I think there are many varietal ones of this. :(
Are you getting the code back even if CT is removed completely??

you will, i think it just uses CT to get onto your server, once its there you're fucked :Oh crap

I'm just about getting sorted but still have over 40 sites down.

Think this hack has taken about 10 years off my life i'm so stressed :1orglaugh

down again, its been up and down pretty much all day

maybe it's getting (D)DOSed? Because the host doesn't respond at all, which suggests a (d)dos attack...

when importing comus galleries into smart thumbs, I can see the thumb pic thinking great I dont have to thumb the galleries all over again,however when i put them in queued galleries it seems i have scan them all over again? or am I missing something here?

at the moment have totally removed comus and ept ffrom all my sites...put a simple static temporary index page with text links up and yep the exploit is still there...replied to host about it guess its down to them now to get it off the server...

dude the exploit gets in every single page, be it static or not. Just removing CT and EPT and putting up statics will not do anything, You need to lock down all permissions so files can not be written to.

maybe you are using the incorrect import in ST. Go to "tools" then "import" then copy over the import file/code from comus, this should put the galleries straight into the system without need to scan. You need to make sure that the site you import from has this folder readable: domain/ct/thumbs so that ST can import the thumbs.

Yeah I did do it that way, not made a page yet so wasnt sure if it would work or not...by the way I did was "export" in comus and copied the links to notepad then put them in ST like you described...I did it how it was described in ST help page! :)

bulk import and set processing to none, works wonders.

to clean the hack:

originally posted by Gozak aka Spudstr of yellowfiber:

Realisticly the best way to kill this script once you've found it.


BACK UP EVERYTHING YOU HAVE, if your hosts does backups, back it up anyway on your own.
Kill apache. shut it down and don't turn it on.

grep -R eval * > /some/folder/to/store/data/to/reasech

let it run let it finish. make sure that /tmp is locked down and even run linux auditd and set a rule to watch rwxa on /tmp.

after it finsihes dig through the text file and find the php files exploited. once you go through the php file thats a back door put the path in a text file call it "foo"

cat foo | awk '{print "rm -f " $1}' | csh

this will mass delete all the infected files.

re-fun the grep -R eval * script again to a new file. now find the files infected with the <script> i.e the javascript. edit each file by hand or delete your archives and rebuild them with clean templates.

once you clean everything re-run grep again. this time hopefully you wont get any trace of the code.. anywhere.

lastly make sure all ct folders are gone gone gone gone.

turn apache back on.

you can have hosts set auditctl's on index files that get infected, make sure they use the wa flags and not war or warx we don't care if its read or executed we just care if its written to or appended. then watch logs later to see what folder a script is being called from so you can go and identify the exploits. Might be useful for future hacks/exploits that could possibly infect your machine.

lastly. If you really want to be isolated and prevent problems like this in the future do the following.

1. 1 ftp per site
2. run apache in suexec mode
3. run php in suphp
4. stop using 777, if you run in any suexec mode/suphp above you wont need 777 anyway.
5. set audits on your index files
6. noexec on /tmp folder and set audit to watch _everything_ that goes on in there.

I don't care if you host with us or not but you should give the above to your host to help them fix your exploited code or you can do it yourself if you manage the machine yourself.

its out of my hands..only on a virtual server...removed comus as requested by hosts, its up to them now to do the rest!

aint got clue how to make a page in ST! went with the help files but dont seem its been updated since 2005!

well actually thats a lie...got a page up but no thumbs...so deleted it...sorry I'm hard work when it comes to stuff like this! :)

you can use the template maker/editor in Tools, just select the layout you want and it makes the code for you, simple as pie :thumbsup

Yeah did that....just had loads of thumb boxes with the red x in them...dont worry will figure this out! :)