Comus Thumbs.com down after big hack?

Collapse
X
 
  • Time
  • Show
Clear All
new posts
  • HEAT
    Confirmed User
    • Sep 2003
    • 2255

    #51
    I think there are many varietal ones of this.
    Are you getting the code back even if CT is removed completely??
    254-282-542

    Comment

    • Spudman
      Confirmed User
      • Aug 2002
      • 3198

      #52
      Originally posted by HEAT
      I think there are many varietal ones of this.
      Are you getting the code back even if CT is removed completely??
      you will, i think it just uses CT to get onto your server, once its there you're fucked

      I'm just about getting sorted but still have over 40 sites down.

      Think this hack has taken about 10 years off my life i'm so stressed
      Take it Easy !!!

      Comment

      • boneless
        Confirmed User
        • Dec 2002
        • 3625

        #53
        down again, its been up and down pretty much all day
        icq:148573096 skype:dabone2 email:boneless(a)mgpteam(.)com

        Comment

        • beta-tester
          Rock 'n Roll Baby!
          • Sep 2004
          • 22562

          #54
          maybe it's getting (D)DOSed? Because the host doesn't respond at all, which suggests a (d)dos attack...

          Sig for sale. Affordable prices. Contact me and get a great deal ;)

          My contact:
          ICQ: 944-320-46
          e-mail: manca {AT} HotFreeSex4All.com

          Comment

          • smoothballs
            Confirmed User
            • Aug 2004
            • 151

            #55
            when importing comus galleries into smart thumbs, I can see the thumb pic thinking great I dont have to thumb the galleries all over again,however when i put them in queued galleries it seems i have scan them all over again? or am I missing something here?
            Last edited by smoothballs; 09-20-2009, 01:35 AM.

            Comment

            • smoothballs
              Confirmed User
              • Aug 2004
              • 151

              #56
              at the moment have totally removed comus and ept ffrom all my sites...put a simple static temporary index page with text links up and yep the exploit is still there...replied to host about it guess its down to them now to get it off the server...

              Comment

              • Spudman
                Confirmed User
                • Aug 2002
                • 3198

                #57
                Originally posted by smoothballs
                at the moment have totally removed comus and ept ffrom all my sites...put a simple static temporary index page with text links up and yep the exploit is still there...replied to host about it guess its down to them now to get it off the server...
                dude the exploit gets in every single page, be it static or not. Just removing CT and EPT and putting up statics will not do anything, You need to lock down all permissions so files can not be written to.
                Take it Easy !!!

                Comment

                • Spudman
                  Confirmed User
                  • Aug 2002
                  • 3198

                  #58
                  Originally posted by smoothballs
                  when importing comus galleries into smart thumbs, I can see the thumb pic thinking great I dont have to thumb the galleries all over again,however when i put them in queued galleries it seems i have scan them all over again? or am I missing something here?
                  maybe you are using the incorrect import in ST. Go to "tools" then "import" then copy over the import file/code from comus, this should put the galleries straight into the system without need to scan. You need to make sure that the site you import from has this folder readable: domain/ct/thumbs so that ST can import the thumbs.
                  Take it Easy !!!

                  Comment

                  • smoothballs
                    Confirmed User
                    • Aug 2004
                    • 151

                    #59
                    Originally posted by Spudman
                    maybe you are using the incorrect import in ST. Go to "tools" then "import" then copy over the import file/code from comus, this should put the galleries straight into the system without need to scan. You need to make sure that the site you import from has this folder readable: domain/ct/thumbs so that ST can import the thumbs.
                    Yeah I did do it that way, not made a page yet so wasnt sure if it would work or not...by the way I did was "export" in comus and copied the links to notepad then put them in ST like you described...I did it how it was described in ST help page!
                    Last edited by smoothballs; 09-20-2009, 03:04 AM. Reason: information

                    Comment

                    • boneless
                      Confirmed User
                      • Dec 2002
                      • 3625

                      #60
                      Originally posted by Spudman
                      maybe you are using the incorrect import in ST. Go to "tools" then "import" then copy over the import file/code from comus, this should put the galleries straight into the system without need to scan. You need to make sure that the site you import from has this folder readable: domain/ct/thumbs so that ST can import the thumbs.
                      bulk import and set processing to none, works wonders.
                      icq:148573096 skype:dabone2 email:boneless(a)mgpteam(.)com

                      Comment

                      • boneless
                        Confirmed User
                        • Dec 2002
                        • 3625

                        #61
                        to clean the hack:

                        originally posted by Gozak aka Spudstr of yellowfiber:

                        Realisticly the best way to kill this script once you've found it.


                        BACK UP EVERYTHING YOU HAVE, if your hosts does backups, back it up anyway on your own.
                        Kill apache. shut it down and don't turn it on.

                        grep -R eval * > /some/folder/to/store/data/to/reasech

                        let it run let it finish. make sure that /tmp is locked down and even run linux auditd and set a rule to watch rwxa on /tmp.

                        after it finsihes dig through the text file and find the php files exploited. once you go through the php file thats a back door put the path in a text file call it "foo"

                        cat foo | awk '{print "rm -f " $1}' | csh

                        this will mass delete all the infected files.

                        re-fun the grep -R eval * script again to a new file. now find the files infected with the <script> i.e the javascript. edit each file by hand or delete your archives and rebuild them with clean templates.

                        once you clean everything re-run grep again. this time hopefully you wont get any trace of the code.. anywhere.

                        lastly make sure all ct folders are gone gone gone gone.

                        turn apache back on.

                        you can have hosts set auditctl's on index files that get infected, make sure they use the wa flags and not war or warx we don't care if its read or executed we just care if its written to or appended. then watch logs later to see what folder a script is being called from so you can go and identify the exploits. Might be useful for future hacks/exploits that could possibly infect your machine.

                        lastly. If you really want to be isolated and prevent problems like this in the future do the following.

                        1. 1 ftp per site
                        2. run apache in suexec mode
                        3. run php in suphp
                        4. stop using 777, if you run in any suexec mode/suphp above you wont need 777 anyway.
                        5. set audits on your index files
                        6. noexec on /tmp folder and set audit to watch _everything_ that goes on in there.

                        I don't care if you host with us or not but you should give the above to your host to help them fix your exploited code or you can do it yourself if you manage the machine yourself.
                        icq:148573096 skype:dabone2 email:boneless(a)mgpteam(.)com

                        Comment

                        • smoothballs
                          Confirmed User
                          • Aug 2004
                          • 151

                          #62
                          its out of my hands..only on a virtual server...removed comus as requested by hosts, its up to them now to do the rest!

                          Comment

                          • smoothballs
                            Confirmed User
                            • Aug 2004
                            • 151

                            #63
                            aint got clue how to make a page in ST! went with the help files but dont seem its been updated since 2005!

                            well actually thats a lie...got a page up but no thumbs...so deleted it...sorry I'm hard work when it comes to stuff like this!
                            Last edited by smoothballs; 09-20-2009, 07:37 AM.

                            Comment

                            • Spudman
                              Confirmed User
                              • Aug 2002
                              • 3198

                              #64
                              Originally posted by smoothballs
                              aint got clue how to make a page in ST! went with the help files but dont seem its been updated since 2005!
                              you can use the template maker/editor in Tools, just select the layout you want and it makes the code for you, simple as pie
                              Take it Easy !!!

                              Comment

                              • smoothballs
                                Confirmed User
                                • Aug 2004
                                • 151

                                #65
                                Originally posted by Spudman
                                you can use the template maker/editor in Tools, just select the layout you want and it makes the code for you, simple as pie
                                Yeah did that....just had loads of thumb boxes with the red x in them...dont worry will figure this out!

                                Comment

                                Working...