compromised script, coppermine "gallery"

**thisisit3** · 11-09-2007, 06:05 PM

Today i noticed a large number of outgoing emails, along with high memory usage by exim.

Further investigation showed one of my clients was sending too many emails and most of them were bouncing back. The destination addresses seemed bogus or weird, like "dghd.com" domains which looked like they were made up randomly.

I looked at those emails waiting in the queue and they all contained XXX related stuff, so it was obvious the account of this particular client was vulnerable and was being used to send spam. I quickly suspended the account and contacted the responsible person by phone.

Interestingly, suexec along with open_basedir and the other protections prevented any further access to the server. Also, the attacker didn't manage to upload any custom scripts, like a remote control script.

Detailed investigation shows that the Coppermine gallery is rather popular and full of remote exploitable bugs. One of those bugs allows a remote person to use the PHPMailer script within the gallery to send spam. The script itself is so badly written that it makes me wonder if the authors made it like that on purpose, not a single check exists in the script to prevent remote access.

Anyway, all is ok now, the account is suspended and my client is looking for an alternative system to use in place of Coppermine.

**Vin DSL** · 11-09-2007, 10:00 PM

Originally Posted by thisisit3

Anyway, all is ok now, the account is suspended and my client is looking for an alternative system to use in place of Coppermine.

That's great! Nice going...

I rewrote Coppermine 1.1D. If your client would like a copy, or some pointers, let me know. Hasn't been hacked yet!

For my efforts, Coppermine Photo Gallery asked me to be on their official Dev Team (later threatened to sue me if I didn't take 1.1D out of my downloads) but I wasn't asnwering mails back then - and I was on the CPG-Nuke Team at the time (now CPG Dragonfly™ CMS) but I didn't have time for them either, and we parted company.

Anyway, there's nothing wrong with CPG that can't be fixed! I'm surprised you don't have a How-To...

**thisisit3** · 11-10-2007, 02:40 AM

how-to... heh

i can't maintain every buggy software out there, i've got a real life.

i'll take a look at your custom version.

**wgiese** · 11-10-2007, 10:41 AM

Originally Posted by thisisit3

i can't maintain every buggy software out there...

I'm not suggesting one ignore code with known exploits, but why not run mod_security?

Configured correctly, it snacks on all the common PHP exploits. Combine it with a custom fail2ban rule, and you can drop the attacker dynamically as well.