possible virus discovered in shell.php - help please

Started by arjay, October 28, 2008, 01:40:55 PM

arjay

Hi all

Sorry if this is in the wrong place.  I was looking for a security forum or similar but can't find the right place.  Mods please move if necessary.

OK - I am running 1.4.19 but this issue refers to before May 20 2008 and would relate to whatever was the version prior to that date.

On that date I moved my website www.solclassiccarclub.net from Mercury to a new host (Netpivotal).  This was done by downloading a tarred file of the site, plus the databases, which were then uploaded and untarred by the new host on a linux server.

Yesterday I wanted to download a backup of the site to try it out on a local server PC running win 2000.  Netpivotal require you to ask for a zip file to download, which they prepare for you (can't do it yourself apparently).  I downloaded the zip file and unzipped it on a PC running win 2000.  Avast AV then immediately threw a warning for the shell.php file in /images/gallery/plugins.  I quarantined the file on my PC and renamed the same file on the actual website.  I have opened the file in a text reader on another (linux) PC and it appears to be something nasty - lots of four-letter words etc.

My site seems to be running normally, including the gallery, but I am nervous about what damage might have been done.  I also want to change the admin name and password but can't find an easy reference to this.  Is it done in the gallery itself using admin rights or in a database?

Could anyone advise on what else I should do now?

TIA

Richard

Joachim Müller

Since you haven't provided a sample of the malware nor any valuable piece of information we can hardly suggest anything. The file shell.php is not part of coppermine's core.

To change your password, log in as admin, click on "My profile" and then on "Change my password". One issue per thread!


arjay

Quote from: Joachim Müller on October 28, 2008, 11:17:23 PM
Since you haven't provided a sample of the malware nor any valuable piece of information we can hardly suggest anything. The file shell.php is not part of coppermine's core.

To change your password, log in as admin, click on "My profile" and then on "Change my password". One issue per thread!

Thanks for your reply.  I did not think it was a sensible thing to do - attach an infected file to a post in this forum - at least not without some advice from someone more knowledgeable about these things.  It is reassuring to know that shell.php is not part of the core program.  I am more than happy to post it or send it elsewhere if you think that is OK.

Sorry about asking two questions, though they seem logically related.  Anyway after seeing the treatment others get from you I reckon I got away with it lightly ;D

Thanks again....

Joachim Müller

Quote from: arjay on October 29, 2008, 08:38:32 AM
I did not think it was a sensible thing to do - attach an infected file to a post in this forum
Rename shell.php to shell.php.txt, then attach that file to your posting here (using "additional options" when composing your message). Post a textual warning with your posting. That's it. We can't fight what we can't see.

Quote from: arjay on October 29, 2008, 08:38:32 AM
Anyway after seeing the treatment others get from you I reckon I got away with it lightly ;D
Want a snotty reply? ::)

arjay

Quote from: Joachim Müller on October 29, 2008, 11:43:45 PM
Rename shell.php to shell.php.txt, then attach that file to your posting here (using "additional options" when composing your message). Post a textual warning with your posting. That's it. We can't fight what we can't see.

OK - I attach the file as per your request.  WARNING: THE ATTACHED FILE HAS BEEN WRITTEN/HACKED WITH MALICIOUS INTENT.  It has been posted for diagnostic purposes only. 

Quote from: Joachim Müller on October 29, 2008, 11:43:45 PM
Want a snotty reply? ::)

No thanks!!  Actually, I am full of admiration for your obvious dedication, your knowledge, and your continued preparedness to help those of us who need it.  It must be very frustrating for you to be mostly answering questions that have been answered before; if only we knew where to look or the correct terms to search for. Also, the less we know, the less likely it is that we will provide the right info for you to answer accurately - that must be difficult too.

It is just that sometimes I think you must come across to the new reader as rather cranky and unhelpful.  It would be a shame if some people gave up on a great piece of software because they were scared to ask questions for fear of being chewed out.  Silly as it may sound, I nearly did not post my question re this virus/malicious hack because I didn't want to be ripped to pieces for what might have been a false alarm or just a silly mistake on my part :-\ Of course it would have reduced your workload by one post, but might have denied you/others an interesting piece of information.

Anyway I very much look forward to your observations re the attached file.

Cheers

Richard

Joachim Müller

OK, as I expected that file is not directly related to coppermine, but just the payload of the attack. The attacker managed to upload it (one way or the other, impossible to figure out by looking at that script). What that script does is try to open a shell or find other vulnerabilities or backdoors (like silly, trivial passwords).
That file won't help you figure out how your site was hacked in the first place, but it gives an indication that the attacker may have gained access to even more sensitive data. You need to sanitize your webspace extra thoroughly and you need to alert your webhost of your findings.

You said in your initial posting that you're currently running cpg1.4.19, but that the incident (the infection with the above mentioned shell script) happened in May this year with an older version of coppermine. Is that correct? If yes, then we cannot figure out if the attacker used one of the known vulnerabilities in older versions or if he used a genuine, new one that we're not aware of, so your report is well-meant, but doesn't help us, nor does the warning you issued help others. Be advised though that "just" upgrading won't be enough. You need to thoroughly clean your site. Refer to the sticky thread Yikes, I've been hacked! Now what? and do as I suggested above: seek support from a pro, preferably your webhost.
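A triage pass a defender could run over the gallery tree when cleaning up after an incident like the one above, as an added example (not Coppermine code and not from the thread): it flags PHP files sitting in directories that should only hold uploaded images, and PHP files whose source contains constructs typical of dropped web shells. The directory names, the indicator list and the constructed sample files are assumptions for illustration.

```python
import re
import shutil
import tempfile
from pathlib import Path

# Upload-only directories (assumed names; adjust to the real install): no PHP belongs here.
NO_PHP_DIRS = ("albums", "images", "userpics")

# Web-shell source indicators; a hit means "review by hand", not proof of malice.
SHELL_PATTERNS = {
    "command execution call": re.compile(rb"\b(?:system|passthru|shell_exec|exec|popen|proc_open)\s*\("),
    "eval call": re.compile(rb"\beval\s*\("),
    "long base64 blob": re.compile(rb"base64_decode\s*\(\s*['\"][A-Za-z0-9+/=]{60,}"),
}

def scan_gallery(root):
    """Walk `root` and return sorted (relative_path, reason) findings."""
    findings = []
    for path in Path(root).rglob("*"):
        if not path.is_file() or path.suffix.lower() not in (".php", ".phtml", ".php5"):
            continue
        rel = path.relative_to(root).as_posix()
        # Heuristic 1: a PHP file where only images belong is suspect by location alone.
        if rel.split("/", 1)[0] in NO_PHP_DIRS:
            findings.append((rel, "php file in upload-only directory"))
        # Heuristic 2: content indicators, independent of where the file sits.
        data = path.read_bytes()
        for reason, pattern in SHELL_PATTERNS.items():
            if pattern.search(data):
                findings.append((rel, reason))
    return sorted(findings)

def demo():
    """Scan a constructed gallery tree (sample files, not the real payload)."""
    root = tempfile.mkdtemp()
    samples = {
        "plugins/index.php": b"<?php echo 'ok'; ?>",  # benign, allowed location
        # Stand-in for the thread's shell.php: obfuscated eval, not a working shell.
        "plugins/shell.php": b"<?php eval(base64_decode('" + b"A" * 64 + b"')); ?>",
        "albums/userpics/x.php": b"<?php echo 1; ?>",  # flagged by location only
    }
    try:
        for rel, body in samples.items():
            target = Path(root, *rel.split("/"))
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(body)
        return scan_gallery(root)
    finally:
        shutil.rmtree(root)
```

Run `scan_gallery` against a copy of the real gallery directory and review every hit by hand; the location heuristic is the one that catches a shell with no obvious indicator strings.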

arjay

Many thanks for the advice - I'm on the case.  It actually must have happened with my previous host as I moved the site to a new host which is when I discovered the problem (when downloading and uploading the contents of the website).  So I will inform the previous ISP as well.

Regards

Richard