Preventing Phishing Hacks

Started by bfrd, October 23, 2008, 07:03:45 PM


bfrd

I got notified this morning by Wells Fargo that a phishing site was being run off of my domain. The link was to a site being hosted within the userpics folder of my coppermine installation. The installation was old; I had been too busy to keep up with the updates. Regardless, I found some time this morning and upgraded 1.4.4 to 1.4.19. The upgrade was simple and there were no problems that I could find. While there is a wealth of information on the installation procedures, I couldn't find much on hardening the installation. The userpics and other albums are being created with 777 since anything less than that will cause ImageMagick to fail. My first glance would tell me that anything with wide open permissions like that is just asking for trouble. Since php files had to be uploaded I am not sure exactly how the hacker got the files to my site. I do have FTP access to the albums directory and have changed that password to make sure.

I have looked over the documentation a few times this morning, and haven't found a guide to securing the application.  Perhaps I missed it, but does anyone have any ideas on how to prevent this sort of attack in the future?

Thanks

Joachim Müller

#1
Quote from: bfrd on October 23, 2008, 07:03:45 PM
The installation was old I had been too busy to keep up with the updates.
That was the reason for being hacked: the attacker probably used known flaws.
http://forum.coppermine-gallery.net/index.php/topic,51671.0.html
http://forum.coppermine-gallery.net/index.php/topic,51927.0.html
Not related to initial install, moving accordingly.

Bottom line: to prevent any type of hacks (phishing or other), keep your coppermine (or any other app you run) up to date. Looking into such minor issues as permissions after having been hacked and after having been reluctant to upgrade for years sounds a bit inadequate to me. You didn't care, and you have been taught a lesson for that.

bfrd

My question was not addressed. Besides installing the most recent version of the software, what actions should be taken to help prevent attacks coming in from coppermine? Obviously flaws happen, as the application was installed per the directions at ver 1.4.4. I trusted the software then, I don't want to make the same mistake again. And just for the record, being busy is not the same as being apathetic.

Joachim Müller

The script needs permissions to create folders and files within the albums folders. This being said, it's up to you to figure out what level of permissions is needed to allow the script to do what it needs to do without allowing hackers to run havoc on your page. This relates to webserver setup, not to coppermine. You can't expect an easy answer like "CHMOD to XYZ and you'll be fine", because there can not be such a type of answer. Your question is invalid in the first place: your reluctance to upgrade got you hacked. The attacker probably used vulnerabilities that existed in old, outdated versions of coppermine to gain control over your site. They would have been able to do so no matter what level of permissions you would have set up on file system level, as they probably used a vulnerability in Coppermine to get in. What do you expect? A miracle "super-safe" setting in coppermine? OK, I have such a recommendation for you: set permissions (CHMOD) to 000. This will make sure that you won't get hacked, with only the small drawback that you won't be able to use coppermine any longer ::).

This being said, in a reply to your original question
Quote from: bfrd on October 23, 2008, 07:03:45 PM
does anyone have any ideas on how to prevent this sort of attack in the future?
Yes: keep your app up to date!

Quote from: bfrd on October 23, 2008, 11:50:41 PM
My question was not addressed.
It was. Read my reply!

Quote from: bfrd on October 23, 2008, 11:50:41 PM
And just for the record, being busy is not the same as being apathetic.
I didn't say so. I said that you have been reluctant to upgrade. I didn't say that you were lazy, although one could conclude that from what you said above... ;)
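The two points argued above (the albums tree has to be writable for the gallery script, yet a world-writable upload folder is where a phishing page ended up living) can at least be checked for rather than guessed at. The following is an added example, not Coppermine's or any poster's code: a small audit script that walks an upload tree and reports world-writable entries, files carrying a server-side script extension (including double extensions such as `logo.php.jpg`), and image-named files whose content starts with a PHP open tag. The directory layout and file names are constructed for the demo, and `ALBUMS_DIR` is a placeholder for a real gallery path.

```python
"""Audit a gallery upload tree (for instance Coppermine's albums/userpics)
for conditions that let a planted phishing page run or get written:
world-writable entries and server-side scripts stored among the images.

Added example, not Coppermine's own code. The demo tree below is constructed.
"""
import os
import stat
import tempfile

ALBUMS_DIR = "/path/to/gallery/albums"  # placeholder, not a real path

# Extensions a PHP-enabled web server will typically hand to an interpreter.
SCRIPT_EXTENSIONS = {".php", ".php3", ".php4", ".php5", ".phtml", ".phar", ".cgi", ".pl"}


def has_script_extension(name):
    """True if any dotted part of the name is a script extension, so
    'logo.php.jpg' is caught as well as 'index.php'."""
    parts = name.lower().split(".")[1:]
    return any("." + p in SCRIPT_EXTENSIONS for p in parts)


def looks_like_php(path, head=512):
    """Content check: flags files whose first bytes contain a PHP open tag,
    even when the extension claims the file is an image."""
    try:
        with open(path, "rb") as f:
            chunk = f.read(head)
    except OSError:
        return False
    return b"<?php" in chunk or b"<?=" in chunk


def audit_upload_tree(root):
    """Walk root and return a sorted list of (issue, path_relative_to_root)."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for d in dirnames:
            full = os.path.join(dirpath, d)
            if os.stat(full).st_mode & stat.S_IWOTH:
                findings.append(("world-writable dir", os.path.relpath(full, root)))
        for fn in filenames:
            full = os.path.join(dirpath, fn)
            rel = os.path.relpath(full, root)
            if os.stat(full).st_mode & stat.S_IWOTH:
                findings.append(("world-writable file", rel))
            if has_script_extension(fn):
                findings.append(("script extension", rel))
            elif looks_like_php(full):
                findings.append(("php content in non-script file", rel))
    return sorted(findings)


def build_demo_tree():
    """Constructed sample: a chmod-777 userpics folder holding a real-looking
    image, a planted login.php, and an image-named file with PHP inside."""
    root = tempfile.mkdtemp(prefix="albums_demo_")
    userpics = os.path.join(root, "userpics", "10001")
    os.makedirs(userpics)
    os.chmod(os.path.join(root, "userpics"), 0o777)
    os.chmod(userpics, 0o777)
    samples = {
        "photo.jpg": b"\xff\xd8\xff\xe0JFIF-constructed",
        "login.php": b"<?php /* planted page, constructed */ ?>",
        "logo.jpg": b"<?php echo 'constructed'; ?>",
    }
    for name, body in samples.items():
        path = os.path.join(userpics, name)
        with open(path, "wb") as f:
            f.write(body)
        os.chmod(path, 0o644)  # files themselves are not world-writable here
    return root


if __name__ == "__main__":
    demo_root = build_demo_tree()
    for issue, rel in audit_upload_tree(demo_root):
        print(f"{issue:32s} {rel}")
```

Run against a real gallery by passing its albums path to `audit_upload_tree` (or point a cron job at it and diff the output day to day). The script only detects; the fix on the webserver side, as the reply above says, is a hosting decision, typically telling the server not to execute scripts from the upload directory at all, so that a stray `.php` file there is served as inert text rather than run.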

bfrd

Regardless of your condescending attitude, your second reply at least clearly answered the question. Other than keeping the application up to date or completely disabling it there is no way to protect against hacks.

And again your assumptions are false. I was not reluctant to upgrade, I was unaware how insecure my version of coppermine was. Being reluctant to upgrade would have been knowing that it was full of security flaws and then choosing to do nothing about it. As I said earlier I trusted the software before, that will not happen again. Is there a mailing list to inform users of updates, or do we just have to check back daily?

SaWey

You can subscribe to the RSS feed on sourceforge: http://sourceforge.net/export/rss2_projnews.php?group_id=89658
This will keep you up to date on the whereabouts of Coppermine.