#1 | |
Confirmed User
Join Date: Sep 2003
Posts: 2,255
|
Some of my sites that are using TGPX, TEVS and Comus Thumbs are getting malware injection attacks. One of my dedicated servers got hit by a malware distributor.
The code below is injected right after the body tag of html, tmpl and some php files. Quote:
But they are constantly adding this JS code even if I removed it... Since the box is unmanaged, maybe I will have to reload the server OS and restore all files from backup, but I'm worried that the backup is infected as well.
Beware guys, check your server security, file/dir permissions etc. Also, your PC is not safe either. Install a good anti-malware and don't save passwords in your local FTP client. http://www.webhostingtalk.com/showth...rame+injection
__________________
254-282-542 |
|
#2 |
Confirmed User
Join Date: Aug 2008
Posts: 1,609
|
Change your index page, delete the page having that code, then change all your access.
__________________
LUSTY LIFES : Dad & Daughter Wild Adventures : Naughty Wild Sister Contact : ICQ : 372109 Email add: [email protected] |
#3 |
Confirmed User
Industry Role:
Join Date: Jun 2003
Location: cyberspace
Posts: 8,019
|
Is it this one?
forums.digitalpoint.com/showthread.php?t=901622 |
#4 |
Confirmed User
Industry Role:
Join Date: Aug 2006
Location: Poland
Posts: 9,228
|
This is usually caused by a virus on your computer. Have your host check FTP logs, and I bet you will have a bunch of unknown logins. These viruses append this code to any file named index.php, index.html etc.
__________________
Mechanical Bunny Media Mechbunny Tube Script | Mechbunny Webcam Aggregator Script | Custom Web Development |
#5 |
So Fucking Banned
Join Date: Nov 2005
Posts: 1,515
|
I am amazed how many webhosts have easy-to-hack FTP logins ...
|
#6 |
Confirmed User
Join Date: Jun 2009
Location: Asheville, NC
Posts: 2,277
|
If it's not caused by your own computer it may also be caused by something on your site...
If you have photo uploads... it's possible someone has uploaded a fake image that is actually running code... You may also have your permissions set wrong on the files on your server, allowing someone to exploit your box and add things to the content...
__________________
ICQ: 258-202-811 | Email: eric{at}bestxxxporn.com |
#7 | |
Confirmed User
Join Date: Jul 2006
Location: NoHo
Posts: 5,970
|
Quote:
Good luck getting that code outta ur sites 2 ...
__________________
ICQ: 266990876
|
|
#8 |
Too lazy to set a custom title
Industry Role:
Join Date: Oct 2002
Location: Punta Cana, DR
Posts: 29,585
|
Maybe you should replace "webhosts" with "webmasters".
__________________
I know that Asspimple is stoopid ... As he says, it is a FACT ! But I can't figure out how he can breathe or type , at the same time .... |
#9 |
Confirmed User
Industry Role:
Join Date: Apr 2006
Location: Germany
Posts: 4,323
|
Do yourself a favor and find the security hole before you fix the site.
You need to find how they got in (assuming they hacked your server).
__________________
--- ICQ 14-76-98 <-- I don't use this at all |
#10 |
Too lazy to set a custom title
Industry Role:
Join Date: Sep 2005
Location: Springfield
Posts: 13,826
|
Here's my guide:
step 1: update your Adobe Reader to the latest version (9.xx) or, even better, remove it and install Foxit Reader (much smaller and faster).
step 2: update Flash Player plugins for IE and FF
step 3: download 2-3 anti-spyware programs and check your computer
step 4: once you are clean, log in and change all your passwords and fix the sites.
step 5: monitor what's going on...
- - - - extra steps
* Download and use Total Commander 7.5, which has a password encryption option that makes your passwords safe (I haven't found this in any other software, and that's the weakest point of most FTP clients)
* always have anti-virus, firewall and anti-spyware apps active (I use Nod32 Smart Security AV+FW + AdAware)
* use only Firefox and Chrome instead of IE
All the mentioned software can be found and downloaded at http://www.filehorse.com
__________________
Make a bank with Chaturbate - the best selling webcam program Ads that can't be block with AdBlockers !!! /// Best paying popup program (Bitcoin payouts) !!! PHP, MySql, Smarty, CodeIgniter, Laravel, WordPress, NATS... fixing stuff, server migrations & optimizations... My ICQ: 27429884 | Email: |
#11 |
Confirmed User
Join Date: Aug 2002
Location: UK
Posts: 3,198
|
Dude, it's a Comus Thumbs issue as far as I'm aware. I'm currently deleting all my Comus installs (over 40) and replacing the script with a new one, as I was hit with this hack 3 days ago and am still fixing it.
I have used Comus for over 5 years and these hacks are all too regular these days. They never update Comus and it's going to the shit, so I would delete it and rebuild the site with a new script. My 2 cents
__________________
Take it Easy !!! |
#12 |
So Fucking Banned
Join Date: Nov 2005
Posts: 1,515
|
|
#13 |
Registered User
Join Date: Jan 2008
Location: wenatchee WA
Posts: 75
|
Were you using FileZilla to upload? I know a while back there was a problem with that program letting a virus in to change your .php files.
__________________
You can contact me via the following: AIM - playazdb0y ICQ - 459454282 Email - [email protected] |
#14 |
Confirmed User
Join Date: Jan 2005
Posts: 2,270
|
Okay, a few things here:
What scripts are you running on your server? Are you running Joomla? What are the directory permissions of your PHP files? Hit me up on AIM or ICQ if your host isn't going to fix it for you, as I hate people that hack sites more than anything on the face of the damn planet.
__________________
E-mail marketing - Automation Scripting - IP Space AIM: splitjoelp ICQ: 254759453 skype - splitjoelp 702-941-6465 |
#15 |
Confirmed User
Join Date: Sep 2003
Posts: 2,255
|
Not sure but looks like it.
__________________
254-282-542 |
#16 |
Confirmed User
Join Date: Sep 2003
Posts: 2,255
|
When the script is executed (I visited an infected site accidentally yesterday, I guess) it loaded malware disguised as a .pdf or .swf file that steals username/password data from the PC.
The malware is hosted at another infected site, loaded via an iframe and then executed in the browser. Now the hacker got my site's login and infected my sites too. I don't know how he connected to my box though. I guess he's using a remote script that doesn't leave log info. Even if I remove the malware from my PC and change the FTP password, the hacker can get my new password easily, since I had to load my sites to check. So it is very important to never load the sites during troubleshooting.
This is what I did, and it seems like the code is finally gone, but I'm still monitoring.
1. reboot PC and scan it for spyware.
2. reboot again and change all server passwords.
3. remove the code from all server files (index.html, category.html, index.php, etc.) with a server-side text editor.
4. Never load infected webpages in a browser during #3.
5. install mod_security and change file permissions.
This thing reminds me of BackOrifice in '98. It's the most annoying fuckware I've ever had. It passed McAfee. Remember to use a good antivirus on your PC. I had good results with Malwarebytes.org. Thanks for the advice.
__________________
254-282-542 |
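For step 3 of the cleanup above, a read-only sweep can list which html, tmpl and php files have a script or iframe element directly after the body tag, without opening anything in a browser. This is an added example, not code from the thread; the regex, the demo tree and the `injected.example` host are constructed assumptions, and a hit is a candidate for review since a legitimate template can also place a script there.

```python
import os
import re
import tempfile

# File types the thread reports as modified by the injection.
TARGET_EXTS = {".html", ".htm", ".tmpl", ".php"}

# An opening <body ...> tag followed, after optional whitespace, by <script> or <iframe>.
BODY_INJECT = re.compile(rb"<body\b[^>]*>\s*(<(?:script|iframe)\b[^>]*>)", re.IGNORECASE)


def find_body_injections(root):
    """Return sorted (relative_path, first_tag) pairs for files that have a script
    or iframe element directly after <body>. Files are read as bytes, never rendered."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() not in TARGET_EXTS:
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    data = fh.read()
            except OSError:
                continue  # unreadable file: skip it, do not abort the sweep
            match = BODY_INJECT.search(data)
            if match:
                tag = match.group(1)[:120].decode("latin-1")
                hits.append((os.path.relpath(path, root), tag))
    return sorted(hits)


def build_demo_tree():
    """Create a throwaway web root with constructed sample files (not from the thread)."""
    root = tempfile.mkdtemp(prefix="webroot-demo-")
    samples = {
        "index.html": b'<html><body>\n<script src="http://injected.example/a.js"></script><h1>Hi</h1></body></html>',
        "category.html": b"<html><body><h1>Clean page</h1></body></html>",
        "tpl/main.tmpl": b'<BODY bgcolor="#fff"><iframe src="http://injected.example/" width=1 height=1></iframe>',
        "notes.txt": b"<body><script>ignored: not a served template type</script>",
    }
    for rel, content in samples.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    for rel, tag in find_body_injections(build_demo_tree()):
        print(f"{rel}: {tag}")
```

Comparing each hit against a known-good copy of the template separates injected tags from ones the site put there itself.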
#17 | |
Totally Borked
Industry Role:
Join Date: Feb 2005
Posts: 6,284
|
and another reason to not use ftp, but sftp....
Quote:
__________________
For coding work - hit me up on andy // borkedcoder // com (consider figuring out the email as test #1) All models are wrong, but some are useful. George E.P. Box. p202 |
|
#18 | |
Confirmed User
Join Date: Sep 2003
Posts: 2,255
|
Quote:
Yep. Looks like Comus is gonna be dead soon. Lots of security holes and no updates. Also going to drop it ASAP.
__________________
254-282-542 |
|
#19 | |
Confirmed User
Join Date: Sep 2003
Posts: 2,255
|
Quote:
Most are 644; data/templates dirs and files were set to 777. I changed lots of files to 444 for monitoring. Will contact you if I get codes again. Thanks!
__________________
254-282-542 |
|
#20 |
Confirmed User
Industry Role:
Join Date: Jan 2003
Location: In a Tater Patch
Posts: 2,321
|
This exploit is going around, and from watching the audit logs and investigating it seems Comus is the problem. Even if a server has Comus installed, unless it is set up with 1 domain per login etc., due to permissions (i.e. having 777 on things you should not) it will infect a whole mess of files and leave backdoors everywhere.
__________________
Managed Hosting - Colocation - Network Services Yellow Fiber Networks icq: 19876563 |
#21 |
Industry Role:
Join Date: Aug 2006
Location: Little Vienna
Posts: 32,235
|
Welcome to the club, my one old unsecured machine is also hacked with exactly the same crap. I'm working now on removing it. And yes, I do have several Comus installations there. But I don't see how a Comus bug can affect all possible sites, no matter whether they are based on st, tgpx or something else (and I have all three rotator scripts installed).
|
#22 |
Confirmed User
Join Date: Aug 2004
Posts: 151
|
Yep, my Comus sites have been hacked too for the last couple of days....fucking me off thinking how many will not return cos of warnings thrown up by their anti virus....already had an email from Google saying they have tagged my highest traffic site with a "this site could harm your computer" in their search pages...just waiting for more emails from them for my other Comus sites!
#23 | |
Industry Role:
Join Date: Aug 2006
Location: Little Vienna
Posts: 32,235
|
Quote:
|
|
#24 | |
Confirmed User
Industry Role:
Join Date: Jan 2003
Location: In a Tater Patch
Posts: 2,321
|
Quote:
__________________
Managed Hosting - Colocation - Network Services Yellow Fiber Networks icq: 19876563 |
|
#25 |
Industry Role:
Join Date: Aug 2006
Location: Little Vienna
Posts: 32,235
|
|
#26 |
Confirmed User
Join Date: Aug 2004
Posts: 151
|
Thing is, I don't see any malicious code in view source...just the anti virus pop up warning...after a refresh I don't get any warnings at all...
|
#27 |
So Fucking Banned
Join Date: Aug 2009
Posts: 3,164
|
look at all the morons in here
|
#28 |
Confirmed User
Join Date: Aug 2004
Posts: 151
|
Here's a quote from my hosts when I told them not to bother scanning my sites as it looks like a Comus issue...
"Yes, Comus Thumbs has been causing a lot of issues lately" |
#29 |
Industry Role:
Join Date: Aug 2006
Location: Little Vienna
Posts: 32,235
|
OK, so we concluded Comus is the cause of this? So I can start removing it.
|
#30 |
Confirmed User
Join Date: Aug 2004
Posts: 151
|
|
#31 |
Confirmed User
Industry Role:
Join Date: Jun 2003
Location: cyberspace
Posts: 8,019
|
|
#32 |
Confirmed User
Join Date: Jun 2009
Location: Asheville, NC
Posts: 2,277
|
"But in addition to running an Apache webserver to dish up benign content, they've also been hacked to run a second webserver known as nginx, which serves malware."
Hahhahaha not only does it serve up malware, it serves up malware faster and more efficiently, hhahahah man that really cracks me up in a very geeky way, hahhhaha
__________________
ICQ: 258-202-811 | Email: eric{at}bestxxxporn.com |
#33 | |
Confirmed User
Industry Role:
Join Date: Jun 2003
Location: cyberspace
Posts: 8,019
|
Quote:
The infection did not even take place on any of my office PCs, but in the office a few blocks down the street where the designers and programmers have their office. One guy there had an infected PC that had FTP access to one of my servers. Not sure if they use Comus or not, but I don't think so. Infection takes place through infected adult websites in all popular browsers without anti-virus programs seeing it. Hidden custom-built (FTP) logs show somebody using my FTP user/pass without brute force entering and adding some files and making some changes similar to all infected victims. |
|
#34 |
Confirmed User
Join Date: Jun 2009
Location: Asheville, NC
Posts: 2,277
|
Setting to 644 alone won't help you... What is the owner and group of the file? If it's set to the same as the webserver runs as then any exploit which is passing through your webserver will have full access to the file...
If someone has already hacked your box you have way more issues to worry about... First things first: http://www.rootkit.nl/projects/rootkit_hunter.html Download it, install it, run it, then you can rule out most root kits and learn if your box has been compromised or not... If it has, you know the problem... if it hasn't then you can move onto the next step. GL!
__________________
ICQ: 258-202-811 | Email: eric{at}bestxxxporn.com |
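The ownership point above can be checked across a whole web root. The following is an added example, not code from the thread: it reports every entry the web server account could modify, and it flags files owned by that account even at 444 because an owner can always chmod its own files. The function names, the demo tree and the uid values are assumptions made for illustration.

```python
import os
import stat
import tempfile


def web_user_risk(mode, uid, gid, web_uid, web_gids=()):
    """Return why the web server account could modify a file, or None.

    POSIX applies exactly one permission class: owner if the uid matches,
    else group if the gid matches, else other."""
    if uid == web_uid:
        # The owner can always chmod, so even 444 does not protect the file.
        return "owned by web user"
    if gid in web_gids:
        return "group-writable by web group" if mode & stat.S_IWGRP else None
    return "world-writable" if mode & stat.S_IWOTH else None


def audit_webroot(root, web_uid, web_gids=()):
    """Walk root and return sorted (relative_path, octal_mode, reason) findings."""
    findings = []
    for dirpath, dirs, files in os.walk(root):
        for name in dirs + files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue  # a link's own mode is meaningless; its target is audited itself
            reason = web_user_risk(st.st_mode, st.st_uid, st.st_gid, web_uid, web_gids)
            if reason:
                rel = os.path.relpath(path, root)
                findings.append((rel, oct(stat.S_IMODE(st.st_mode)), reason))
    return sorted(findings)


def build_demo_tree():
    """Constructed sample tree using the modes mentioned in the thread (644, 777, 444)."""
    root = tempfile.mkdtemp(prefix="perm-demo-")
    for rel, mode in (("index.php", 0o644), ("data/cache.dat", 0o777), ("locked.html", 0o444)):
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("demo\n")
        os.chmod(path, mode)
    os.chmod(os.path.join(root, "data"), 0o777)
    return root


if __name__ == "__main__":
    tree = build_demo_tree()
    # Assumption: the web server runs under a different account than the file owner.
    for finding in audit_webroot(tree, web_uid=os.getuid() + 1):
        print(finding)
    # Same tree when the web server runs as the file owner: every entry is exposed.
    print(len(audit_webroot(tree, web_uid=os.getuid())), "entries exposed to the owner")
```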
#35 |
Damn Right I Kiss Ass!
Industry Role:
Join Date: Dec 2003
Location: Cowtown, USA
Posts: 32,391
|
Actually, old Comus is hackable... These are usually NOT FTP access problems and are problems with PHP scripts being hackable.
|
#36 | |
Industry Role:
Join Date: Aug 2006
Location: Little Vienna
Posts: 32,235
|
Quote:
|
|
#37 |
Industry Role:
Join Date: Aug 2006
Location: Little Vienna
Posts: 32,235
|
Here are copy-pastes of the JavaScript code:
http://pastebin.com/m53fc9126 http://pastebin.com/m1b861dd8 |
#38 |
Confirmed User
Join Date: Aug 2002
Location: UK
Posts: 3,198
|
All my sites were hacked through Comus. If you use Comus, I advise deleting it and using another script; this appears to be the only fix for me :2cents
__________________
Take it Easy !!! |
#39 | |
Confirmed User
Join Date: Sep 2003
Posts: 2,255
|
Found this from Webhostingtalk.com
Quote:
Then again, it's not recommended to install unreliable PHP scripts anyway..
__________________
254-282-542 |
|
#40 |
Industry Role:
Join Date: Aug 2006
Location: Little Vienna
Posts: 32,235
|
Well, the first thing I did was to completely disable FTP, but that didn't help anything. Anyway, my computer was not compromised, since I am not using FTP at all, only SFTP.
|
#41 |
Confirmed User
Join Date: Jun 2009
Location: Asheville, NC
Posts: 2,277
|
My favorite exploit is the fake image upload that has a correct image header...
If the image gets stored "as is", the first line of it is `<?eval($_REQUEST['someVar'])?>`. If the host is configured to parse image files (tracking, dynamic images, etc...) anything they pass in to the request gets evaled... so elegant, so simple, so devastating...
__________________
ICQ: 258-202-811 | Email: eric{at}bestxxxporn.com |
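A correct image header says nothing about the bytes that follow it, so an upload handler has to look at the whole file. This added example (not code from the thread) rejects uploads whose header does not match the extension or whose body contains a PHP open tag, and stores accepted files under a server-chosen name; the function names, the tag pattern and the sample bytes are constructed assumptions.

```python
import hashlib
import os
import re

# Leading bytes each allowed extension must start with.
MAGIC = {
    ".gif": (b"GIF87a", b"GIF89a"),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
}

# "<?php", "<?=" or a short open tag followed by a call such as "<?name(".
PHP_OPEN = re.compile(rb"<\?(?:php|=|\s*[A-Za-z_]\w*\s*\()", re.IGNORECASE)


def check_upload(filename, data):
    """Return (accepted, reason) for an uploaded image given its name and raw bytes."""
    ext = os.path.splitext(filename)[1].lower()
    if ext not in MAGIC:
        return (False, "extension not allowed")
    if not data.startswith(MAGIC[ext]):
        return (False, "header does not match extension")
    # A correct header proves nothing about the rest of the file: scan all of it.
    match = PHP_OPEN.search(data)
    if match:
        return (False, "PHP open tag at offset %d" % match.start())
    return (True, "ok")


def storage_name(filename, data):
    """Server-chosen name: content hash plus the single validated extension, so a
    client-supplied name like 'x.php.gif' never reaches the file system."""
    ext = os.path.splitext(filename)[1].lower()
    return hashlib.sha256(data).hexdigest()[:32] + ext


# Constructed samples: a minimal GIF header, with and without an embedded PHP tag.
CLEAN_GIF = b"GIF89a\x01\x00\x01\x00\x80\x00\x00\x00\x00\x00\xff\xff\xff;"
FAKE_GIF = b"GIF89a\x01\x00\x01\x00" + b"<?php /* constructed marker */ ?>"

if __name__ == "__main__":
    for name, blob in (("ok.gif", CLEAN_GIF), ("fake.gif", FAKE_GIF), ("x.php", FAKE_GIF)):
        print(name, check_upload(name, blob))
    print(storage_name("x.php.gif", CLEAN_GIF))
```

The byte scan is a triage filter; it complements keeping the upload directory out of the paths the server hands to the PHP interpreter, which is the condition the post names.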
#42 |
I love to racism, bro!
Industry Role:
Join Date: Oct 2002
Location: USA! USA! USA!
Posts: 22,819
|
Anyone heard from Comus regarding this problem? Is a fix being worked on or should I change scripts?
__________________
Unvaxxed, still alive. |
#43 |
Icq: 14420613
Industry Role:
Join Date: Mar 2001
Location: chicago
Posts: 15,432
|
I think you might need a managed host.
__________________
Need WebHosting ? Email me for some great deals [email protected] |
#44 | |
Confirmed User
Industry Role:
Join Date: Dec 2002
Location: in your head
Posts: 3,625
|
Quote:
ATM this is where we stand: I'm not saying Comus is the prob, but it is most likely the cause of all probs. The Comus license key admin login page file is broken ATM, one of the things that happened to my girlfriend's WordPress site during the hacks. TBH with you guys, I myself am ditching Comus as my script and am going for an alternative. For now it's Smart Thumbs, and as I've got over 100 Comus sites I've got a long and hard task ahead to switch 'em all over. I'm really hoping that all is well with Tony, but since I haven't heard from or seen him online in the past three weeks it makes me wonder what the fuck is going on. I hope I'm not getting loaded with 1000s of messages on my ICQ... thnx y'all, Ed
__________________
icq:148573096 skype:dabone2 email:boneless(a)mgpteam(.)com |
|
#45 | |
Anti Communist
Industry Role:
Join Date: Nov 2003
Location: Null
Posts: 29,765
|
Quote:
Duke
__________________
My mother said, to get things done You'd better not mess with Major Tom |
|
#46 |
Rock 'n Roll Baby!
Join Date: Sep 2004
Location: USA, temporarly
Posts: 22,562
|
I am not sure how you can be so sure that Comus is actually the root of your problems? I am using Comus too, but with tightened security on the server itself and with my OS security I never get hacked, nor do I get into trouble with any of my sites.
This time I haven't been affected by this Comus hack (which I think is not a Comus hack, just a malware insertion) and my sites are running smoothly. The only thing I don't like about Comus is that its admin interface loads an iframe from their website, so if their website has the malware, then technically every site that runs Comus has it too. To get rid of malware, and to actually avoid getting it, just install a normal OS, like Linux, or buy a Mac. Oh, and just one remark: before doing anything on your own, have your host run ClamAV on your box/v. acc. and scan for potentially infected files, as well as run the rootkit detection tools. Then it's your turn to make your own box clean and more secure. Good luck!
__________________
Sig for sale. Affordable prices. Contact me and get a great deal ;) My contact: ICQ: 944-320-46 e-mail: manca {AT} HotFreeSex4All.com |
#47 |
Confirmed User
Industry Role:
Join Date: Oct 2006
Location: SWFL
Posts: 4,533
|
Agreed.... it's comus, but even after you kill Comus, you've got to check every site on the server comus was on even if the site is not using Comus... (I've got 14 sites so far that were affected )
__________________
400 HARDL1NKS only $117! - (100 for $45)
BL0G P0STS $1.85+ | 55,000 Word Comprehensive Synonym Database 2 REVIEW COPIES AVAIL AT 50% OFF! | 16 yr old Aged Domains 4Sale ICQ: 265-593-735 ~ Skype: Naughty-Pages ~ email: ez_money4u(at)comcast(dot)net |
#48 |
ICQ: 197-556-237
Join Date: Jun 2003
Location: BRASIL !!!
Posts: 57,559
|
Look at your .htaccess and check if everything is working nicely.
__________________
I'm just a newbie. |
#49 |
Guest
Posts: n/a
|
I've had this before!!
Webair reverted my sites back to before the infection and changed all FTP info |
#50 |
Confirmed User
Join Date: Sep 2003
Posts: 2,255
|
Old thread. Yes, I was wrong. It's a Comus Thumbs hack. No FTP password issue.
I mistook it for another iframe injection attack caused by viruses on the local machine. I installed mod_security, then it stopped the code injection, but I thought it was fixed by removing viruses on my PC. Anyway, it's completely fixed by removing all backdoor scripts and infected files. If anyone still faces this problem, refer to this thread. http://www.gfy.com/fucking-around-and-business-discussion/928915-secure-delete-comus-installation-html-php-files-server-infected.html
__________________
254-282-542 |