Need a Fresh Copy of CPG 1.6.07

Started by nowordneeded, December 09, 2019, 07:25:44 PM


nowordneeded

I had another hacking on my site(s) and need a fresh copy of the above version. I'm running the current stable version of 1.6.07 on http://winston-duke.com where the hacking has happened....AGAIN!!!

Is this available?
Sometimes my musings are too confusing for someone not inside my head.

ron4mac

You can just run the cpg_installer_stub again.

ron4mac

#2
Quote from: nowordneeded on December 09, 2019, 07:25:44 PM
hacking has happened....AGAIN!!!

See my post here regarding the file_check plugin and site hacking.

It is likely the Wordpress part of your site that is the point of attack. You need to get the Wordpress security issues fixed.

nowordneeded

Ron:

I've used the checkfile plugin. It's detected only a few corrupted/hacked files. What I want to do is to delete all copies of the installation and install a clean copy within the gallery directory. That will solve anything regarding those files where the injection has happened inside, say, the index.php or config files. The checkfile picks up only those extra files inside directories with file names like pxfwrs, but not the direct editing of the <? php> code inside actual files. Those you have to go through individually if you don't have a malware scanner doing it through Wordpress.
Sometimes my musings are too confusing for someone not inside my head.

nowordneeded

Ron:

Further as to the cpg installer stub, it doesn't overwrite. I've still found injections inside files not caught. Again the Wordpress malware scanner is the only thing that can tell you which files are hacked and only then can you delete the files directly, or edit them. Having a clean actual copy of cpg1.6.07 will help in that I can directly delete the entire set of files from the old installation and begin again with the new. The only way I could do it is to delete the 1.6.07 files, ftp the files from 1.6.06 and then upgrade, but I think that would do wonky stuff to the database.
Sometimes my musings are too confusing for someone not inside my head.

nowordneeded

Ron:

Further again. I've got two accounts on different hosts. One has a Cpanel with a scanner inside the cpanel where you can run frequent scans on your own sites. The other just has a dashboard without all the tools needed to keep your site(s) clean and functioning well. The gallery and sites I posted about here are on the dashboard host. The others I have are on the Cpanel host. And yes, the Wordpress part is the issue. I had virus protection and firewall on those sites and they were still hacked. The others on the other host with the Cpanel haven't been touched and this hacking has happened twice since I signed up to the other host with the Cpanel. The same plugins and other files are on the Cpanel account as on the dashboard account. I wrote to the Cpanel account people and they said the other one is not able to protect, therefore I'll keep having these issues. Problem is most of my domains are there and I can't afford to move them to my Namecheap account for safe keeping. I'll have to move them as each one comes due for renewal. This I'm doing as they come up.
Sometimes my musings are too confusing for someone not inside my head.

ron4mac

#6
As long as there is nothing wrong with file permissions, the installer stub does overwrite files. But if you need a full copy you can find it here.

The site/file scanner I use will check for file changes or file additions. I wrote it with MD5 checking capability but I never use that. It has been sufficient to check file sizes for any changes. Site hacking usually takes place over a number of days. Scanning daily will catch a hack before it has time to fully develop. I'll attach the PHP script I use.

Basic operation is run the file and create the tracker snapshot. Subsequently, run the file to perform a check. It can be run from a cron job daily and email results.

Let me know if you need help using it.

nowordneeded

Ron:

Thank you for the fresh copy. That will help me out greatly.

As for your scanner, I'll take anything that will help keep these sites on the one host clean. I'm tired of having to do this every two or three months, which is what it's been. So serve it up.

Thanks.

Sometimes my musings are too confusing for someone not inside my head.

nowordneeded

Ron:

Could you tell me how to use the trackercron you provided?


Thanks.
Sometimes my musings are too confusing for someone not inside my head.

phill104

In addition to Ron4mac's suggestions there are a few other things you can do.

First is to install a tool such as maldet https://www.google.co.uk/search?source=hp&ei=4H_vXYykFI3hUsiiv5AL&q=linux+maldet&oq=linux+malde&gs_l=mobile-gws-wiz-hp.1.0.0j0i22i30l4j33i160.1781.6923..8627...2.0..0.104.811.12j1......0....1.......0..0i131j46i131j46j0i22i10i30.0lCOoRzJ7eg on your system. You will need command line access but with it you can do a scan and hopefully pick up what is going on. It really looks like the Wordpress side, but once you have a hack in there it can be a dog to track down and gives the full behaviour you are seeing. The reason it is repeating over and again is there will be files you have missed. The hackers are very clever at hiding their crap. Shame really as some are very talented people who could make a very good and honest living from their skills.

If you cannot run maldet, try downloading a copy of your entire site to your local machine and running virus and malware scans on there. Often you can find iffy files that way.

Once you have located all the hacked files be sure to change all your passwords including your database credentials.

We've all been there and experienced similar things to you. I've had Wordpress and Joomla sites hit in the past and it was no fun finding the issues at 2am after a long day at work.
It is a mistake to think you can solve any major problems just with potatoes.

ron4mac

Quote from: nowordneeded on December 09, 2019, 11:16:25 PM
Could you tell me how to use the trackercron you provided?

Put the file (as a .php file) in the root of your site. Run the script from a web browser. It will display the names of directories; the top one being the directory just below the document root. Select that directory and click on the Create Track Profile button. That directory should now have a checkmark next to it, indicating that there is a profile for it. Usage now is to select a profiled directory and click Check to verify that files haven't changed and there have been no added files. You would have to run it manually on a regular basis. If run as a cron job, you can have results emailed to you (see the top of the php file for more info).

Using this method on my Joomla sites has saved me from a couple hacking attempts. When an unexpected change was detected, I was able to undo the changes made. Then, scouring through the access logs, looking for suspiciously large gets/posts, I was able to determine what Joomla extension was being targeted. The same is true with Wordpress - a mod/plugin with a known vulnerability is targeted. As long as that mod/plugin is continued to be used (as is), the hacking will recur.

nowordneeded

Phill:

I will try that method. What do you mean by "shell access"? Is that access to my computer or to the server my site is on? One thing I should tell you on the one host that keeps getting hacked, they don't have a CPanel. It's a simple dashboard. I'll include a screenshot so you know what I'm talking about. I've talked to other webmasters who run sites similar to mine and they've said their sites are on hosts with Cpanels. I'm thinking the Cpanel hosts are more secure as I've not had an issue on that host since I signed up six months ago. I've had nothing but trouble from the host with the dashboard. This is about the thousandth time I've been hacked in the last three years. Exaggerated I know, but true. I seem to get things cleaned up then breathe a sigh but then no more than about a month or two later, I'm back into cleaning them up again.

As for downloading my entire site and scanning, I've done that with Malwarebytes and my Bitdefender. The sites when I've reuploaded them have been spotless. Nothing wrong because I've used clean copies of Wordpress and Coppermine. I've also used clean plugins from the Wordpress plugin installation screen. Using the file_check Ron gave me, I've been able to make sure there is nothing in my albums file. That has been my only concern, that and the uploads directory of Wordpress. But then I've gone through manually and visually checked all directories within the uploads folder including any of the folders I've created. After I make sure all the important stuff is saved, I check my databases for anything that looks a little suspicious. I then delete the sites and start from scratch. The webhost I'm having the issues with suggested that, and I told them that's what I do. Yet I'm getting hacked again. They're blaming it on me and not their shoddy dashboard. They got bitchy when I told them while I've been with the other hosting company nothing has happened. So at this point I'm not sure what I can do other than what I've done in the past.

NWN
Sometimes my musings are too confusing for someone not inside my head.

nowordneeded

Quote from: ron4mac on December 10, 2019, 01:45:50 PM
Put the file (as a .php file) in the root of your site. Run the script from a web browser. It will display the names of directories; the top one being the directory just below the document root. Select that directory and click on the Create Track Profile button. That directory should now have a checkmark next to it, indicating that there is a profile for it. Usage now is to select a profiled directory and click Check to verify that files haven't changed and there have been no added files. You would have to run it manually on a regular basis. If run as a cron job, you can have results emailed to you (see the top of the php file for more info).

Using this method on my Joomla sites has saved me from a couple hacking attempts. When an unexpected change was detected, I was able to undo the changes made. Then, scouring through the access logs, looking for suspiciously large gets/posts, I was able to determine what Joomla extension was being targeted. The same is true with Wordpress - a mod/plugin with a known vulnerability is targeted. As long as that mod/plugin is continued to be used (as is), the hacking will recur.

Okay Ron. I uploaded it to the root directory of this site: http://winston-duke.com and did as you said to get started and I received this error:


Warning: file_put_contents(../winston-duke.com.trackc): failed to open stream: Permission denied in /winston-duke.com/trackercron.php on line 62
Track file created for ../winston-duke.com

Checking the file line 62 has this:

file_put_contents($tdir.$trkext, json_encode($tracks, JSON_PRETTY_PRINT+JSON_UNESCAPED_SLASHES));

Basically there was an error. Not sure what happened there. But I did as you said.

NWN
Sometimes my musings are too confusing for someone not inside my head.

nowordneeded

One more thing Phill. I've done numerous scans of the site via a ton of malware/virus scanners via Wordpress. The one I've most recently used is pretty good and it's MalCure. It catches everything. So I know what files I need to look at in terms of the ones I want to keep. It will also scan Coppermine. I was able to get my Winston Duke site cleaned and am just downloading the albums in Coppermine and the uploads and other directories I need to keep before I delete the entire site and start from scratch.....again!!!
Sometimes my musings are too confusing for someone not inside my head.

phill104

By shell access I mean the command line. You appear to have that, SSH accounts seem available. SSH = Secure Shell.

The tool I mentioned is a command line tool that does a virus scan. You can get it to run via a cron job and email the results or you can run it manually and check the results.

The tool Ron gave you looks great in that it can help identify the entry point. You probably cannot blame the hosting here, it is most likely a poorly written Wordpress plugin, or a file that is allowing entry, previously uploaded, that the virus check tools are not picking up. As Ron says, his tool will detail the time the hack attempt starts and from there you can look at the server's logs to determine the initiator. It is a challenging task though; it may be worth your time to pay a Linux expert to work on this for you. There are a lot of tools built into Linux that can make tracking down issues such as this easier, but you need to know your way around them.
It is a mistake to think you can solve any major problems just with potatoes.

ron4mac

Quote from: nowordneeded on December 10, 2019, 07:27:17 PM
Basically there was an error. Not sure what happened there. But I did as you said.

I modified the script (above) to, hopefully, work okay on the document root of a server restricted such as yours.
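Ron's attached PHP tracker is not reproduced in this thread. The following is an added Python reimplementation of the idea he describes (a snapshot of file sizes, with MD5 as an option, then a check for changed, added or removed files), not Ron's script or Coppermine code. It writes the profile inside the tracked directory rather than its parent, which is what the "Permission denied" error above ran into. The `.trackc` suffix is borrowed from the error message; `demo()` and its sample tree are constructed for illustration.

```python
import hashlib
import json
import tempfile
from pathlib import Path

TRACK_EXT = ".trackc"  # assumed suffix, after the ".trackc" file name seen in the thread

def snapshot(root, use_md5=False):
    """Record the size (and optionally the MD5) of every regular file under root."""
    root, tracks = Path(root), {}
    for p in root.rglob("*"):
        if not p.is_file():
            continue
        rec = {"size": p.stat().st_size}
        if use_md5:  # size-only tracking misses same-size edits; MD5 catches them
            rec["md5"] = hashlib.md5(p.read_bytes()).hexdigest()
        tracks[str(p.relative_to(root))] = rec
    return tracks

def track_file(root):
    return Path(root) / (Path(root).name + TRACK_EXT)  # inside the tree, not its parent

def create_profile(root, use_md5=False):
    """Take the snapshot and store it as the directory's track profile."""
    tracks = snapshot(root, use_md5)
    tracks.pop(track_file(root).name, None)  # never track the profile itself
    track_file(root).write_text(json.dumps(tracks, indent=2))
    return tracks

def check(root, use_md5=False):
    """Compare the current tree with the stored profile; report added/removed/changed."""
    old = json.loads(track_file(root).read_text())
    now = snapshot(root, use_md5)
    now.pop(track_file(root).name, None)
    added = sorted(set(now) - set(old))
    removed = sorted(set(old) - set(now))
    changed = sorted(f for f in old if f in now and old[f] != now[f])
    return {"added": added, "removed": removed, "changed": changed}

def demo():
    # constructed sample tree: after profiling, one file is edited, one planted, one deleted
    with tempfile.TemporaryDirectory() as tmp:
        site = Path(tmp) / "site"
        (site / "gallery").mkdir(parents=True)
        (site / "index.php").write_text("<?php echo 'hi';\n")
        (site / "gallery" / "config.php").write_text("<?php $x = 1;\n")
        create_profile(site)
        (site / "index.php").write_text("<?php echo 'hi'; /* injected */\n")
        (site / "gallery" / "pxfwrs.php").write_text("<?php\n")  # planted extra file
        (site / "gallery" / "config.php").unlink()
        return check(site)
```

Run `create_profile` once on a known-clean tree and `check` from a daily cron job; a non-empty result is the signal to compare against a clean copy and to start reading the access logs for that time window.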