Comus Thumbs.com down after big hack?

[Spudman]

hey,

Is http://comusthumbs.com/ down for you guys? I can't access it.

[hjnet]

Yes, looks like their Server is down

[fpforum]

Yup, the site is down here in central USA as well!

[Spudman]

Guessing this is the end of comus then. After this last hack i'm never using comus again anyway. I dont think the owner has giving a shit about comus for years now.

[Darkhorse]

Quote:

Originally Posted by Spudman

Guessing this is the end of comus then. After this last hack i'm never using comus again anyway. I dont think the owner has giving a shit about comus for years now.

Have to agree, I used it when it first came out oh so many years ago. Now fuck that shit smart thumbs is way to go....

[Bhunter]

even after deleting CT folder in your root and switichig to ST, the exploit code returns.

I'm done with CT

[hjnet]

Quote:

Originally Posted by Bhunter

even after deleting CT folder in your root and switichig to ST, the exploit code returns.

I'm done with CT

Maybe some script runs on your server that constantly inserts that code. Check your Server for files that have been changed on or around the date when the exploit first appeared

[Bhunter]

yup I'm affraid that's the case. working on it ;)

[Davy]

Weird. I only checked the site of comusthumbs a couple of days ago...

Anybody want to buy two spare comus licenses?

[Bhunter]

yesterday the site was up, but nobody in the forum mentioned about the hack

[Spudman]

Quote:

Originally Posted by Bhunter

even after deleting CT folder in your root and switichig to ST, the exploit code returns.

I'm done with CT

you have to change the permissions of ST after the install, the standard permissions are still vulnerable to the hack. I finally have a safe working version of ST on my server now and a script that will update all my new installs of ST to correct, safe permissions.

I installed ST to replace CT and it was hacked within about 2 mins until i did the above. Its a bitch of a hack

[Bhunter]

did you set it to 755?

[katharos]

the power of hackers ... there is always someone better, and if hackers want to put something down, they will find a way, and looks like its working ...

[HEAT]

Comus users, if you looking to buy ST license for migraton I found a great deal here.
http://www.gfy.com/sell-and-buy-forum/917058-wts-smart-thumbs-licenses.html

[area51 - BANNED FOR LIFE]

oh well, shit hasn't been updated forever, what do you expect to happen

[Davy]

Assuming there is a hack and that it is based on permissions, the comus staff is to blame.
They always advised people to "just chmod the whole comus folder to 777".
That's never a good idea. People should not have followed that advise in the first place.

[HEAT]

Quote:

Originally Posted by Spudman

you have to change the permissions of ST after the install, the standard permissions are still vulnerable to the hack. I finally have a safe working version of ST on my server now and a script that will update all my new installs of ST to correct, safe permissions.

I installed ST to replace CT and it was hacked within about 2 mins until i did the above. Its a bitch of a hack

You need to scan your PC first. the hacker might own your ftp login already.
I'm sure hacker running remote script that stored your login info. so it frequently injects JS/iframs code into your site files.

Clean your PC with anti-spyware then change all server passwords.
after that, remove the code in all files with text editor. Don't open infected webpages with browser until all removal is done.

it did work for me.

[pornguy]

man it sucks to see such a great program go.

[Spudman]

Quote:

Originally Posted by HEAT

You need to scan your PC first. the hacker might own your ftp login already.
I'm sure hacker running remote script that stored your login info. so it frequently injects JS/iframs code into your site files.

Clean your PC with anti-spyware then change all server passwords.
after that, remove the code in all files with text editor. Don't open infected webpages with browser until all removal is done.

it did work for me.

yeah done that, cleaned machine, changed all passwords, removed infected code from all pages but it still managed to spread to clean pages in a couple of minutes. thanks to my host we've got it locked down now and its not spreading.
Now i have to repair the sites and install ST over 40 times to replace CT

[Spudstr]

Quote:

Originally Posted by Spudman

you have to change the permissions of ST after the install, the standard permissions are still vulnerable to the hack. I finally have a safe working version of ST on my server now and a script that will update all my new installs of ST to correct, safe permissions.

I installed ST to replace CT and it was hacked within about 2 mins until i did the above. Its a bitch of a hack

Also need to check for malisious bots/programs running hidden as httpd. Easy to find if you do a ps auxwwwww and see something like [httpd] or related then followed by a blank line under it and some random word like start or log etc.

Also please check your /tmp folder so its set to noexec so pearl scripts cannot be ran out of this location after being uploaded.

I can go on and on but thats the jist of it.

[Lace]

Just checked one of my comus sites and sure enough - i've got the code being injected as well. Boo

[Spudman]

Quote:

Originally Posted by Lace

Just checked one of my comus sites and sure enough - i've got the code being injected as well. Boo

Anyone using Comus needs to get rid of it quickly if they haven't already been infected. Specially as it looks like its now a dead script.

sorry to here you got the hack, good luck getting rid of it.

[brassmonkey]

i said months ago ct was gone

[smoothballs]

grrrr dont even know where to start right now! need to get ST installed but also get all the links to trades,sponsors ect copied and pasted to hard drive! and reading about the exploit returning after a ST install! fuck its gonna be a long weekend for me! as well as for you guys!

[smoothballs]

fuck sake, cant even get pass install.php for smart thumbs here!

[Altheon]

Anyone know how to tighten Comus if we haven't been hacked yet? All I could think to do is change the permissions of the CT folder to 755.

[smoothballs]

Quote:

Originally Posted by Altheon

Anyone know how to tighten Comus if we haven't been hacked yet? All I could think to do is change the permissions of the CT folder to 755.

My hosts require 755 and still didnt stop my sites getting hacked....although I must add my sites seems to try and redirect rather then actual malicious code embedded in my html....

[smoothballs]

finally got thru to ST and having a go with with it to see what does what...kinda similar to comus but different interface....will be a few days till I can get my head round it and be up and running...hopefully!

[boneless]

Quote:

Originally Posted by Bhunter

yesterday the site was up, but nobody in the forum mentioned about the hack

so you failed to read my topic called important info ;)

[boneless]

Quote:

Originally Posted by Spudman

Now i have to repair the sites and install ST over 40 times to replace CT

wanna trade places and do my 100+ :D

[Spudman]

Quote:

Originally Posted by boneless

wanna trade places and do my 100+ :D

I feel your pain bro I really do, give sixzeros a slap if you ever speak to him again ! Thanks for your help through out my conus days dude, you were a star! Good luck with the sites

[Bhunter]

Quote:

Originally Posted by boneless

so you failed to read my topic called important info ;)

... hmmm. now i remember there was such thread but i must have in hurry overlook it's content

[beta-tester]

too bad for comus... It was pretty good script.

I guess I'll have to make a switch over st too...

[HEAT]

Check your tmpl files in ct/templates directory. those are infected as well and also there are more .tmpl and .php(no Zend) files in some other dirs.
Just delete unnecessary files under the ct directory.(backups, welcome.html, example.html, old data, etc.)

But again, YOU MUST SCAN YOUR PC in advance of code removal.
The hacker has your ftp password. so he will inject the code again automatically. Moreover this hacker(his remote software) will scan other directories in /home. then it will attack other php sites too. My other TGPX and TEVS sites on the same box also got hit.
Once the hacker has your ftp login, changing file/dir permission won't be a solution.

I had found these malwares in my pc.
Exploit,PDF.JS-Gen
Trojan.Script.7685
These came from the injected code.

Remove them and reboot. Scan again with another antispyware, reboot, then change server passwords.
Now edit all infected files. Use server-side text editor or file manager.
If there is a blank line under the <body> tag. Scroll to right and you will find the hidden code.
DON'T load infected or suspicious php/html files with browser. Your PC will get malwares again and it will sniff new password when you using ftp.
So it's the most important that your pc is not infected by malwares during code removal.

Good luck.

[smoothballs]

Spudman....see you are from the UK too send me a PM see if we can help each other out

[czarina]

can't get it here

[Spudman]

Quote:

Originally Posted by smoothballs

Spudman....see you are from the UK too send me a PM see if we can help each other out

Yes dude, I'll hit you up in the morning

[crockett]

I wonder why the owner stopped giving a shit? It seemed like he bought out epower trader but shortly after that stopping doing much.

Did he have health problems or something or just give up?

[Vendzilla]

I remember Tony having health problems and it when down hill from there, havn't heard from him in a long time

[qxm]

Quote:

Originally Posted by Vendzilla

I remember Tony having health problems and it when down hill from there, havn't heard from him in a long time

yeap I remember seeing u there.... Comus was a great tool while it lasted.... luckily I moved away from TGPs a while back.... glad I did it too!

[V_RocKs]

I uninstalled it long ago when it kept getting hacked.

[willwank]

I sale 100 licenses of glorious script APTGP3

[crockett]

Quote:

Originally Posted by Vendzilla

I remember Tony having health problems and it when down hill from there, havn't heard from him in a long time

Yea that's what I was thinking. I wonder if he's ok or if it's because of the health problems. He used to always be pretty active with his scripts. He didn't seem like one that would just disappear.

[stoner529]

this is my first time having to do this. i only have one site though. trying just to get that to work right. at least i have a dedicated managed server so they can take care of that crap for me. i have no clue about it. i think my site is okay though, but not to sure.

[MoreMagic]

http://comusthumbs.com/ is online again.

[smoothballs]

Quote:

Originally Posted by MoreMagic

http://comusthumbs.com/ is online again.

yeah but all the links at top of the page for support forum ect isnt there ...

[Davy]

Quote:

Originally Posted by HEAT

Check your tmpl files in ct/templates directory. those are infected as well and also there are more .tmpl and .php(no Zend) files in some other dirs.
Just delete unnecessary files under the ct directory.(backups, welcome.html, example.html, old data, etc.)

Good advice. Just go ahead and randomly delete files. That will stuff the security hole, for sure!

[SuzzyQ]

Besides Spybot S&D what is another good spyware removal progy?

[smoothballs]

jeez...this is gonna take forever! I'm tempted to just have static pages up...

[escorpio]

Quote:

Originally Posted by smoothballs

jeez...this is gonna take forever! I'm tempted to just have static pages up...

I've been thinking the same thing.