GoFuckYourself.com - Adult Webmaster Forum - View Single Post - Secure/Delete your Comus Installation, ALL HTML/PHP Files on Server infected

hjnet · 09-25-2009, 03:18 AM

Just as a short summary how I got rid of this infection sofar

-At first block 122.70.145.151 from accessing your Server, it's an IP in China that triggers the backdoor files on YOUR Server every ~ 10 Minutes to infect writable files

iptables -A INPUT -s 122.70.145.151 -j DROP

And Spudstr from YellowFiber also suggestes to block 122.64.0.0/11

iptables -A INPUT -s 122.64.0.0/11 -j DROP

- Then get rid of your Comus installations, I've simply deleted the entire /ct/ folder as I didn't use my installations anyway. That was the only solution for me as long as there's no security patch available

- Next I've scanned my Server for for any INFECTED Files

grep -R "function Sym1" * > list_of_infected_files
grep -R "function STy6" * > another_list_of_infected_files

These are the only two different types of insertions I've found sofar on my Server, might be possibble that there are more out there, please let us know if you come across new ones so everybody could search their Server for the matching string snippets.

- And finally get rid of the backdoor files:

grep -R "6966202873" * > list_of_backdoor_files

The backdoor files on my Server where called something like backup.php, sync.php, thumbs.php

I hope that's it sofar, now it's time to tighten Server Security a bit more

09-25-2009, 03:18 AM
hjnet Confirmed User Join Date: May 2002 Location: European Union Posts: 3,815	Just as a short summary how I got rid of this infection sofar -At first block 122.70.145.151 from accessing your Server, it's an IP in China that triggers the backdoor files on YOUR Server every ~ 10 Minutes to infect writable files iptables -A INPUT -s 122.70.145.151 -j DROP And Spudstr from YellowFiber also suggestes to block 122.64.0.0/11 iptables -A INPUT -s 122.64.0.0/11 -j DROP - Then get rid of your Comus installations, I've simply deleted the entire /ct/ folder as I didn't use my installations anyway. That was the only solution for me as long as there's no security patch available - Next I've scanned my Server for for any INFECTED Files *grep -R "function Sym1" > list_of_infected_files grep -R "function STy6" * > another_list_of_infected_files These are the only two different types of insertions I've found sofar on my Server, might be possibble that there are more out there, please let us know if you come across new ones so everybody could search their Server for the matching string snippets. - And finally get rid of the backdoor files: grep -R "6966202873" * > list_of_backdoor_files** The backdoor files on my Server where called something like backup.php, sync.php, thumbs.php I hope that's it sofar, now it's time to tighten Server Security a bit more Last edited by hjnet; 09-25-2009 at 03:22 AM..