GoFuckYourself.com - Adult Webmaster Forum

Thread: Comus Thumbs Backdoor/Trojan: Don't be reading this now, then post next week crying. (https://gfy.com/showthread.php?t=931492)

Naughty-Pages 10-04-2009 09:45 AM

Comus Thumbs Backdoor/Trojan: Don't be reading this now, then post next week crying.
 
Just imagine losing ALL Google SE traffic and ALL Firefox surfer traffic on ALL of your sites OVERNIGHT!! Potentially for days, weeks, even months.. (it could happen to you).

There are a few threads circulating around about Comus Thumbs being vulnerable (again) to a backdoor/trojan issue:

I got hit... (FYI.. I have multiple servers, but out of the 250+ sites on the server I had my only copy of Comus on, only about 35-40 or so other sites got infected before I was able to catch it...)

BUT it jumped to over 18 different master accounts on that server.. because of that, it made it extremely frustrating and time consuming to remove...

Anywhoo..
This thread has some info on how to remove the backdoors/trojans:
Secure/Delete your Comus Installation, ALL HTML/PHP Files on Server infected (credit to hjnet)

My approach was slightly different; I used these two commands to search:
a) grep -R "6966202873" * > list_of_backdoor_files
b) grep -R "59} else if" * > list_of_infected_files

My second scan for infected files (b) is different from what was in the thread I mentioned because, with the help of my host, we found that the code mutated spontaneously and the code you were using did not always catch them...

I think that because many of my toplists that were infected were set to re-rank every 10 minutes, the mutation was more noticeable.

This is not just about the hassle of finding/removing the backdoors/trojans and losing traffic until you figure it out... The sucky part about all of this is Google (safebrowsing.clients.google.com) flagged a bunch of my sites before I could remove the trojans, thereby killing the traffic on at least 8-10 or so of them. (Not only killed SE traffic by saying my site will harm your computer in the search engine results pages, but also Firefox users get a big red warning screen, so the toplists are pretty much dead as far as surfers using Firefox, except for IE surfer traffic.)

Now I have to go request that the flagging be removed.. I wonder how long that will friggin take??????????? (This is where my first line comes in about losing that traffic for days/weeks/months).

Never going back to Comus... that was not a fun ordeal.. took several days to narrow it down and then 2 days to remove (1 of which was figuring it out)... between the lost work time and lost traffic this was kind of expensive.

Anyone who has Comus thumbs really should not gamble with keeping the script with the "Wait and See" attitude.. (especially if you have your own servers with multiple sites on them)...

This could potentially put some people completely out of business.. :(

Even though it hurt me, I got lucky... I only had one copy of Comus on one server, but if I had had it on all of my servers, and had been on vacation giving it time to spread to all of my sites (nearly 1000 sites), that would have killed me.

Don't be reading this today and then posting here next week crying...
:Oh crap
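
The two grep sweeps in the post above, as an added example (my code, not code from the post and not part of Comus): the same signature search wrapped in POSIX shell functions, plus two checks that do not depend on a fixed string, since the post says the injected code changed between sweeps. The two signature strings are the ones the post grepped for; the directory paths, the "clean copy" location and the sample files are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not code from the post or from Comus). Assumes the server
# root is passed in; the signature strings are the two the post grepped for.

# scan_signatures DIR SIG [SIG...]
# Prints "SIG<TAB>FILE" for each regular file under DIR containing SIG.
# -F treats SIG literally, so "}" and "(" inside a signature are not regex
# metacharacters; -l prints a file once per signature, not once per hit.
scan_signatures() {
  dir=$1
  shift
  for sig in "$@"; do
    grep -rlF -- "$sig" "$dir" 2>/dev/null | while IFS= read -r f; do
      printf '%s\t%s\n' "$sig" "$f"
    done
  done
}

# recently_changed DIR DAYS
# Web files modified within the last DAYS days. A mutated copy that no
# signature matches still had to be written to disk, so this is a second
# net; mtimes can be forged (as the thread notes), so treat hits as leads.
recently_changed() {
  find "$1" -type f \( -name '*.php' -o -name '*.html' -o -name '*.htm' \) \
    -mtime "-$2" 2>/dev/null
}

# baseline_diff CLEAN LIVE
# Compares a pristine copy of the script (fresh download, or a backup from
# before the incident) against the deployed tree. Every "differ" line is a
# modified file and every "Only in LIVE" line is a file the install never
# shipped; both deserve a look regardless of what signature is in fashion.
baseline_diff() {
  diff -rq "$1" "$2" || :   # diff exits 1 when the trees differ; that is the point
}

# Usage on a real server (the post kept these lists by hand):
#   scan_signatures /home 6966202873 '59} else if' > list_of_infected_files
#   recently_changed /home 7 > recently_changed_files
#   baseline_diff /root/comus-clean /home/site/public_html/ct > comus_changes
```

The baseline comparison is the one that survives mutation: a signature only finds what you already saw, while a diff against a known-good copy flags any byte that changed, including a re-injected payload with a different encoding.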

Twig 10-04-2009 09:51 AM

fuck your avatar is sexy

hjnet 10-04-2009 09:54 AM

Good to mention this again, the Google Warning gets removed rather quickly, took ~24h for MOST of my sites, unfortunately for one of my sites it took almost 2 weeks.....

Naughty-Pages 10-04-2009 10:10 AM

Quote:

Originally Posted by hjnet (Post 16389856)
Good to mention this again, the Google Warning gets removed rather quickly, took ~24h for MOST of my sites, unfortunately for one of my sites it took almost 2 weeks.....

~24h? that's not too bad.. I've got quite a few blocked, I hope I don't get any of those with a 2 week block...

Quote:

Originally Posted by Twig (Post 16389849)
fuck your avatar is sexy

Thanks man.. I can shoot some content of her if ya need some ;) (problem is lately her availability has been kinda sucky).. :(

BlueDude 10-04-2009 10:34 AM

comus already lost a great deal of webmasters.

boneless 10-04-2009 11:02 AM

From what I know, Tony is working on it; he found where they possibly came in and is removing the files/dependencies.

The forum is currently offline as they hit that one as well.

I'm trying to get him to work as fast as possible on it, but it's a hell of a job. It also involves thinning Comus out to the pure basics of the script, namely a thumb rotator, nothing more and nothing less.

He also had to move the license admin because of the hacks, and that is one hell of a beast to move around.

Google is fast in removing the sites from blocked to unblocked; it takes less than 12 hours if done properly.

Marcus Aurelius 10-04-2009 11:05 AM

Bump for the cause. good luck to all affected webmasters.

cykoe6 10-04-2009 11:13 AM

Delete your Comus installs right away or you will be totally fucked. I caught them a few hours after they hit me and was able to straighten it out pretty quickly but it can really fuck your shit up bad.

Naughty-Pages 10-04-2009 11:42 AM

Quote:

Originally Posted by boneless (Post 16390171)
google is fast in removing the sites from blocked to unblocked, takes less then 12 hours if done properly.

Final count on what was blocked was only 13 sites out of the batch of infected sites. Just finished submitting the requests.. 12 hours (or even the 24 mentioned before) would be sweet.

even if it is 12 to 24 hours, I'm sure if any webmasters who have toplist accounts visit the toplists, they'll probably pull their links, even though the infections were removed, due to the warning in firefox.. :(

I guess I can't complain too much, it could have been far worse had I not caught it when I did, or if I had Comus on all of my servers.

beta-tester 10-04-2009 12:12 PM

I don't know how you people got infected. Was it your computer, and then when accessing the server via FTP it spread there too? I myself never had problems with Comus Thumbs, and I believe that's because I keep my server very clean and maintained properly. Among all the security mechanisms I've implemented there, I have mod_security on Apache, and a few password-protected directories where Comus resides.

I also have ClamAV for scanning and removing infected files. So far, only one account on the server got infected, and that's my friend's account; he had his computer infected. But all my sites are totally ok.

That's why I am wondering how the hell did you get hit by this shit? What security hole is exploited on comus, from where?

Naughty-Pages 10-04-2009 12:24 PM

Quote:

Originally Posted by beta-tester (Post 16390554)
I don't know how you people got infected? Was it your computer and then when accessing the server via FTP it spread there too? I myself, never had problems with comus thumbs and I believe that's because I keep my server very clean and maintained properly. Among all the security mechanisms I've implemented there I have mod_security on apache, and few password protected directories where comus resides.

I also have clamAV for scanning and removing infected files. So far, only one account on the server got infected, and that's my friend's account who had his computer infected. But all my sites are totally ok.

That's why I am wondering how the hell did you get hit by this shit? What security hole is exploited on comus, from where?

It is not an infected PC issue (scanned all my systems twice with 2 different AV scanners and also spybot.. I'm not a noob, owned a computer shop for 7 years, sold it and then did computer networking and security for multiple government offices before switching to doing adult shit full time).

It is not an FTP issue (checked all FTP logs, nothing other than my IP and everything was exactly what I had uploaded/downloaded).

I ran ClamAV when I first noticed the problem, it picked up shit.. it found nothing even though the server was infected.

"Somewhere" in Comus is a vulnerability which allows backdoor files to be created, then those backdoors create the trojans across the server.

If you have not been hit, it is simply because your script has not yet been targeted. It could be an hour from now, a week from now, a year from now, or never. Just because it is vulnerable does not mean you WILL get infected.. it just means it's possible.. but if I were a betting man, I would say it will probably happen sooner or later to you.

Comus Thumbs' site has been messed up for some time, and then this issue occurred.. with no mention from them about what's up, with the exception of boneless commenting in a few threads that they are trying to deal with it.

Dennis69 10-04-2009 12:30 PM

Fucking piece of shit Comus... I got hit as well... thousands of galleries etc! Fuck the free/skim traffic traders for this guy! What pisses me off is I love Epower.. bought it years ago, but guess who bought that from Epower... anything that has to do with Comus creators is coming off my servers!!!!

boneless 10-04-2009 12:37 PM

Quote:

Originally Posted by Dennis69 (Post 16390599)
Fucking peice of shit Comus... I got hit as well... thousands of galleries etc! Fuck the free/skim traffic traders for this guy! Pisses me is I use love Epower.. bought it years ago but guess who bought that from Epower... anything that has to do with Comus creators is coming off my servers!!!!

So what's the issue then with Epower? Maybe think before ya post, mate... Epower still works like it always has...

Dennis69 10-04-2009 12:49 PM

Quote:

Originally Posted by boneless (Post 16390620)
so whats the issue then with epower? maybe think before ya post mate... epowerstill works like it allways has...

Epower was awesome but when Comus bought it they changed some stuff around... and right now anything that Comus touches I don't trust! I've got nothing against the ORIGINAL Epower script :thumbsup

boneless 10-04-2009 12:52 PM

Quote:

Originally Posted by Dennis69 (Post 16390648)
Epower was awesome but when Comus bought it they changed some stuff around... and right now anything that Comus touches I don't trust! I've got nothing against the ORIGINAL Epower script :thumbsup

So what changed? The fact that Epower now runs from an ept dir? Has an auto-upgrade function? Easier licensing system? Or something else I missed as being the tech support for Epower?

Dennis69 10-04-2009 01:00 PM

Quote:

Originally Posted by boneless (Post 16390653)
so what changed? the fact that epower now runs from an ept dir? has an auto upgrade function? easier licensing system? or something else i missed as being the tech support for epower?

Cool... wish I would have found you after Comus bought the script and I did their upgrade; I never got it to work right for me anymore!

18teens 10-04-2009 01:06 PM

I'm just glad I heeded the warnings about Comus a few weeks ago and got rid of it.

Spudman 10-04-2009 01:12 PM

I really don't see why tony is bothering to work on comus, its name has been dragged through the mud so badly now no one is going to be stupid enough to touch it again. :2 cents:

beta-tester 10-04-2009 01:14 PM

Quote:

Originally Posted by Naughty-Pages (Post 16390584)

"Somewhere" in Comus is a vulnerability which allows backdoor files to be created, then those backdoors create the trojans across the server.

If you have not been hit, it is simply because your script has not yet been targetted. It could be an hour from now, a week from now, a year from now, or never. Just because it is vulnerable, does not mean you WILL get infected.. it just means it's possible.. but if I were a betting man, I would say it will probably happen sooner or later to you.

Comus thumbs site has been messed up for some time, and then this issue occured.. with no mention from them about what's up, with the exception of boneless commenting in a few threads that they are trying to deal with it.

Hmm.. do you have mod_security installed on your apache? Also, do you know which comus files are directly hit with this infection? Meaning, which files you first noticed that had malicious code in?

I am not playing with this, but i want to make sure comus is really vulnerable.

boneless 10-04-2009 01:37 PM

Quote:

Originally Posted by beta-tester (Post 16390690)
Hmm.. do you have mod_security installed on your apache? Also, do you know which comus files are directly hit with this infection? Meaning, which files you first noticed that had malicious code in?

I am not playing with this, but i want to make sure comus is really vulnerable.

From what I gathered, menu.php in the admin dir gets attacked. Since I run 100s of installations it would be mad work to get them all switched in a short time span, so I worked around it:

- Delete menu.php from the admin dir
- htpasswd-protect the admin dir

I noticed lots of peeps not affected; they all had their admin dir htpasswd-protected.

regards,

Ed

boneless 10-04-2009 01:39 PM

Quote:

Originally Posted by Dennis69 (Post 16390669)
Cool... wish I would of found you after Comus bought the script and I did there upgrade and I never did it to work right for me anymore!

Perhaps you made a mistake when you upgraded, can happen to anyone, but saying you need to ditch Epower because Comus has a problem right now is just plain stupid.

beta-tester 10-04-2009 01:44 PM

Quote:

Originally Posted by boneless (Post 16390742)
From what I gathered, menu.php in the admin dir gets attacked. Since I run 100s of installations it would be mad work to get them all switched in a short time span, so I worked around it:

- Delete menu.php from the admin dir
- htpasswd-protect the admin dir

I noticed lots of peeps not affected; they all had their admin dir htpasswd-protected.

regards,

Ed

I've had my admin dir protected for 2 years now. I realized from looking at audit logs (mod_security) that a lot of admin files get hit by bots trying to execute SQL injection. Then I protected it with htaccess, and those problems were gone. menu.php might be the one hit because it contains an iframe of Comus' website, and an attacker can, by exploiting something on Comus' site, affect the Comus installation.

Naughty-Pages 10-04-2009 02:20 PM

Quote:

Originally Posted by beta-tester (Post 16390690)
Hmm.. do you have mod_security installed on your apache? Also, do you know which comus files are directly hit with this infection? Meaning, which files you first noticed that had malicious code in?

I am not playing with this, but i want to make sure comus is really vulnerable.

mod_security is set by default on all of our servers..

And as far as which file was hit first, I cannot tell you.. I was traveling out of state the week that it happened and my time online was limited.. Because of my limited time, to begin with I was frantically removing everything I could (which then just came back).

Had I not been traveling I would have taken the time to notice time stamps, etc (although those can also be faked).

I did not narrow it down to Comus until a few days ago, when I was searching for a solution and noticed that others using Comus were having the same exact issue and that most of the backdoors were in Comus (although they had spread to dozens of other sites, those other sites only had about 1-3 backdoor files).

And the deciding factor (aside from what everyone else is saying) was that I was not able to begin to remove the backdoors and trojans permanently until I deleted Comus.

You can take boneless/Ed's advice to try to secure it if you want, I just know that the risks for me far outweigh the benefits.. Maybe I would feel differently if I had 100 sites running Comus and had to worry about the labor involved to convert them over to some other script.. but I only had one Comus script that I had just setup like 3 months ago.. so it is far easier for me to just ditch it.

If this isn't all you do, you might not be as scared as I am.. I've been doing this since the late 90's and full time as my sole source of income since 2002, so I simply cannot gamble with things like this.. Just don't need the risk...

Naughty-Pages 10-04-2009 02:22 PM

Quote:

Originally Posted by beta-tester (Post 16390759)
Menu.php might be on the hit because it contains iframe of comus' website, and attacker can, by exploiting something on comus' site, affect the comus installation.

Well.. I dunno.. but I do know that this time Comus's site had issues right before all of this went down..

Naughty-Pages 10-04-2009 05:11 PM

Quote:

Originally Posted by boneless (Post 16390742)
From what I gathered, menu.php in the admin dir gets attacked. Since I run 100s of installations it would be mad work to get them all switched in a short time span, so I worked around it:

- Delete menu.php from the admin dir
- htpasswd-protect the admin dir

I noticed lots of peeps not affected; they all had their admin dir htpasswd-protected.

regards,

Ed

Ed, not being an ass, but why is he not informing people or posting something on his website.. If he wanted to protect his rep, some personal damage control would be helpful... as well as making public on his site some measures people can take to remove infections and/or prevent them until he can fix shit.

pornpf69 10-04-2009 05:49 PM

I just hope they can solve this issue as fast as possible because they will get ruined if they don't...

Naughty-Pages 10-04-2009 08:16 PM

Quote:

Originally Posted by pornpf69 (Post 16391362)
I just hope they can solve this issue as fast as possible because they will get ruined if they don't...

They probably already are ruined.. mainly because they have not focused on any PR issues.. and when I say PR, I am not talking about Google PageRank but instead public relations...

No public notifications to help people solve the problem, nor any warnings on their site or elsewhere....

makes them seem not too focused on customer service, so in the end their lack of response could be a death sentence..

katharos 10-04-2009 08:40 PM

all firefox surfer traffic ... then i am done reading ...

boneless 10-04-2009 08:52 PM

Quote:

Originally Posted by pornpf69 (Post 16391362)
I just hope they can solve this issue as fast as possible because they will get ruined if they don't...

Tony is atm working on it and prolly tonight an interim fix will be presented. The problem we are facing is that the attack was also aimed at the Comus box, and specifically the license admin, FTP server, sendmail and a few other thingies.

Tony is working around the clock on it; he just doesn't like to get mixed in all the drama atm surrounding the issue.

I have been sending him messages with all the board threads and he is aware of all the issues peeps had.

For now he just tries to focus on the dev of the script and mainly figuring out how they got in. We looked at the menu.php code and, according to us, there's 0 that can be exploited.

In the first beta that is going out tonight menu.php is removed. Plus there will be some minor tweaks on it.

Just a FYI the menu.php file is tied into a lot of different files on comus so taking it out is a daunting task.

Hope to have some news shortly for you guys.

regards,

Ed

boneless 10-04-2009 08:55 PM

Also there's gonna be a lot of moving around of folders and files in the script. This is all for added security.

Naughty-Pages 10-04-2009 08:57 PM

Quote:

Originally Posted by katharos (Post 16391685)
all firefox surfer traffic ... then i am done reading ...

google SE results should have been the bigger scare..

beta-tester 10-04-2009 11:13 PM

Quote:

Originally Posted by boneless (Post 16391735)
also theres gonna be a lot of moving around of folders and files in the script. this is all for added security.

I just hope he won't miss something in the process and hence make a bigger problem.

Nurgle 10-04-2009 11:47 PM

unbelievable that this script still has so many fucking holes in it and that Tony never bothered to properly lock down this script after so many attacks over the years

anyone who uses comus still needs their head checked

beta-tester 10-05-2009 01:18 AM

Well, what do you suggest, Nurgle? Just switching over to something else? I've been tweaking my site for years to properly tune it. Also, a sudden change of the link structure would have an evident effect on SE rankings.

But, I think ST does better job in maintaining the productivity than CT, though.

boneless 10-05-2009 05:34 AM

Quote:

Originally Posted by Nurgle (Post 16392004)
unbelievable that this script still has so many fucking holes in it and that Tony never bothered to properly lock down this script after so many attacks over the years

anyone who uses comus still needs their head checked

so i need to get my head checked out, noted it down so i can make an appointment with my doctor later today...

Tony pushed the first beta upgrade out last night when I was sleeping, so my post is a bit late (I tend to sleep at odd hours).

The beta will kill menu.php from the ct folder.

It will copy the .htaccess/.htpasswd from your ept install (if present) to the ct admin dir and the templates folder to make 'em more secure.

These are only temp fixes atm.

The easiest way to make ya secure is to remove menu.php for now and htpasswd the admin dir.

Tony is resting atm after coding for over 18hours and will be going further into the code once he gets up again.
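
The two interim steps boneless gives above (and earlier in the thread), removing admin/menu.php and putting the admin dir behind htpasswd, as an added example written for this page: it is my code, not the Comus beta and not code from the post. It is one function you can run across many installs, plus a check that confirms each one is actually locked. The ct/admin layout, the user name and the /home/*/public_html paths are assumptions.

```shell
#!/bin/sh
# Added example (not the Comus beta, not code from the post). Applies the
# two interim steps from the thread: drop admin/menu.php and put the admin
# dir behind HTTP Basic auth. Layout ("ct/admin") and user name are assumed.

# lock_admin_dir ADMIN_DIR USER PASSWORD
lock_admin_dir() {
  admin=$1; user=$2; pass=$3

  # Step 1: remove the file the thread names as the one being attacked.
  # Copy it somewhere outside the web root first if you need it for reference.
  rm -f "$admin/menu.php"

  # Step 2: password file. Prefer Apache's htpasswd; fall back to openssl's
  # apr1 hash, which is the same format htpasswd writes by default.
  # Note: -c creates/overwrites the file, so this is a first-run script;
  # drop -c (or use "htpasswd -b") when adding a second user later.
  # The file must stay readable by the web server user, and ideally lives
  # outside the document root (AuthUserFile can point anywhere).
  if command -v htpasswd >/dev/null 2>&1; then
    htpasswd -bc "$admin/.htpasswd" "$user" "$pass" >/dev/null 2>&1
  else
    printf '%s:%s\n' "$user" "$(openssl passwd -apr1 "$pass")" > "$admin/.htpasswd"
  fi

  # Step 3: .htaccess. AuthUserFile must be an absolute path. Apache's stock
  # config already refuses to serve .ht* files. This only takes effect if the
  # vhost has "AllowOverride AuthConfig" (or All) for this directory.
  cat > "$admin/.htaccess" <<EOF
AuthType Basic
AuthName "Comus admin"
AuthUserFile $admin/.htpasswd
Require valid-user
EOF
}

# admin_is_locked ADMIN_DIR
# Returns 0 when the dir has both auth files and no menu.php, so the same
# loop can be run before and after the change to find installs that were missed.
admin_is_locked() {
  [ -f "$1/.htaccess" ] && [ -f "$1/.htpasswd" ] && [ ! -e "$1/menu.php" ] &&
    grep -q '^Require valid-user' "$1/.htaccess"
}

# Usage over many installs (assumed layout /home/*/public_html/ct/admin):
#   for d in /home/*/public_html/ct/admin; do lock_admin_dir "$d" admin "$PASS"; done
#   for d in /home/*/public_html/ct/admin; do admin_is_locked "$d" || echo "NOT LOCKED: $d"; done
```

After applying it, request the admin URL once without credentials and confirm you get a 401; if the page still renders, AllowOverride is off for that directory and the .htaccess is being ignored.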

boneless 10-05-2009 05:35 AM

Quote:

Originally Posted by beta-tester (Post 16392137)
But, I think ST does better job in maintaining the productivity than CT, though.

I tend to disagree. I switched an entire box over to Smart Thumbs and prod on smaller sites is simply horrifying. To me it's like ST was designed for bigger sites; small sites tend to have a hard time getting their prod right.

Naughty-Pages 10-05-2009 06:04 AM

Quote:

Originally Posted by Naughty-Pages (Post 16390471)
Final count on what was blocked was only 13 sites out of the batch of infected sites. Just finished submitting the requests.. 12 hours (or even the 24 mentioned before) would be sweet.

even if it is 12 to 24 hours, I'm sure if any webmasters who have toplist accounts visit the toplists, they'll probably pull their links, even though the infections were removed, due to the warning in firefox.. :(

Woke up this morning and all of the sites that were blocked are now unblocked.. ;)

thank god..

tranza 10-05-2009 06:14 AM

Quote:

Originally Posted by Naughty-Pages (Post 16389900)
~24h? that's not too bad.. I've got quite a few blocked, I hope I don't get any of those with a 2 week block...

Thanks man.. I can shoot some content of her if ya need some ;) (problem is lately her availability has been kinda sucky).. :(

http://208.106.250.72/_media/imgs/articles/a79_eye.jpg

beta-tester 10-05-2009 01:17 PM

Quote:

Originally Posted by boneless (Post 16392883)
i tend to disagree, i switched an entire box over to smart thumbs and prod on smaller sites is simply horrifying. To me its like st was designed for bigger sites, small sites tend to have a hard time getting their prod right.

What kind of prod booster do you use on your sites? I tried a wide variety of prod boosters, but categories populated with less than 100 galleries tend to get their thumbs on the site more often, because of spin... I guess I'll have to move all my gals into one big category and set its spin to around 99% and see how it goes.

