Old 06-10-2005, 03:37 AM  
sixzeros
Registered User
 
Join Date: Aug 2002
Location: Las Vegas
Posts: 53
Just took a look at Comus for you.

It looks like someone has stolen your FTP account, placed their own code on the system, and removed Comus.

They've renamed the main cx.php to ctx.php and they are using Zend-encoded PHP scripts, so it is hard to see exactly what they have dumped on there, but we know at least that it is a simple script of less than 1000 bytes.

It would appear that they have also dumped a trojan on the machine, because they appear to be able to change files that neither Comus nor your FTP account would naturally have the permissions to change.

One way someone can test whether they might be infected is to check the file size of /ct/cx.php; if it is less than 10k, then you have a very suspect situation.

I suggest you move everything to a new server and be very selective about which PHP files you copy over. The best bet is to reinstall Comus and your trade scripts clean, and then import the data and templates only.

I thought I posted earlier but it didn't seem to take. I suggested using CommView, a packet sniffer that lets you see what headers are being generated, so you can see exactly what is happening in your browser. You would have been able to see that clicks were bouncing from index page -> cx.php -> ctx.php -> ATX, and by comparing the path to a non-hacked site you'd see the different path and the culprit files. ctx.php should not be there.

I've never actually seen anyone do this before; it's a first. But now that it has happened, I'll make something in Comus that will run an auto integrity check of the main files. It should make it impossible for anyone to do this again.

I feel for ya bro, F@$@#$'n hackers suck

-----------------
sixzeros - Comus Thumbs Author

Last edited by sixzeros; 06-10-2005 at 03:38 AM..
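The two checks the post describes (is /ct/cx.php suspiciously small, and has a file like ctx.php appeared that a clean install never shipped) are what a file integrity check boils down to: record the hash and size of every known-good file, then compare the live tree against that record. The following is an added example, not code from the post or from Comus. It builds a throwaway directory tree, takes a manifest of it, then tampers with it the way the post describes (rename cx.php to ctx.php, drop a small replacement cx.php) and shows what the check reports. The file names other than cx.php, the 10k threshold taken from the post, and the file contents are all constructed for illustration.

```python
import hashlib
import os
import tempfile

# Rule of thumb from the post: a cx.php under 10k is suspect.
# The threshold is the post's; applying it per file is an assumption.
MIN_SIZES = {"ct/cx.php": 10 * 1024}


def sha256_file(path):
    """SHA-256 of a file, read in chunks so large files are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root, rel_paths):
    """Record hash and size of each known-good file (paths relative to root, '/' separated).

    Take this from a clean install, never from a machine you already suspect.
    """
    manifest = {}
    for rel in rel_paths:
        full = os.path.join(root, rel)
        manifest[rel] = {"sha256": sha256_file(full), "size": os.path.getsize(full)}
    return manifest


def check_integrity(root, manifest, min_sizes=MIN_SIZES):
    """Compare the live tree under root against the manifest.

    Returns a list of (relative_path, problem) tuples; an empty list means clean.
    Reports: missing files, files below their size floor, hash mismatches,
    and .php files in a known directory that the manifest does not list.
    """
    findings = []
    for rel, expected in manifest.items():
        full = os.path.join(root, rel)
        if not os.path.isfile(full):
            findings.append((rel, "missing"))
            continue
        size = os.path.getsize(full)
        if rel in min_sizes and size < min_sizes[rel]:
            findings.append((rel, f"suspiciously small ({size} bytes)"))
        if sha256_file(full) != expected["sha256"]:
            findings.append((rel, "hash mismatch"))

    # Anything ending in .php that a clean install did not ship (e.g. ctx.php)
    # is reported as unexpected; only directories the manifest knows are scanned.
    known_dirs = {rel.rsplit("/", 1)[0] if "/" in rel else "" for rel in manifest}
    for d in sorted(known_dirs):
        for name in sorted(os.listdir(os.path.join(root, d))):
            rel = f"{d}/{name}" if d else name
            if name.lower().endswith(".php") and rel not in manifest:
                findings.append((rel, "unexpected file"))
    return findings


def demo():
    """Constructed scenario: clean tree, manifest, then the tampering the post describes."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "ct"))
    # Constructed stand-ins for a clean install; contents are filler, not real Comus code.
    clean_cx = b"<?php\n// constructed stand-in for the real cx.php\n" + b"#" * 12000
    clean_index = b"<?php\n// constructed stand-in for index.php\n"
    with open(os.path.join(root, "ct", "cx.php"), "wb") as f:
        f.write(clean_cx)
    with open(os.path.join(root, "ct", "index.php"), "wb") as f:
        f.write(clean_index)

    manifest = build_manifest(root, ["ct/cx.php", "ct/index.php"])
    clean_findings = check_integrity(root, manifest)

    # Tamper as described in the post: real cx.php becomes ctx.php,
    # and a small script (here padded to 600 bytes) takes its name.
    os.rename(os.path.join(root, "ct", "cx.php"), os.path.join(root, "ct", "ctx.php"))
    dropper = b"<?php\n// constructed stand-in for an injected redirect script\n".ljust(600, b"x")
    with open(os.path.join(root, "ct", "cx.php"), "wb") as f:
        f.write(dropper)

    tampered_findings = check_integrity(root, manifest)
    return {"clean": clean_findings, "tampered": tampered_findings}


if __name__ == "__main__":
    for state, findings in demo().items():
        print(state, findings if findings else "clean")
```

The manifest must come from a clean install (or a fresh download of the same version), and the checker has to run as something the web server and the FTP account cannot write to, otherwise an attacker who already has write access to the tree can simply update the manifest too. Size floors catch a stub dropped in place of a real file even before the hashes are compared; the hash comparison catches edits that keep the size plausible.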