Just a short summary of how I got rid of this infection so far:
- At first, block 122.70.145.151 from accessing your server; it's an IP in China that triggers the backdoor files on YOUR server every ~10 minutes to infect writable files
iptables -A INPUT -s 122.70.145.151 -j DROP
And Spudstr from YellowFiber also suggests blocking 122.64.0.0/11
iptables -A INPUT -s 122.64.0.0/11 -j DROP
- Then get rid of your Comus installations. I've simply deleted the entire /ct/ folder as I didn't use my installations anyway. That was the only solution for me as long as there's no security patch available.
- Next I've scanned my server for any INFECTED files
grep -R "function Sym1" * > list_of_infected_files
grep -R "function STy6" * > another_list_of_infected_files
These are the only two different types of insertions I've found so far on my server; it's possible that there are more out there, so please let us know if you come across new ones so everybody can search their server for the matching string snippets.
- And finally get rid of the backdoor files:
grep -R "6966202873" * > list_of_backdoor_files
The backdoor files on my server were called something like backup.php, sync.php, thumbs.php
I hope that's it so far, now it's time to tighten server security a bit more
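As an added example (not code from the original post), here is a small POSIX shell script that scans a web root for the three marker strings quoted above and lists which files contain each one, skipping binary files such as images. The marker strings come from the post; the sample directory tree the script builds is constructed for the demonstration, and the file names in it are assumed.

```shell
#!/bin/sh
# Added example, not from the original post: scan a web root for the marker
# strings quoted in the post and report which files contain them.

# Marker strings from the post: the two injected function names and the
# string found in the backdoor dropper files.
MARKERS='function Sym1
function STy6
6966202873'

# Print "marker<TAB>path" for every regular file under $1 that contains a
# marker. -F matches the string literally, -l prints only file names and
# -I skips binary files so images do not produce false hits.
scan_for_markers() {
    dir=$1
    printf '%s\n' "$MARKERS" | while IFS= read -r marker; do
        grep -RIlF -- "$marker" "$dir" 2>/dev/null | while IFS= read -r path; do
            printf '%s\t%s\n' "$marker" "$path"
        done
    done
}

# Count the distinct files flagged by scan_for_markers (a file hit by two
# markers is counted once).
count_flagged_files() {
    scan_for_markers "$1" | cut -f2- | sort -u | wc -l | tr -d ' '
}

# Build a constructed sample tree so the script can be run offline.
# Three infected PHP files, one clean file and one binary containing a
# marker string that must be ignored. Prints the root directory.
make_sample_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/images" "$root/ct"
    printf '<?php function Sym1() { /* injected */ }\n' > "$root/index.php"
    printf '<?php function STy6() { /* injected */ }\n' > "$root/ct/common.php"
    printf '<?php $x = "6966202873";\n' > "$root/sync.php"
    printf '<?php echo "clean";\n' > "$root/clean.php"
    printf '\0\0function Sym1\0' > "$root/images/logo.png"
    printf '%s\n' "$root"
}

# Stand-alone usage: scan the constructed tree and print the findings.
if [ "${SCAN_DEMO:-1}" = "1" ]; then
    demo_root=$(make_sample_tree)
    scan_for_markers "$demo_root"
    rm -rf "$demo_root"
fi
```

Run it against a real web root with `scan_for_markers /var/www` (path assumed) to get the same marker/path listing for your own server.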
