Old 09-19-2009, 02:42 PM   #51
HEAT
Confirmed User
 
Join Date: Sep 2003
Posts: 2,255
I think there are many varietal ones of this.
Are you getting the code back even if CT is removed completely??
__________________
254-282-542
Old 09-19-2009, 03:27 PM   #52
Spudman
Confirmed User

Join Date: Aug 2002
Location: UK
Posts: 3,198
Quote:
Originally Posted by HEAT View Post
I think there are many varietal ones of this.
Are you getting the code back even if CT is removed completely??
you will, I think it just uses CT to get onto your server, once it's there you're fucked

I'm just about getting sorted but still have over 40 sites down.

Think this hack has taken about 10 years off my life I'm so stressed
__________________
Take it Easy !!!
Old 09-19-2009, 08:50 PM   #53
boneless
Confirmed User

Join Date: Dec 2002
Location: in your head
Posts: 3,625
down again, it's been up and down pretty much all day
__________________
icq:148573096 skype:dabone2 email:boneless(a)mgpteam(.)com
Old 09-19-2009, 09:43 PM   #54
beta-tester
Rock 'n Roll Baby!
 
Join Date: Sep 2004
Location: USA, temporarily
Posts: 22,562
maybe it's getting (D)DOSed? Because the host doesn't respond at all, which suggests a (d)dos attack...
__________________

Sig for sale. Affordable prices. Contact me and get a great deal ;)

My contact:
ICQ: 944-320-46
e-mail: manca {AT} HotFreeSex4All.com
Old 09-20-2009, 02:33 AM   #55
smoothballs
Confirmed User
 
Join Date: Aug 2004
Posts: 151
when importing comus galleries into smart thumbs, I can see the thumb pic thinking great I don't have to thumb the galleries all over again, however when I put them in queued galleries it seems I have to scan them all over again? or am I missing something here?

Last edited by smoothballs; 09-20-2009 at 02:35 AM..
Old 09-20-2009, 03:32 AM   #56
smoothballs
Confirmed User
 
Join Date: Aug 2004
Posts: 151
at the moment have totally removed comus and ept from all my sites...put a simple static temporary index page with text links up and yep the exploit is still there...replied to host about it guess it's down to them now to get it off the server...
Old 09-20-2009, 03:46 AM   #57
Spudman
Confirmed User

Join Date: Aug 2002
Location: UK
Posts: 3,198
Quote:
Originally Posted by smoothballs View Post
at the moment have totally removed comus and ept from all my sites...put a simple static temporary index page with text links up and yep the exploit is still there...replied to host about it guess it's down to them now to get it off the server...
dude the exploit gets in every single page, be it static or not. Just removing CT and EPT and putting up statics will not do anything. You need to lock down all permissions so files cannot be written to.
__________________
Take it Easy !!!
Old 09-20-2009, 03:49 AM   #58
Spudman
Confirmed User

Join Date: Aug 2002
Location: UK
Posts: 3,198
Quote:
Originally Posted by smoothballs View Post
when importing comus galleries into smart thumbs, I can see the thumb pic thinking great I don't have to thumb the galleries all over again, however when I put them in queued galleries it seems I have to scan them all over again? or am I missing something here?
maybe you are using the incorrect import in ST. Go to "tools" then "import" then copy over the import file/code from comus, this should put the galleries straight into the system without need to scan. You need to make sure that the site you import from has this folder readable: domain/ct/thumbs so that ST can import the thumbs.
__________________
Take it Easy !!!
Old 09-20-2009, 03:59 AM   #59
smoothballs
Confirmed User
 
Join Date: Aug 2004
Posts: 151
Quote:
Originally Posted by Spudman View Post
maybe you are using the incorrect import in ST. Go to "tools" then "import" then copy over the import file/code from comus, this should put the galleries straight into the system without need to scan. You need to make sure that the site you import from has this folder readable: domain/ct/thumbs so that ST can import the thumbs.
Yeah I did do it that way, not made a page yet so wasn't sure if it would work or not...by the way I did was "export" in comus and copied the links to notepad then put them in ST like you described...I did it how it was described in ST help page!

Last edited by smoothballs; 09-20-2009 at 04:04 AM.. Reason: information
Old 09-20-2009, 06:38 AM   #60
boneless
Confirmed User

Join Date: Dec 2002
Location: in your head
Posts: 3,625
Quote:
Originally Posted by Spudman View Post
maybe you are using the incorrect import in ST. Go to "tools" then "import" then copy over the import file/code from comus, this should put the galleries straight into the system without need to scan. You need to make sure that the site you import from has this folder readable: domain/ct/thumbs so that ST can import the thumbs.
bulk import and set processing to none, works wonders.
__________________
icq:148573096 skype:dabone2 email:boneless(a)mgpteam(.)com
Old 09-20-2009, 06:53 AM   #61
boneless
Confirmed User

Join Date: Dec 2002
Location: in your head
Posts: 3,625
to clean the hack:

originally posted by Gozak aka Spudstr of yellowfiber:

Realistically the best way to kill this script once you've found it.


BACK UP EVERYTHING YOU HAVE, if your host does backups, back it up anyway on your own.
Kill apache. shut it down and don't turn it on.

grep -R eval * > /some/folder/to/store/data/to/reasech

let it run let it finish. make sure that /tmp is locked down and even run linux auditd and set a rule to watch rwxa on /tmp.

after it finishes dig through the text file and find the php files exploited. once you go through the php file that's a back door put the path in a text file call it "foo"

cat foo | awk '{print "rm -f " $1}' | csh

this will mass delete all the infected files.

re-run the grep -R eval * script again to a new file. now find the files infected with the <script> i.e. the javascript. edit each file by hand or delete your archives and rebuild them with clean templates.

once you clean everything re-run grep again. this time hopefully you won't get any trace of the code.. anywhere.

lastly make sure all ct folders are gone gone gone gone.

turn apache back on.

you can have hosts set auditctl's on index files that get infected, make sure they use the wa flags and not war or warx we don't care if it's read or executed we just care if it's written to or appended. then watch logs later to see what folder a script is being called from so you can go and identify the exploits. Might be useful for future hacks/exploits that could possibly infect your machine.

lastly. If you really want to be isolated and prevent problems like this in the future do the following.

1. 1 ftp per site
2. run apache in suexec mode
3. run php in suphp
4. stop using 777, if you run in any suexec mode/suphp above you won't need 777 anyway.
5. set audits on your index files
6. noexec on /tmp folder and set audit to watch _everything_ that goes on in there.

I don't care if you host with us or not but you should give the above to your host to help them fix your exploited code or you can do it yourself if you manage the machine yourself.
__________________
icq:148573096 skype:dabone2 email:boneless(a)mgpteam(.)com
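The cleanup and hardening steps quoted in the post above, sketched as a shell script. This is an added example, not part of the thread and not Gozak's or any host's own tooling; the function names, the sample directory tree and the audit key index_write are assumptions, and the sample files are constructed.

```shell
#!/bin/sh
# Added example, not from the thread. Function names, the sample tree and
# the audit key "index_write" are assumptions made for illustration.
# List PHP files that contain an eval( call. Narrower than a bare
# "grep -R eval", but still a review list: legitimate code can use eval.
list_eval_php() {
    find "$1" -type f -name '*.php' -exec grep -lE 'eval[[:space:]]*\(' {} +
}

# Move the reviewed paths listed in file $1 (one per line) into directory $2.
# Paths are read as data, never run through a shell; files are kept, not deleted.
quarantine_listed() {
    mkdir -p "$2" || return 1
    n=0
    while IFS= read -r p; do
        [ -f "$p" ] || continue
        mv -- "$p" "$2/$(printf '%s' "$p" | tr '/' '_')" && n=$((n + 1))
    done < "$1"
    echo "$n"
}

# World-writable files and directories left behind by chmod 777.
list_world_writable() {
    find "$1" \( -type f -o -type d \) -perm -0002
}

# audit.rules lines that watch index files for writes and attribute changes (wa).
emit_index_watches() {
    find "$1" -type f \( -name 'index.html' -o -name 'index.php' \) |
    while IFS= read -r f; do
        printf '%s\n' "-w $f -p wa -k index_write"
    done
}

# Constructed sample tree so the functions can be tried offline.
make_sample() {
    umask 022
    d=$(mktemp -d) || return 1
    mkdir -p "$d/site/ct"
    printf '%s\n' '<?php eval("/* constructed sample */"); ?>' > "$d/site/ct/img.php"
    printf '%s\n' '<?php echo "evaluation"; ?>' > "$d/site/clean.php"
    printf '%s\n' '<html><body>links</body></html>' > "$d/site/index.html"
    chmod 777 "$d/site/ct"
    echo "$d"
}

# Demo on the constructed tree, then remove it.
d=$(make_sample) && { list_eval_php "$d/site"; list_world_writable "$d/site"
    emit_index_watches "$d/site"; rm -rf "$d"; }
```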
Old 09-20-2009, 08:17 AM   #62
smoothballs
Confirmed User
 
Join Date: Aug 2004
Posts: 151
it's out of my hands..only on a virtual server...removed comus as requested by hosts, it's up to them now to do the rest!
Old 09-20-2009, 08:35 AM   #63
smoothballs
Confirmed User
 
Join Date: Aug 2004
Posts: 151
ain't got a clue how to make a page in ST! went with the help files but don't seem it's been updated since 2005!

well actually that's a lie...got a page up but no thumbs...so deleted it...sorry I'm hard work when it comes to stuff like this!

Last edited by smoothballs; 09-20-2009 at 08:37 AM..
Old 09-20-2009, 08:37 AM   #64
Spudman
Confirmed User

Join Date: Aug 2002
Location: UK
Posts: 3,198
Quote:
Originally Posted by smoothballs View Post
ain't got a clue how to make a page in ST! went with the help files but don't seem it's been updated since 2005!
you can use the template maker/editor in Tools, just select the layout you want and it makes the code for you, simple as pie
__________________
Take it Easy !!!
Old 09-20-2009, 11:11 AM   #65
smoothballs
Confirmed User
 
Join Date: Aug 2004
Posts: 151
Quote:
Originally Posted by Spudman View Post
you can use the template maker/editor in Tools, just select the layout you want and it makes the code for you, simple as pie
Yeah did that....just had loads of thumb boxes with the red x in them...don't worry will figure this out!