View Single Post
Old 09-25-2009, 03:18 AM  
hjnet
Confirmed User
 
Join Date: May 2002
Location: European Union
Posts: 3,815
Just as a short summary how I got rid of this infection sofar

-At first block 122.70.145.151 from accessing your Server, it's an IP in China that triggers the backdoor files on YOUR Server every ~ 10 Minutes to infect writable files

iptables -A INPUT -s 122.70.145.151 -j DROP

And Spudstr from YellowFiber also suggestes to block 122.64.0.0/11

iptables -A INPUT -s 122.64.0.0/11 -j DROP


- Then get rid of your Comus installations, I've simply deleted the entire /ct/ folder as I didn't use my installations anyway. That was the only solution for me as long as there's no security patch available


- Next I've scanned my Server for for any INFECTED Files

grep -R "function Sym1" * > list_of_infected_files
grep -R "function STy6" * > another_list_of_infected_files

These are the only two different types of insertions I've found sofar on my Server, might be possibble that there are more out there, please let us know if you come across new ones so everybody could search their Server for the matching string snippets.


- And finally get rid of the backdoor files:

grep -R "6966202873" * > list_of_backdoor_files

The backdoor files on my Server where called something like backup.php, sync.php, thumbs.php


I hope that's it sofar, now it's time to tighten Server Security a bit more

Last edited by hjnet; 09-25-2009 at 03:22 AM..
hjnet is offline   Share thread on Digg Share thread on Twitter Share thread on Reddit Share thread on Facebook Reply With Quote