when importing comus galleries into smart thumbs, I can see the thumb pic thinking great I dont have to thumb the galleries all over again,however when i put them in queued galleries it seems i have scan them all over again? or am I missing something here?
at the moment have totally removed comus and ept ffrom all my sites...put a simple static temporary index page with text links up and yep the exploit is still there...replied to host about it guess its down to them now to get it off the server...
at the moment have totally removed comus and ept ffrom all my sites...put a simple static temporary index page with text links up and yep the exploit is still there...replied to host about it guess its down to them now to get it off the server...
dude the exploit gets in every single page, be it static or not. Just removing CT and EPT and putting up statics will not do anything, You need to lock down all permissions so files can not be written to.
when importing comus galleries into smart thumbs, I can see the thumb pic thinking great I dont have to thumb the galleries all over again,however when i put them in queued galleries it seems i have scan them all over again? or am I missing something here?
maybe you are using the incorrect import in ST. Go to "tools" then "import" then copy over the import file/code from comus, this should put the galleries straight into the system without need to scan. You need to make sure that the site you import from has this folder readable: domain/ct/thumbs so that ST can import the thumbs.
maybe you are using the incorrect import in ST. Go to "tools" then "import" then copy over the import file/code from comus, this should put the galleries straight into the system without need to scan. You need to make sure that the site you import from has this folder readable: domain/ct/thumbs so that ST can import the thumbs.
Yeah I did do it that way, not made a page yet so wasnt sure if it would work or not...by the way I did was "export" in comus and copied the links to notepad then put them in ST like you described...I did it how it was described in ST help page!
Last edited by smoothballs; 09-20-2009, 03:04 AM.
Reason: information
maybe you are using the incorrect import in ST. Go to "tools" then "import" then copy over the import file/code from comus, this should put the galleries straight into the system without need to scan. You need to make sure that the site you import from has this folder readable: domain/ct/thumbs so that ST can import the thumbs.
bulk import and set processing to none, works wonders.
let it run let it finish. make sure that /tmp is locked down and even run linux auditd and set a rule to watch rwxa on /tmp.
after it finsihes dig through the text file and find the php files exploited. once you go through the php file thats a back door put the path in a text file call it "foo"
cat foo | awk '{print "rm -f " $1}' | csh
this will mass delete all the infected files.
re-fun the grep -R eval * script again to a new file. now find the files infected with the <script> i.e the javascript. edit each file by hand or delete your archives and rebuild them with clean templates.
once you clean everything re-run grep again. this time hopefully you wont get any trace of the code.. anywhere.
lastly make sure all ct folders are gone gone gone gone.
turn apache back on.
you can have hosts set auditctl's on index files that get infected, make sure they use the wa flags and not war or warx we don't care if its read or executed we just care if its written to or appended. then watch logs later to see what folder a script is being called from so you can go and identify the exploits. Might be useful for future hacks/exploits that could possibly infect your machine.
lastly. If you really want to be isolated and prevent problems like this in the future do the following.
1. 1 ftp per site
2. run apache in suexec mode
3. run php in suphp
4. stop using 777, if you run in any suexec mode/suphp above you wont need 777 anyway.
5. set audits on your index files
6. noexec on /tmp folder and set audit to watch _everything_ that goes on in there.
I don't care if you host with us or not but you should give the above to your host to help them fix your exploited code or you can do it yourself if you manage the machine yourself.
Comment