My members pictures mysteriously deleted My members pictures mysteriously deleted
 

News:

CPG Release 1.6.26
Correct PHP8.2 issues with user and language managers.
Additional fixes for PHP 8.2
Correct PHP8 error with SMF 2.0 bridge.
Correct IPTC supplimental category parsing.
Download and info HERE

Main Menu

My members pictures mysteriously deleted

Started by ChristieLuv, January 22, 2010, 04:12:08 AM

Previous topic - Next topic

0 Members and 2 Guests are viewing this topic.

ChristieLuv

Hi! 2 of my members are saying their images were deleted and they themselves didn't delete them. One member had over a hundred images that were deleted. They said they were not fiddling with anything which may lead them to being deleted. All they know is one day they had images and then later they came back to find they were gone. I wasn't even at the site during the time they said they uploaded them and when they came back to find them deleted.

I changed my admin password, but I was wondering if this could be caused by anything else? It seems weird someone would hack my site just to delete images in 2 peoples albums.

One member said only the images in their first album were still there, while I'm waiting for an answer to see if the other member had the same thing happen to them. Maybe that could give a clue if both members first albums were spared.

Here is the gallery:
http://www.pixprincess.com/cg/ not safe for work edit- JB

I appreciate any help you can give!  :)

Jeff Bailey

Thinking is the hardest work there is, which is probably the reason why so few engage in it. - Henry Ford

ChristieLuv

Oh thank you! Yes the site may have adult images on there.

Also I'd like to clear up that albums were not deleted, however the images in them were. I think that may have been confusing from my first message.

Joachim Müller

You are running an outdated version on your site that contains known vulnerabilities. Due to your reluctance to upgrade you might have gotten hacked. Do as suggested in the thread "Yikes, I've been hacked! Now what?". Your theme appears to be broken as well - I can see a template error.

ChristieLuv

Thank you so much Joachim! I'll upgrade as soon as I get the chance and look at the Yikes! thread. I've been meaning to fix that template error too. *blush* I guess I could resolve the thread after I upgrade and if nothing seems to happen after that. Thanks!

:)

ChristieLuv

Oh actually my README file says a have version 1.4.25 and when I go to the download page it says the latest version is 1.4.25.

http://sourceforge.net/projects/coppermine/files/

Is there a new version inside 1.4.25?

Thanks!

Joachim Müller

You probably haven't performed a full upgrade, as part the code was showing as an older version of coppermine when I looked the last time. It doesn't hurt to perform the upgrade again. Anyway, if you got hacked, upgrading alone won't cure your issues, that's why I said you need to read the Yikes-thread and do as suggested there.

Currently, cpg1.4.25 is the most recent stable release.

ChristieLuv

Ah okay. So now I've upgraded and I'm almost finished with the Yikes! thread, I have to wait till tommorrow to be completely finished. I think I fixed the template error.

I haven't found anything that can be considered hacking code yet, but I've got to wait to see if it could be from other software I have on my site.

My 2 members told me there images also were deleted slowly over a period of 1 or 2 months. I think its weird that a human hacker would do that. If someone hacked in, why not delete all of them at once? So I think it may have been some sort of bot hacker or maybe an error in the code. I'm not sure though.

Joachim Müller

I had the impression that you had more than two members. Anyway, by reviewing the the server's log and doing a diff comparison between your old database backup and a current one you can figure out what happened.

ChristieLuv

Thank you Joachim! I'll do that as soon as I can. I do have more than 2 members hehe. Its just that we have only heard of this issue from 2 members though. I'm sending out a notice today to see if this has happened to anyone else though.

One thing I noticed, the userpics folders and files were 777. Would that probably be how the hacker did it? If it was hacked anyway.

Though the reason I had them that way was, if I set the folders to 755 people get an uploading error when they try to upload. It will say "Impossible to move." I set them that way a long time ago, that is why I just remembered.

Is there anyway to set them to 755 without getting an upload error? My web host said I needed to find a way to make them 755 because they think it is a big security hazard.

I followed the upload error instructions here:
http://coppermine-gallery.net/demo/cpg14x/docs/index.htm#upload_trouble

The debug message below is what I got. I'm not sure if I should make this a new thread, but I'm thinking it may be related to how I got hacked, so thats why I posted it here. Just let me know if I need to make a new thread.

I also made you an account like the upload error instructions said to do:

Username: coppermine
Password: coppermine123

Debug Message:
...............................................................

Selected album does not exist or you don't have permission to upload in this album

File: /hsphere/local/home/socuteanime/pixprincess.com/cg/db_input.php - Line: 299

USER:
------------------
Array
(
    [ID] => 7ee799f7ec7e3501058ec34e8caddc56
    [am] => 1
    [lang] => english
    [liv] => Array
        (
           
  • => 4934
                [1] => 6306
                [2] => 6311
                [3] => 6372
                [4] => 6312
            )

        [lap] => 3
    )

    ==========================
    USER DATA:
    ------------------
    Array
    (
        [user_id] => 1441
        [user_name] => baby22
        [groups] => Array
            (
               
  • => 2
            )

        [disk_max] => 30720
        [disk_min] => 30720
        [can_rate_pictures] => 0
        [can_send_ecards] => 0
        [ufc_max] => 0
        [ufc_min] => 0
        [custom_user_upload] => 0
        [num_file_upload] => 1
        [num_URI_upload] => 0
        [can_post_comments] => 0
        [can_upload_pictures] => 1
        [can_create_albums] => 1
        [has_admin_access] => 0
        [pub_upl_need_approval] => 0
        [priv_upl_need_approval] => 0
        [group_name] => Registered
        [upload_form_config] => 0
        [group_quota] => 30720
        [can_see_all_albums] => 0
        [group_id] => 2
    )

    ==========================
    Queries:
    ------------------
    Array
    (
       
  • => SELECT extension, mime, content, player FROM cpg14x_filetypes; (0.001s)
        [1] => select * from cpg14x_plugins order by priority asc; (0s)
        [2] => delete from `socutea_pixie`.cpg14x_sessions where time<1264546826 and remember=0; (0.017s)
        [3] => delete from `socutea_pixie`.cpg14x_sessions where time<1263340826; (0.011s)
        [4] => select user_id from `socutea_pixie`.cpg14x_sessions where session_id = 'b343f262e97e1fa579872c941debd7b6' (0.001s)
        [5] => select user_id as id, user_password as password from `socutea_pixie`.cpg14x_users where user_id=1441 (0.001s)
        [6] => SELECT u.user_id AS id, u.user_name AS username, u.user_password AS password, u.user_group+100 AS group_id FROM `socutea_pixie`.cpg14x_users AS u INNER JOIN `socutea_pixie`.cpg14x_usergroups AS g ON u.user_group=g.group_id WHERE u.user_id='1441' (0.004s)
        [7] => SELECT user_group_list FROM `socutea_pixie`.cpg14x_users AS u WHERE user_id='1441' and user_group_list <> ''; (0.002s)
        [8] => SELECT MAX(group_quota) as disk_max, MIN(group_quota) as disk_min, MAX(can_rate_pictures) as can_rate_pictures, MAX(can_send_ecards) as can_send_ecards, MAX(upload_form_config) as ufc_max, MIN(upload_form_config) as ufc_min, MAX(custom_user_upload) as custom_user_upload, MAX(num_file_upload) as num_file_upload, MAX(num_URI_upload) as num_URI_upload, MAX(can_post_comments) as can_post_comments, MAX(can_upload_pictures) as can_upload_pictures, MAX(can_create_albums) as can_create_albums, MAX(has_admin_access) as has_admin_access, MIN(pub_upl_need_approval) as pub_upl_need_approval, MIN( priv_upl_need_approval) as  priv_upl_need_approval FROM cpg14x_usergroups WHERE group_id in (2) (0.003s)
        [9] => SELECT group_name FROM  cpg14x_usergroups WHERE group_id= 2 (0s)
        [10] => update `socutea_pixie`.cpg14x_sessions set time='1264550426' where session_id = 'b343f262e97e1fa579872c941debd7b6' (0s)
        [11] => SELECT user_favpics FROM cpg14x_favpics WHERE user_id = 1441 (0.005s)
        [12] => DELETE FROM cpg14x_banned WHERE expiry < '2010-01-26 18:00:26' (0.004s)
        [13] => SELECT * FROM cpg14x_banned WHERE (ip_addr='76.186.111.89' OR ip_addr='76.186.111.89' OR user_id=1441) AND brute_force=0 (0.001s)
        [14] => SELECT aid FROM cpg14x_albums WHERE visibility != '0' AND visibility !='11441' AND visibility NOT IN (2) (0.001s)
        [15] => SELECT category FROM cpg14x_albums WHERE aid='0' and (uploads = 'YES' OR category = '11441') (0.037s)
    )

    ==========================
    GET :
    ------------------
    Array
    (
    )

    ==========================
    POST :
    ------------------
    Array
    (
        [album] =>
        [MAX_FILE_SIZE] => 1048576
        [title] => My Title
        [caption] => Here is the description
        [keywords] => These are my keywords
        [event] => picture
    )

    ==========================
    Page generated in 0.191 seconds - 16 queries in 0.088 seconds - Album set : AND aid NOT IN (22,28,89,116,224,239,241,647,257,314,431,435,455,656,525,590,607,610,617,653,672) ; Meta set: ;

Joachim Müller

Quote from: ChristieLuv on January 27, 2010, 02:18:09 AMIts just that we have only heard of this issue from 2 members though.
And you don't consider the possibility that your users did something wrong or made a mistake and just think that data was lost? If a hacker would have managed to delete a file, the records would still be in the database and result in broken thumbnails.

Quote from: ChristieLuv on January 27, 2010, 02:18:09 AMOne thing I noticed, the userpics folders and files were 777. Would that probably be how the hacker did it? If it was hacked anyway.

Though the reason I had them that way was, if I set the folders to 755 people get an uploading error when they try to upload. It will say "Impossible to move." I set them that way a long time ago, that is why I just remembered.

Is there anyway to set them to 755 without getting an upload error? My web host said I needed to find a way to make them 755 because they think it is a big security hazard.
Not really. Read up Why chmod 777 is NOT a security risk

Quote from: ChristieLuv on January 27, 2010, 02:18:09 AMI followed the upload error instructions
No, you did not:
Quote from: http://coppermine-gallery.net/demo/cpg14x/docs/index.htm#upload_trouble
  • Set the upload form configuration for all groups to "Single file uploads only"
    • set File upload boxes to "1" (1)
    • set URI upload boxes to "0" (2)
    • set No. of boxes to "fixed" (3)
Quote from: http://coppermine-gallery.net/demo/cpg14x/docs/index.htm#upload_supportDo not post debug_output unless requested.
In fact you did the opposite: you posted debug output although we don't want you to do that and you haven't set the number of file upload fields to 1 - they are set to 7. Anyway, your issue doesn't appear to be uploads - you said that uploads work as expected, so why do you bother in the first place.

I already told you what you should do:
Quote from: Joachim Müller on January 26, 2010, 07:29:38 AMby reviewing the the server's log and doing a diff comparison between your old database backup and a current one you can figure out what happened.
Don't do other, unrelated things (like writting a message to your users). Do as I suggested.

ChristieLuv

Oh sorry about that! >.< Well I checked the logs for my website, however I couldn't find user activity logs. They were just logs on hit statistics, which didn't show individual pages the visitors went to either. I compared databases from different dates, though they were a week a part, it does show the users had less pictures than they had before.

Yes this could be something that the individual users did. I thought it was kind of weird that 2 different people reported the same thing at the same time. The point that they would have broken thumbnails if the pictures were deleted from the folder is a good point. Thank you!

I think I'll just wait to see if anyone else reports this.

I'll also show the 777 link to my web host, thank you for that link!

I think I'll resolve the thread if no one else reports this after a while.

Joachim Müller

Quote from: ChristieLuv on January 28, 2010, 09:33:39 PMWell I checked the logs for my website, however I couldn't find user activity logs.
You probably don't have access to the server's logs out of the box. Usually, you will have to ask your webhost to see them (or part of it). This isn't something in coppermine (coppermine doesn't log intensively enough for that purpose), but on webserver level.

ChristieLuv

Okay, thank you so much for your help! ^_^ I'll ask my web host and see what I can do.