Secure/Delete your Comus Installation, ALL HTML/PHP Files on Server infected
Just as a warning for everyone, I had two old copies of Comus on a Server with ~20 other Domains. Looks like some hacker managed to break in through Comus to load up a script that simply added some malicious JavaScript code to EVERY HTML and PHP file on my Server that had been set to 777 file permissions. So some of my Smart Thumbs copies have been affected, and even some of my old static HTML galleries.
As far as I know there isn't a security update from Comus available by now, so I simply had to delete my two old copies from the Server as it was too risky to keep them there. So if you have Comus on your Box watch it very closely or get rid of the installations.
How come that I didn't get any of this shit? Maybe my server security is too good?
Sometimes it's always on the server-side securities if you get hacked!!!
Run a virus scan. Usually this stuff isn't caused by someone hacking your server or exploiting your script, but rather by a virus on your computer that logs in and puts this shit in.
Just checked one of my old tgps (the only one that still had comus installed)......... yeap.... had to put a 302 htaccess redirect to one of my other sites... every thumb redirect was causing my antivirus to go on full alert...
There's been a few people hit with this in the past few days :(
i.e.
grep -R "function Sym1" * > list_of_infected_files
Oh, and at first you might wanna try blocking the IP that calls for the script that puts that malicious JavaScript code into your files:
iptables -A INPUT -s 122.70.145.151 -j DROP
Fuccckkkkkkkkk this hack got me too. I am deleting my old Comus install now but from what I understand even after you have deleted Comus there are a bunch more backdoors that have likely been installed on the server and have to be rooted out. :(
guess that is the final nail in the coffin for comus.
wish the best. hacks suck.
I am wondering if I delete all the comus installs, have my host load an old backup in and set the files to read only files, will that take care of things?
Anybody?
How to fix Comus hack.
1. Install mod_security. (will stop code injection and defend from web attack.)
2. Migrate Comus Thumbs to Smart Thumbs - export and import gals, set cron/templates/trades/secure.php/etc..
3. Remove CT completely.
4. Find bad phpshell scripts (backdoor) that hacker installed into your server and remove them.
5. Find infected website files and edit/delete.
6. Repeat #4~#5.
7. Setup better security. change all server passwords (linux users/mysql users/web logins). install Rootkit Hunter. update APPs via yum (centOS). apache in suexec mode, use suphp, no 777 permission. use SFTP. update mod_security rules. install reliable anti-spyware to your local machine.
P.S. I'd REALLY like to break some kneecaps today :mad:
Bump Bump
Here is the full php code:
Or if you had installed mod_security, look into /var/log/httpd/modsec_debug.log. Whatever code they have on file, mod_security blocks system calls via web. You will find a bunch of these logs:
And for infected web files, yes, looks like the backdoors didn't inject the same JS code. Each code has a different encrypted malware URL. So classify all html/php files that have 777 permission, then abstract those different codes and make your own grep strings for a full search. Luckily, I had only one common string.
So people, search your servers:
grep -R "6966202873" * > list_of_backdoor_files
:thumbsup Oh, and the backdoor files are called "sync.php, thumbs.php and backup.php" in my case, user:group -> nobody:nobody
Anyone hear from Sixzeros or CT on what's up??
How do I prevent this? I've got CT on a test site so it doesn't matter how, it's not yet hacked. What files do I have to change from 777 to something else when I want to prevent it?
So if you REALLY intend to keep your copy of CT you should at least ensure that NO files on your server are writable by the user "nobody", and maybe block the IP I've mentioned earlier in this thread from accessing your Server. Oh, and search for the strings given in this thread with grep, maybe you're already infected and just didn't recognize it by now....
Just as a short summary how I got rid of this infection so far:
- At first, block 122.70.145.151 from accessing your Server, it's an IP in China that triggers the backdoor files on YOUR Server every ~10 minutes to infect writable files:
iptables -A INPUT -s 122.70.145.151 -j DROP
And Spudstr from YellowFiber also suggests to block 122.64.0.0/11:
iptables -A INPUT -s 122.64.0.0/11 -j DROP
- Then get rid of your Comus installations. I've simply deleted the entire /ct/ folder as I didn't use my installations anyway. That was the only solution for me as long as there's no security patch available.
- Next I've scanned my Server for any INFECTED files:
grep -R "function Sym1" * > list_of_infected_files
grep -R "function STy6" * > another_list_of_infected_files
These are the only two different types of insertions I've found so far on my Server; it might be possible that there are more out there, please let us know if you come across new ones so everybody could search their Server for the matching string snippets.
- And finally get rid of the backdoor files:
grep -R "6966202873" * > list_of_backdoor_files
The backdoor files on my Server were called something like backup.php, sync.php, thumbs.php
I hope that's it so far, now it's time to tighten Server Security a bit more :thumbsup
I'm no server expert so I just deleted it all.
Bump Bump
add me to the list ...
fuck.. had noticed a few sites of mine with trojans on it a little over a week ago but was on the road and couldn't do much about it.. (the list is now up to 14 sites that have had code added to them).. narrowed it down to assuming it was the one site that i use Comus on as being the source of the problems and then searched GFY for Comus to confirm others were having an issue... and here we are... looks like i'll be killing it as Comus has no update, and going to their site to redownload a fresh copy to make sure i had the latest version just gives an error... on this one server i probably have 200-300 sites.. i'm sure that there's more than 14 infected.. looks like i am going to have fun today..
good info thanks
lol
Looking through your post history, it's apparent you are a troll.. and your posts have nothing of value whatsoever.. Looking through the past couple weeks of your posts I can only assume you are not even a webmaster.. just really dumb shit.. more info is here: http://www.gofuckyourself.com/showthread.php?t=931492 please ignore the troll with the avatar of his boyfriend..
I had the same issue... and got about 20 or 30 sites hacked because of CT... I have removed all CT's I had... and redirected those domains to some CAM sites...
We interrupt this thread for a public GFY announcement: Carmine Raguso is the OFFICIAL WINNER of the GFY Troll of the Week award!!! yup.. he won..
Is this all done through SSH?