Quote:
Originally Posted by beta-tester
Hmm.. do you have mod_security installed on your apache? Also, do you know which Comus files are directly hit with this infection? Meaning, which files you first noticed that had malicious code in?
I am not playing with this, but I want to make sure Comus is really vulnerable.
mod_security is set by default on all of our servers..
And as far as which file was hit first, I cannot tell you.. I was traveling out of state the week that it happened and my time online was limited.. Because of my limited time, to begin with I was frantically removing everything I could (which just came back).
Had I not been traveling I would have taken the time to notice time stamps, etc (although those can also be faked).
I did not narrow it down to Comus until a few days ago when I was searching for a solution and noticed a common issue that others using Comus were having the same exact issue and that most of the backdoors were in Comus (although they had spread to dozens of other sites, those other sites only had about 1-3 backdoor files).
And the deciding factor (aside from what everyone else is saying) was that I was not able to begin to remove the backdoors and trojans permanently until I deleted Comus.
You can take boneless/Ed's advice to try to secure it if you want, I just know that the risks for me far outweigh the benefits.. Maybe I would feel differently if I had 100 sites running Comus and had to worry about the labor involved to convert them over to some other script.. but I only had one Comus script that I had just set up like 3 months ago.. so it is far easier for me to just ditch it.
If this isn't all you do, you might not be as scared as I am.. I've been doing this since the late 90's and full time as my sole source of income since 2002, so I simply cannot gamble with things like this.. Just don't need the risk...