10-04-2009, 09:45 AM
Naughty-Pages
Confirmed User
Join Date: Oct 2006
Location: SWFL
Posts: 4,533
Comus Thumbs Backdoor/Trojan: Don't be reading this now, then post next week crying.

Just imagine losing ALL Google SE Traffic and ALL Firefox Surfer traffic on ALL of your sites OVERNIGHT!! potentially for days, weeks even months.. (it could happen to you).

There are a few threads circulating around about Comus Thumbs being vulnerable (again) to a backdoor/trojan issue:

I got hit... (FYI.. I have multiple servers, but out of the 250+ sites on the server I had my only copy of Comus on, only about 35-40 or so other sites got infected before I was able to catch it... )

BUT it jumped to over 18 different master accounts on that server.. because of that, it made it extremely frustrating and time consuming to remove...

Anywhoo..
This thread has some info on how to remove the backdoors/trojans:
Secure/Delete your Comus Installation, ALL HTML/PHP Files on Server infected (credit to hjnet)

My approach was slightly different, I used these two commands to search:
a) grep -Rl "6966202873" . > list_of_backdoor_files
b) grep -Rl "59} else if" . > list_of_infected_files

my second scan for infected files (b) is different than what was in the thread I mentioned because with the help of my host we found that the code mutated spontaneously and the code you were using did not always catch them...

I think that's because many of my toplists that were infected were set to re-rank every 10 minutes, so the mutation was more noticeable.

This is not just about the hassle of finding/removing the backdoors/trojans and losing traffic until you figure it out... The sucky part about all of this is Google (safebrowsing.clients.google.com) flagged a bunch of my sites before I could remove the trojans, thereby killing the traffic on at least 8-10 or so of them. (not only killed SE traffic by saying my site will harm your computer in the search engine results pages, but also Firefox users get a big red warning screen, so the toplists are pretty much dead as far as surfers using Firefox, except for IE surfer traffic).

Now I have to go request that the flagging be removed.. I wonder how long that will friggin take??????????? (This is where my first line comes in about losing that traffic for days/weeks/months).

Never going back to Comus... that was not a fun ordeal.. took several days to narrow it down and then 2 days to remove (1 of which was figuring it out)... between the lost work time and lost traffic this was kind of expensive.

Anyone who has Comus thumbs really should not gamble with keeping the script with the "Wait and See" attitude.. (especially if you have your own servers with multiple sites on them)...

This could potentially put some people completely out of business..

Even though it hurt me, I got lucky... I only had one copy of Comus on one server, but if I would have had it on all of my servers, and had been on vacation giving it time to spread to all of my sites (nearly 1000 sites), that would have killed me.

Don't be reading this today and then posting here next week crying...

Last edited by Naughty-Pages; 10-04-2009 at 09:49 AM..
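A scanner in the spirit of the two grep commands in the post above, added here as an example and not code from the original post: it sweeps a document root for both signature strings the post quotes, records the owner and SHA-256 of each hit (useful when hits are spread across many accounts and the code keeps mutating), and runs against a constructed sample tree. It assumes POSIX sh, grep -r and GNU sha256sum.

```shell
#!/bin/sh
# Added example, not code from the original post: a scanner that does what the
# two grep commands in the post do, but writes a report with the owner and hash
# of every hit. Assumes POSIX sh, grep -r, and sha256sum (GNU coreutils).

SIG_BACKDOOR='6966202873'   # signature the post used for the backdoor files
SIG_INFECTED='59} else if'   # signature that also caught the mutated copies

# scan_tree DIR REPORT: one line per matching file under DIR, written to REPORT
# as kind<TAB>owner<TAB>sha256<TAB>path. Returns 0 on any hit, 1 on none.
scan_tree() {
    dir=$1; report=$2; tab=$(printf '\t')
    : > "$report"
    # -r also descends into dotfiles, which a bare * glob skips; -l prints only
    # file names, so a report left inside the tree can never re-match itself;
    # -F treats the signatures as fixed strings, not regular expressions.
    { grep -rlF -- "$SIG_BACKDOOR" "$dir" | awk '{print "backdoor\t" $0}'
      grep -rlF -- "$SIG_INFECTED" "$dir" | awk '{print "infected\t" $0}'
    } | sort | while IFS=$tab read -r kind path; do
        owner=$(ls -ld "$path" | awk '{print $3}')   # hits can span many accounts
        sum=$(sha256sum "$path" | awk '{print $1}')  # differing hashes = mutation
        printf '%s\t%s\t%s\t%s\n' "$kind" "$owner" "$sum" "$path" >> "$report"
    done
    [ -s "$report" ]
}

# count_hits REPORT KIND: how many report lines are of the given kind.
count_hits() { grep -c "^$2$(printf '\t')" "$1"; }

# make_sample_tree DIR: constructed stand-in for a document root with two sites.
make_sample_tree() {
    mkdir -p "$1/site1/thumbs" "$1/site2"
    printf '<?php echo "hello"; ?>\n' > "$1/site1/index.php"          # clean
    printf '<?php $x = "%s"; ?>\n' "$SIG_BACKDOOR" > "$1/site1/thumbs/x.php"
    printf '<html>%s</html>\n' "$SIG_INFECTED" > "$1/site2/index.html"
    printf '<?php %s ?>\n' "$SIG_INFECTED" > "$1/site2/.hidden.php"   # dotfile
}

# Usage: scan the constructed tree in a scratch directory and show the report.
root=$(mktemp -d)
make_sample_tree "$root"
scan_tree "$root" "$root.report" && cat "$root.report"
```

Because the report holds file names rather than matched lines, it can be re-run after cleanup to confirm the tree is empty of both signatures.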