Authenticate?

[sandramichelle]

When trying to change some configuration settings, I click on "save new configuration" and come to a screen that says "Authenticate" with a box for user name and password.  I put mine in, and it goes back to my home page and the changes have not been made.

Can anyone help me with fixing this, please?  I have looked through the forum but if this was touched on in a prior post, I couldn't locate it.

Thanks!

[Nibbler]

Can you post a screenshot of this? Doesn't sound like part of Coppermine to me.

[lumo]

HI, I've got the same problem since today!

Yesterday, I didn't see my Captcha Image anymore. I disabled Captcha via PHPAdmin in order to be able to login. Then I removed Captcha with the Coppermine Plugin manager. Now, when trying to make changes to my Coppermine settings, this "Authenticate" screen appears. And no changes are accepted.
(https://coppermine-gallery.com/forum/proxy.php?request=http%3A%2F%2Fwww11.file-upload.net%2Fthumb%2F29.11.08%2Fmpdmk2.gif&hash=c36cbbd55fc7bfdef4e6c6f4a5c2d2f0a9c86170)

Please help!

lumo

[lumo]

Screen after pressing submit button on authenticate screen:
(https://coppermine-gallery.com/forum/proxy.php?request=http%3A%2F%2Fwww11.file-upload.net%2Fthumb%2F29.11.08%2Ffo5eg.gif&hash=98c1a2a7c68ccca061f91f8b297f08797133a0ba)

lumo

[Nibbler]

Can you zip up your admin.php and attach it to this thread please. Is your gallery up to date?

[lumo]

I've just updated to last version.

Here's the admin.php:

http://www.file-upload.net/download-1284208/adminphp.zip.html

btw: How can I edit posts?

greetings
lumo

[Nibbler]

You can't edit posts. Please attach files to the thread instead of using some other website.

I wanted the version of admin.php that gives you this 'authenticate' box not the clean 1.4.19 version.

[lumo]

Sorry, I'm new here. This is the admin.php i downloaded from my Coppermine directory. Are there different admin.php in the directory?

How can I attach a file properly?

Cheers 
lumo

[lumo]

Okay, I found out how to attach.

lumo

[lumo]

Hi Nibbler,

any idea what's the problem here?

Greetings
lumo

[Nibbler]

The attached file is the 1.4.19 version again. Do you actually have the original?

Could be some other script interfering (possibly accidentally), or a hack to steal admin passwords.

[lumo]

So then, would it be better to set up a whole new gallery and delete the old one, that is, make a new install rather than an update?

Concerning the admin.php, as I told you, I downloaded it directly from the coppermine folder (cpg148) on my webspace. I made the update to version 1.4.19 yesterday. So why are you astonished about the admin.php version?

I guess this is the only admin.php file which should be situated in the cpgxxx directory, isn't it?

lumo

[Joachim Müller]

You probably have been hacked before performing the upgrade - your issues sound familiar: read up http://forum.coppermine-gallery.net/index.php/topic,56516.msg276234.html#msg276234 - the user there reported the very same thing.
Please note that upgrading a gallery that already was hacked won't make the hack go away - you have to sanitize your entire webspace.

[lumo]

Hallo Joachim, danke für den Hinweis. Ich mach jetzt erst mal ein Backup von meinen htdocs.
Die Galerie kann ich nicht auf Wartungsmodus stellen, weil ich ja nichts verändern kann. Ich denke, ich werde von Grund auf alles neu aufbauen.

Hi Joachim, thanks for your hint. First, I'm going to make a backup of my htdoc files. I can't set the gallery into maintenance mode because of the (assumed) hack. I think I'll need to rebuild everything.  :'(

lumo

[Joachim Müller]

It doesn't hurt if you can't put the gallery into maintenance mode. Skip that step from the sanitization instructions - it is only meant to make sure that the content of your gallery doesn't change during sanitization because of users uploading images. Starting from scratch will not automatically sanitize your webspace. The attacker may have left behind a backdoor somewhere outside of the coppermine folder. I strongly suggest that you sanitize as suggested. Only English please on this part of the forum.

[lumo]

May I post my first results of sanitization?

• "anycontent.php" is unchanged, although it was supposed to be. Maybe when updating to 1.4.19, I made the mistake of ovwerwriting the previous file.
• in /docs/pics I've got a file named "bridge_02_app.gif" which should not be there
• in /include I've got three unexpected files named "vote.php", "readme.txt" and "exifReader.inc.php". The "config.inc.php" was changed, I found a string of program code in it, beginning with:

Code Select Expand

<? /**/eval(base64_decode('aWY

, my database acces data left at the end of the string.

• in /logs I've got a surplus file named "security.log.php"

I moved all the corrupted (?) files to a new folder before changing or deleting them.

I replaced the messy content of config.inc.php with the text which was proposed by Joachim, and adding my data instead of the XXX placeholders.

Code Select Expand

<?php
// Coppermine configuration file

// MySQL configuration
$CONFIG['dbserver'] =                         'xxx';        // Your databaseserver
$CONFIG['dbuser'] =                         'xxx';        // Your mysql username
$CONFIG['dbpass'] =                         'xxx';                // Your mysql password
$CONFIG['dbname'] =                         'xxx';        // Your mysql database name


// MySQL TABLE NAMES PREFIX
$CONFIG['TABLE_PREFIX'] =                'xxxx';
?>

Would anyone be so kind (I know well that you are all very busy) and analyze the content of the messy config.inc.php in order to find out, what it does?

I'll continue, if I may.

Yours
lumo

[lumo]

I forgot one thing:

In the /include folder, "install.lock" was not empty. It contained the text "locked"

[lumo]

Report continued:

• Removed suspicious files from server (look above)
• replaced config.inc.php on server with "clean" version"
• replaced install.lock on server with "clean" version"
• made database update

Result: "Authenticate" screen still appears. Damn!

Then I did the following:

As I knew I had no plugins installed, but there were a lot of them (uninstalled ones) in my plugins folder (don't ask me how or when I got them ...), I decided to remove all of them.

• Removed all uninstalled plugins with the pluginmgr.php
• Tried to make changes in my config table
• Success! No more "Authenticate" window opening, config changes are accepted.

So how to continue now?

Yours
lumo

[lumo]

Note:
Also the file "themes.php" in my customized "gray satin" theme was affected. At the beginning of the file, I found some code that should not be there. I replaced the file with an original version of "themes.php". Are you interested in the code that was smuggled in? Tell me, so I could post a screenshot.

Thank you very much, Joachim!

[Joachim Müller]

No thanks, the payload is unimportant for us, as it may differ on the next attack.