Hi to everyone.
1. About the 'buggy' scanner. This fuckin Kirgizian hacker changed the scanner itself, so it can't find some wrong files, like filter.php or tpupdater.php. Moreover, tpupdater can't update these important files because it's 'fixed' too.
The current file size of tpupdater.php is 14722 bytes (you can check it with the scanner). If this size matches your current one, you're able to update the script to the latest build. If the size doesn't match, you have to use tpupdater.php from our server, and your 'problem' has old 'roots'.
For those who get hacked over and over again: I need your server logs to understand which hole is being used, because it seems I left some shit uncleaned. After analyzing these logs I'll know how to protect the servers once and forever.
"I found a number of iframes and javascripts in pt_request - which appears to be a partner request form. Since they aren't validating info there, I would suspect they aren't validating it anywhere."
All info from the requests is htmlspecialchars'ed at least, so it can't be run in any case.
Anyway, please provide me as much info as you can get, both logs and pt_requests. Your help is very much appreciated.
Next. I'm gonna code (95% done) an external scanner (not for tp's files only). You'll run this scanner and it will scan all directories on the server recursively, searching for shells and other shit using our signatures DB.
1. Now I'm waiting for logs to analyze; only after this step can I clean the shit permanently.
2. If you can't update your copies (tpupdater filesize mismatch), please use our http://www.scriptpulse.com/tpupdater.zip for the quick script repair.
My email is kildoozer@scriptpulse.com