation (it's been mentioned numerous times by yourself but I've yet to see anything particularity clear as to how to do this in simple terms). Coppermine is used specifically because it's easy to install and use with limited understanding of the functionality behind it. It's hardly surprising that people are calling out for easy to understand help.

I get that you can run forums as you wish (by the looks of things most of the admins / mods have a similar attitude towards support) but it's flaws in your software which are killing sites across the internet (the fault allows for the spread outside of the coppermine gallery itself which makes it much worse). I've noticed Google is even beginning to flag an effected sites as malware infected if the hack is present when they crawl it, blocking connections (as do browsers like firefox which integrate threat warnings from stopbadware.org). I don't think it's too much to ask that a place be setup to provide support for the many effected users (and the only reason people are stepping to to provide suggest solutions is because of the lack of official, easy to understand responses).


Ditto on this.
Loads of things written in this topic but no REAL solution yet.

Joachim Müller

Quote from: Llama8668 on April 13, 2008, 04:54:02 PM
Could you not post and straightforward guide to sanitisation (it's been mentioned numerous times by yourself but I've yet to see anything particularity clear as to how to do this in simple terms).
I'm currently working on such a guide. If you can't wait, come up with a newbie-proof explanation by your own ::).
However, I'm not inclined to post such instructions for people like you who are ungratefull of what you get for free. Yes, your site got infected by a jerk who ran an exploit against a vulnerability that existed in coppermine. The vulnerability has not been detected before, so it was not our reluctance to close a security hole that we already had been aware of that lead to the outbreak, as we haven't been aware of the vulnerability before. Coppermine has been created by humans, and humans make mistakes. The vulnerability has not been added on purpose. After all, we provide an application that you're free to use or not to use. It doesn't come with any warranties (see the license disclaimer!). Every piece of non-trivial software contains bugs. Sadly, this bug led to your site getting hacked. Yet there is no reason to acuse us. Acuse the jerk who hacked your site if you want (as pspmichael did), but don't blame us for your site getting hacked. It takes time to come up with cleaning instructions that everyone can follow - I have already posted the basic principles which should be enough for people who know their way around, so if you can't wait, hire a pro to get the sanitization done by him.
After all, it's beyond the scope of this support board to come up with such a sanitization instruction, yet I'm working on it because I can see the need for such instructions for newbies.
Bottom line: don't use pre-made applications that allow user input if you're afraid that incidents like that can happen. You could have made some precautions yourself by performing frequent backups, yet you probably haven't. If you have backups, just roll back your last known-good backup, close the vulnerability hole and you'll be good.
Stop wasting my time, forcing me to reply to such acusations like yours; I could spend the time better working on the instructions instead of having to reply to postings like yours.

For the very last time now: everybody stop replying to this thread with invalid remarks or I'll lock this thread and make sure that only users who haven't misbehaved will be able to see the instructions I'm working on. I mean it!

Joachim

Joachim Müller

Quote from: sharpo on April 13, 2008, 05:58:38 PM
Is there a simple set of instructions to follow?

If mods can't give answers, where else can we look for help?
I already explained that you mustn't ask the same question over, neither on this thread nor in any other thread. You mustn't post new threads to avoid what I said above. I merged your thread with the one that already exists. Patience, grasshopper.

marian

Quote from: Joachim Müller on April 13, 2008, 06:21:29 PM
However, I'm not inclined to post such instructions for people like you who are ungratefull of what you get for free.
I don't think anyone is ungrateful for what they get for free. Certainly, I will be the first to say that, without Coppermine, we could not have built up a much applauded gallery, with over 55K images that have been viewed over 5 million times and we have recommended the script to many people.
At the moment, it is not being viewed by anyone as we have disabled access. This is because all our IT people - host, webmaster, security advisor - are convinced that we were genuinely re-infected AFTER disabling our only URI upload. Given the server log entries and the efforts made using scripts and manual inspection to ensure that "sanitisation" was complete, we do not believe this was merely a "so-called" re-infection, but a very real one.
What concerns me is that, since you are working on "sanitisation" instructions, you must believe that the patch has solved the problem, whereas we agree with mr goose, who posted "I suspect that the 1.4.17 patch only addresses one vulnerability."

oflus

Indeed people, stop pushing them and give them the time to come up with a workaround of the issue. Unless you have hard evidences that the new patch does not work, I also think you should not post here.

About recovering your galleries, you can also ask your host to assist you. For example, I host my gallery at SiteGround (hope I am not breaking any rules by mentioning them) and once I reported the issue to them, they immediately cleaned my entire hosting account from the malicious code and upgraded my gallery. And this for about 5-10 minutes. They also informed me that are working on a global resolution, which will prevent this issue from happening again on server level and it will be applied in a day or less.

I am sure that there is a simple shell command that you can think of to clean up your infected files, by using perl or sed.

Oflus

marian

Quote from: oflus on April 13, 2008, 07:16:48 PM
I am sure that there is a simple shell command that you can think of to clean up your infected files, by using perl or sed.
Wonderful!!
Has it not occurred to you that most people with Coppermine galleries will not have a clue what you mean by "simple shell command", much less how to use one?
I am sure this will earn me a greater negative Karma rating, in the Gau Gau system, and – almost certainly - a ban, but I don't care one bit. I have thought a great deal, over the last few days, before posting this and have decided to do so, not for my personal benefit, but for that of others.
My principle reason for posting is because several people – most of whom we do not know – have asked us "Do you think the latest loadadv598 attack could be a deliberate attempt to destroy Coppermine, because of the contempt with which the authors treat people?"
There is IMO a fundamental flaw in the concept of Coppermine "support", in that my idea of "support" seems to be very different from what happens on this forum, which is – from my own perception and those of the people who have contacted us – a place where fear reigns, among those seeking support, created by a "you will do as I say, or else" attitude among those who are supposed to be providing that support.
I don't pretend to fully understand karma, in any real Indian religion sense, but I believe in it and realise that I always tried to live by its concept, even before I had ever heard the word.
In my book, someone with positive karma is a good person, someone who is totally loyal to friends, supportive of acquaintances and tries to be kind to others who cross his/her path. In other words, you do unto others as you would have others do unto you and, if what you do is positive then your "karma" or whatever you, personally, call it will be positive. On the other hand, if what you do to others belittles them and is cruel to them, your karma will be negative.
As I see it, positive karma is not something you get for answering questions on a forum and I consider it arrogance for any human being to believe that THEY have any right to designate anyone's karma, by a process of "clicks" delivered by one man and his sycophants.
Let me tell everyone here why my karma on this forum is -5. Not long after we installed Coppermine, I was informed, by GauGau, that I had been banned for having removed the Coppermine link from the bottom of my Gallery. I was furious, because I had done no such thing, so I registered under another name and informed GauGau that I had not done this and, indeed, would not (in those days) have had a clue how to; something that should have been obvious to him from the very basic nature of the questions I had been asking. The result was that he admitted that he had made a mistake, because he had been viewing our Rainy Day template in bright sunshine and couldn't see the Coppermine link. Did I get an apology from him? No! Instead I got the ban lifted and that -5 karma. In my book, GauGau was the one who earned negative karma for his false accusation, not me for defending myself and pointing out that his accusation was false.
The reaction to this saga of the loadadv598 trojan is IMO typical of where this so called support forum falls apart.
April 6 Htgguy reported the problem. He was immediately given the standard "Upgrade" and "Instructions are in manual" stuff.
April 7 GauGau was suggesting that people were jumping to conclusions and this was not just a Coppermine exploit.
April 8 GauGau was still telling people to upgrade and upgrade other apps.
April 9 GauGau posted Most replies on this thread (except the report by mr.goose) are invalid. Please don't PM me. Instead, read up what I suggested in this thread and post your report. Everyone who has been running an older version than cpg1.4.16 when he/she got infected should try to fix this on his own and not reply here. Keep this thread clean with only valid postings.
April 9 5 ½ hours after that GauGau post, Nibbler had figured out one exploit.
So, it took 3 days before any serious reaction to a major hack occurred!! The only reason for that delay, as far as I can see, is that the majority of Coppermine users have no sense of being in a supportive atmosphere, but are terrified that reporting their concerns will result in a ban that might make it hard for them to continue to operate their Coppermine gallery. GauGau's last post on this thread illustrates this perfectly. "I'll lock this thread and make sure that only users who haven't misbehaved will be able to see the instructions I'm working on. I mean it!"
Recognising that those affected by this hack needed to talk, but recognising equally that those who were trying to solve the problem should not be bothered by such distractions, I tried to help all concerned by starting a self help thread. GauGau locked it. Why? Can he not see that those of us who are affected, whether it is people like us with a huge gallery, or an individual who is proud of his/her personal gallery, need to feel that they are not alone?

marian

I should add that my main motive for posting the above is simply because I, like mr goose, DO NOT believe the latest patch has entirely addressed this problem and I would like to feel that those who might have useful info to contribute, but are afraid to do so, could be encouraged to come forward.