My favorite exploit is the fake image upload that has a correct image header...

If the image gets stored "as is" the first line of it is <?eval($_REQUEST['someVar']?>

If the host is configured to parse image files (tracking, dynamic images, etc...) anything they pass in to the request gets evaled... so elegant, so simple, so devastating...

Anyone heard from Comus regarding this problem? Is a fix being worked on or should I change scripts?

i think you might need a managed host.

i consider myself at this point the ex tech support of comus. i worked for five years and the last year and the first year i had to cover for tony a lot.

ATM this is where we stand, im not saying comus is the prob but it is most likely the cause of all probs.

Comus license key admin login page file is broken atm, one of the things that happened to my girlfriend wordpress site during the hacks.

tbh with you guys, i myself am ditching comus as my script and am going for an alternative. For now its smart thumbs, and as i got over 100 comus sites i got a long and hard task ahead to switch em all over.

Im really hoping that all is well with tony but since i havent heard or seen him online in the past three weeks makes me wonder what the fuck is going on.

I hope im not getting loaded with 1000s of messages on my icq...

thnx yall,

Ed

Just a conjecture here, but that wont work. I've seen enough stuff attempted on my boxes and its always a hole in the script. remove the scripts and your ok. It's not really an access thing. Changing the locks on your front door is pointless if you leave the windows open.
Duke

I am not sure how can you be so sure that actually comus is the root of your problems? I am using comus too, but with tightened security on the server itself and with my OS security I never get hacked, neither get into troubles with any of my sites.

This time I haven't been affected by this comus hack (which I think is not comus hack, just a malware insertion) and my sites are running smoothly.
The only thing I don't like about comus is that its admin interface loads iframe from their website, so if their website has the malware, then technically every site that runs comus has it too.

To get rid of malwares and to actually avoid getting them, just install normal os, like Linux, or buy Mac.

Oh, and just one remark: before doing anything on your own, have host run clamAV on your box/v. acc. and scan for potential infected files, as well as run the rootkit detection tools. Then it's your turn to make your own box clean and more secure.

Good luck!

Agreed.... it's comus, but even after you kill Comus, you've got to check every site on the server comus was on even if the site is not using Comus... (I've got 14 sites so far that were affected )

Look at your .htaccess and check if it's everything working nicely.

ive had this before!!
Webair reverted my sites abck before the infection and changed all ftp info

Old thread. Yes I was wrong. it's a Comus thumbs hack. No ftp password issue.
I misunderstood it was another iframe injection attack that caused from viruses on local machine. I installed mod_security then it stopped code injection but I thought it fixed by removing viruses on my PC.

Anyway it's completely fixed by removing all backdoor scripts and infected files.
If anyone still faces this froblem, refer this thread.
http://www.gfy.com/showthread.php?t=928915

Yeah, that's fucked. I hate those virus scripts inserted like that.