This is a temporary page while the forums are down.. but I might turn it into an RSS feed, a kind of twitter, to keep you up with what is going on over here.. sixzeros
UPDATE: Oct 10 - Today's patch adds a link under the [Tools] menu called [set password] which places a login popup on top of your comus admin using basic authentication. This blocks access to the files inside your comus admin and blocks potential hackers..

The best tool so far is still a grep for 'eval' (see below), then inspecting and quarantining the files it finds; so far it's found all kinds of hacks on the systems that are not even related to comus, i.e. wordpress and other script exploits. Be careful of course that you don't delete or modify important files. I'm flat out, but if you want to hire me to log in and audit your system for possible exploits.. hit me up in the ticket system.

UPDATE: Oct 09 - late day.. I released another patch to enable basic auth passwords for comus.. I realized when I woke up that the standard installer from within the Comus admin won't actually install the password authentication. Instead, to get that activated you'll need to use the installct.php method: place the installct.php file into your /ct folder and run the [UPGRADE] option instead of the [INSTALL] option. You will come to a page that asks you to set up passwords for comus; choose a user name and then a password. Now when comus loads a login popup will appear, and you'll then have the standard login for comus as well.. this protects your templates and your admin folders, and if the hackers have left any backdoors anywhere in your /ct folder, they won't be able to get access to them.
UPDATE: Oct 09 - I found another hole last night and released a new patch, I'll keep you posted with updates here.. - sixzeros


UPDATE: Oct 08 - There's a new Security Patch for Comus up to fix the latest hacking... if you have trouble installing or upgrading then log into the epower trouble ticket system and get hold of us there.. while we fix the hacked forum and move the rest of our sites over to a new server. And please allow us up to 12 hours to respond, we need sleep and food, coding time and time to help everyone out.

Epower / Comus Ticket System

The forums will be up again shortly....

UPDATE: Oct 4
Sorry, we've been battling a hacking for several days now.. they've compromised a lot of files, and we found a back door in the forum, so when I know it's safe I'll get it back up, shortly after we release the new security patch for comus.

Knock on wood, we do seem to have control of the server again... but we're still moving and securing things on the box, and still finding surprises..

We've been making some patches to comus to close what has been identified as the entry point. The current beta is stable, and you can install that if you need a quick solution; a full release should be up tomorrow after I test things fully and add a few new security features.

If you've been affected by this attack you will want to do at least the following..
1. Locate and remove any trojan files.
2. Secure your system.
3. Repair your status with google and get your domains cleared and off blacklists.

1. LOCATING THE TROJAN FILES:
The attack seems to target every php, shtml, html, txt, tmpl and inc file it can, and also drops backdoor .php files with random names on the system, and it seems to replicate itself all over the server by finding writable files to modify.. It doesn't always inject itself successfully and will break files.. there are several things you can look for..
1. files that start with <?php $s=
2. files that contain <script> /**
3. files that contain 'eval' (this one can create a lot of false hits, but you can sift through them and find what should and shouldn't be there)

I used the following scripts via SSH to find damaged files...
Create a file called findit and place this in it... the script will search recursively through all directories and tell you which files are infected..

This may not be the most elegant solution, as it might quarantine scripts that you actually want to keep, but you can quickly vaccinate your pages by just putting all <script> tags into quarantine.


The above script vaccinates a single folder.. you can then use the following to search for the vaccinations and edit them out..

Next take a close look at all those 'eval' containing files, you might find a trojan or potential trojan that you were not aware of.
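Added example (not the author's findit or quarantine scripts, which are not shown on this page): a POSIX sh scan for the three indicators listed above, a quarantine step that comments out <script> blocks and leaves a marker you can grep for later, and a constructed sample tree to try it on. The function names and the QUARANTINED marker are my own.

```shell
# find_infected DIR : print "path<TAB>indicator" for each candidate file.
#   INJECTED-PHP   file begins with '<?php $s='        (high confidence)
#   SCRIPT-INJECT  file contains '<script> /**'         (high confidence)
#   EVAL-REVIEW    file contains 'eval'                 (noisy, review by hand)
find_infected() {
    find "$1" -type f \( -name '*.php' -o -name '*.shtml' -o -name '*.html' \
        -o -name '*.txt' -o -name '*.tmpl' -o -name '*.inc' \) -print |
    while IFS= read -r f; do
        if [ "$(head -c 9 "$f")" = '<?php $s=' ]; then
            printf '%s\tINJECTED-PHP\n' "$f"
        elif grep -q '<script> /\*\*' "$f"; then
            printf '%s\tSCRIPT-INJECT\n' "$f"
        elif grep -q 'eval' "$f"; then
            printf '%s\tEVAL-REVIEW\n' "$f"
        fi
    done
}

# quarantine_scripts FILE : keep FILE.bak, then wrap every <script>...</script>
# in an HTML comment tagged QUARANTINED so it stops executing but stays
# greppable (grep -rl QUARANTINED .) for later review and removal.
quarantine_scripts() {
    cp -p "$1" "$1.bak" &&
    sed -e 's|<script|<!-- QUARANTINED <script|g' \
        -e 's|</script>|</script> QUARANTINED -->|g' "$1" > "$1.tmp" &&
    mv "$1.tmp" "$1"
}

# count_quarantined FILE : number of QUARANTINED markers (two per block).
count_quarantined() {
    grep -o 'QUARANTINED' "$1" | wc -l | tr -d ' '
}

# make_sample DIR : constructed sample tree (not real infected files) to try
# the functions on: one injected PHP file, one injected HTML file, one
# harmless 'eval' hit, one clean file and one file type the scan ignores.
make_sample() {
    mkdir -p "$1/sub"
    printf '<?php $s="x"; echo 1; ?>\n' > "$1/bad.php"
    printf '<html><script> /** c */ var a=1;</script></html>\n' > "$1/sub/index.html"
    printf '<?php echo eval_safe("ok"); ?>\n' > "$1/maybe.inc"
    printf '<?php echo "clean"; ?>\n' > "$1/clean.php"
    printf 'ignored\n' > "$1/notes.md"
}
```

Run `find_infected /path/to/webroot` first and read through the EVAL-REVIEW hits by hand before quarantining anything, since legitimate code also contains that string.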

2. SECURING YOUR SYSTEM:
The exploit reportedly comes in via the /ct/admin/menu.php file, so we patched it in the beta release and effectively removed it. Somehow they were able to place files on the system, and from there they replicate themselves all over the server by targeting readable/writable files. You can avoid attacks like this with basic authentication security... see here (all about basic authentication). You want to secure the /ct/admin and /ct/templates folders with a password. The new patch will have an option to do this..
TIP: a quick fix for comus users that use epower.. copy the .htaccess from your /ept/eptadmin folder into your /ct/admin and /ct/templates folders; your epower login will then also block access to your comus admin, and worms like this will not have an easy time accessing your comus admin at all.

BLOCKING CHINA: A lot of the attacks are coming from compromised machines in China. As I've never done any business of any value with China that I'm aware of, and most of us are never likely to sell any subscriptions to China and Chinese-speaking customers, we decided to completely block China from our servers..
We installed the APF firewall..
Then we pulled the Chinese block list from http://www.wizcrafts.net/chinese-iptables-blocklist.htm While we were at it, we added the Spamhaus spam lists.. if you don't have root access then you can pull the wizcrafts .htaccess blocklist and paste it into your .htaccess files.. .htaccess files to block china


MORE SECURE FILE PERMISSIONS:
It should be possible for comus to run fine as long as the /ct/templates folder and the /ct/dat folder are writable and all other files are non-writable.. there should be .htaccess files within these data folders that block them from being viewed by the web. You will notice there are ALLOW FROM directives within these .htaccess files; this is okay, they are the values you entered into your access_control.php files.
you can try this..

Once you have set these permissions, most sites will not upgrade via the upgrade links inside the comus admin; you will have to download the tars and update the script via SSH instead, or use the method I usually use, which is to temporarily set the whole /ct/ path to 777, using
#chmod 777 ct -Rf
then run the web update, and then set the permissions back to secure using the above method. I'm working on a new installer that will let you install using FTP and SSH. This should stop potential hackers from modifying the admin files if they get access to other parts of the server.
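Added example covering both the basic-authentication advice under 2. SECURING YOUR SYSTEM and the permission layout just described; these are my own POSIX sh functions, not the author's commands (the page does not show them). It assumes the standard /ct layout, that an htpasswd file already exists at the path you pass in (created with Apache's htpasswd, as per the basic authentication link above), and that PHP runs as the file owner (suPHP style).

```shell
# write_basic_auth DIR PASSFILE : append Basic-auth directives to DIR/.htaccess
# (appending keeps any existing Deny/Allow lines); skipped if already present.
write_basic_auth() {
    grep -qs 'AuthType Basic' "$1/.htaccess" && return 0
    cat >> "$1/.htaccess" <<EOF
AuthType Basic
AuthName "Comus admin"
AuthUserFile $2
Require valid-user
EOF
}

# lock_permissions CT : everything under CT read-only except templates/ and
# dat/. Directories keep search (x) permission so Apache can still traverse.
# 644/755 assumes PHP runs as the file owner; if it runs as a separate user,
# give that user's group write access on templates/ and dat/ instead.
lock_permissions() {
    find "$1" -type d -exec chmod 555 {} +
    find "$1" -type f -exec chmod 444 {} +
    for w in "$1/templates" "$1/dat"; do
        [ -d "$w" ] || continue
        find "$w" -type d -exec chmod 755 {} +
        find "$w" -type f -exec chmod 644 {} +
    done
}

# mode_of PATH : symbolic mode column of ls, e.g. -r--r--r-- (GNU and BSD).
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# secure_comus CT PASSFILE : password-protect admin/ and templates/, then lock
# the permissions down (auth first, while the directories are still writable).
secure_comus() {
    write_basic_auth "$1/admin" "$2" &&
    write_basic_auth "$1/templates" "$2" &&
    lock_permissions "$1"
}
```

To upgrade afterwards, make the tree writable again, run the update, and call `lock_permissions /path/to/ct` once more.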

3. REPAIR STATUS WITH GOOGLE
When you get hacked like this you can get blacklisted on google, but it's not too hard to get that cleared up, and it might actually improve your standing with them.. Go to google, open an account and then locate the 'webmaster tools'. Submit your site for review.. and just follow the instructions once you've submitted your site.. Now would be a good time to create a robots.txt file and a sitemap.xml file, and generally clean your site up.. Make sure you've got your site cleaned up, and run a quick scan on your database. I removed my toplists temporarily during the review phase, just in case any of the sites I was linked to were also hacked. For those of you trading traffic that's a tough audit; you can go through your toplist and run a check on all the sites on your list by feeding them into google and only keeping the ones that are not blocked.


I'll have more for you over the coming week, as I get this more under control..

Regards, Tony.