I've asked before, so sorry if anyone has posted this, but:
Anyone know of a global command to find and replace code in a file?
In /home I need to search every index.html file and remove a snippet of code.
Something like:
find -name "index.html" -type f -print | xargs grep -e '.*code-here.*http' /dev/null
Thanks!
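One way to do the search-and-remove the post asks for, as an added example (not the original poster's command): it locates every index.html (and, going slightly beyond the question, index.htm, since the FTP logs later in the thread show both being replaced) under a root such as /home that contains a given injected snippet, keeps a copy of each original as FILE.infected for later examination, and strips the snippet. ROOT, PATTERN, the function names and the sample snippet are all assumptions for the example; the snippet is matched as a fixed string on a single line, which fits the one-line iframe appended to the end of the file that the thread describes.

```shell
#!/bin/sh
# Added example, not code from the thread: find and clean index files that
# carry a literal injected snippet. Run as:
#   sh clean_index.sh /home '<iframe src="http://bad.example/x.html"></iframe>'

# Print each index file under ROOT that contains the literal snippet.
find_infected() {   # usage: find_infected ROOT PATTERN
    [ -n "$2" ] || return 1            # an empty pattern would match every file
    find "$1" -type f \( -name 'index.html' -o -name 'index.htm' \) \
        -exec grep -lF -- "$2" {} +
    return 0                           # grep exits 1 for "no match"; not an error here
}

# Turn a literal string into a pattern that sed's s/// matches literally
# (escapes ] [ \ . * ^ $ and the / delimiter).
escape_re() {
    printf '%s' "$1" | sed 's/[][\.*^$/]/\\&/g'
}

# Remove the snippet from one file, leaving the original as FILE.infected
# so the injected code can still be examined afterwards.
clean_file() {   # usage: clean_file FILE PATTERN
    re=$(escape_re "$2")
    cp -p "$1" "$1.infected" || return 1
    sed "s/$re//g" "$1.infected" > "$1"
}

# Clean every infected index file under ROOT; prints each file it cleaned.
clean_tree() {   # usage: clean_tree ROOT PATTERN
    find_infected "$1" "$2" | while IFS= read -r f; do
        clean_file "$f" "$2" && printf '%s\n' "$f"
    done
}

# Command-line entry point; does nothing when sourced without arguments.
if [ $# -ge 2 ]; then
    clean_tree "$1" "$2"
fi
```

Because the snippet is removed as a substring rather than by deleting whole lines, legitimate markup sharing the last line (a trailing `</html>`, for instance) survives; a snippet that spans several lines would need a multi-line tool instead of sed.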
Not sure if it's exactly what you're looking for, but I used this script posted by dgbaker a while back:
http://forums.cpanel.net/showpost.ph...66&postcount=2
After digging and digging I came up with 2 IP addresses that I am almost 100% sure are linked to this exploit, at least on my servers.
66.36.229.160
58.65.239.42
Thought it would be a good idea to inform others too.
Thanks for posting the IPs, however the fact is hackers are endlessly hopping from IP to IP from which to perform their exploits, so no matter how many IPs are blocked off there are always new ones that will be used... ad infinitum (practically).
After updating ALL passwords to much more difficult passwords, only 3 sites were hacked into. Not sure whether it was before or after the password change.
/var/log/messages
Apr 5 14:26:21 web1 pure-ftpd: (?@58.65.239.42) [INFO] New connection from 58.65.239.42
Apr 5 14:26:21 web1 pure-ftpd: (?@58.65.239.42) [WARNING] Authentication failed for user [quickse]
Apr 5 14:26:25 web1 pure-ftpd: (?@58.65.239.42) [INFO] New connection from 58.65.239.42
Apr 5 14:26:26 web1 pure-ftpd: (?@58.65.239.42) [WARNING] Authentication failed for user [terryd6]
Apr 5 14:26:27 web1 pure-ftpd: (?@58.65.239.42) [INFO] Logout.
Apr 5 14:26:30 web1 pure-ftpd: (?@58.65.239.42) [INFO] New connection from 58.65.239.42
Apr 5 14:26:30 web1 pure-ftpd: (?@58.65.239.42) [WARNING] Authentication failed for user [hondekl]
Apr 5 14:26:31 web1 pure-ftpd: (?@58.65.239.42) [INFO] Logout.
Apr 5 14:26:35 web1 pure-ftpd: (?@58.65.239.42) [INFO] Logout.
Apr 5 14:26:36 web1 pure-ftpd: (?@58.65.239.42) [INFO] New connection from 58.65.239.42
Apr 5 14:26:37 web1 pure-ftpd: (?@58.65.239.42) [WARNING] Authentication failed for user [praisef]
Apr 5 14:26:37 web1 pure-ftpd: (?@58.65.239.42) [INFO] New connection from 58.65.239.42
Apr 5 14:26:38 web1 pure-ftpd: (?@58.65.239.42) [INFO] malkael is now logged in
Apr 5 14:26:40 web1 pure-ftpd: (malkael@58.65.239.42) [NOTICE] /home/malkael///public_html/index.htm downloaded (18163 bytes, 1173.50KB/sec)
Apr 5 14:26:40 web1 pure-ftpd: (?@58.65.239.42) [INFO] Logout.
Apr 5 14:26:42 web1 pure-ftpd: (malkael@58.65.239.42) [NOTICE] /home/malkael//public_html/index.htm uploaded (18842 bytes, 24.48KB/sec)
Apr 5 14:26:43 web1 pure-ftpd: (malkael@58.65.239.42) [NOTICE] /home/malkael///public_html/index.html downloaded (12101 bytes, 92271.24KB/sec)
Apr 5 14:26:44 web1 pure-ftpd: (malkael@58.65.239.42) [NOTICE] /home/malkael//public_html/index.html uploaded (12780 bytes, 20.78KB/sec)
Apr 5 14:26:45 web1 pure-ftpd: (?@58.65.239.42) [INFO] New connection from 58.65.239.42
Apr 5 14:26:45 web1 pure-ftpd: (malkael@58.65.239.42) [INFO] Logout.
Apr 5 14:26:45 web1 pure-ftpd: (?@58.65.239.42) [WARNING] Authentication failed for user [homewor]
Apr 5 14:26:46 web1 pure-ftpd: (?@58.65.239.42) [INFO] New connection from 58.65.239.42
Apr 5 14:26:47 web1 pure-ftpd: (?@58.65.239.42) [WARNING] Authentication failed for user [action]
Apr 5 14:26:47 web1 pure-ftpd: (?@58.65.239.42) [INFO] New connection from 58.65.239.42
Apr 5 14:26:48 web1 pure-ftpd: (?@58.65.239.42) [WARNING] Authentication failed for user [vipbin7]
Apr 5 14:26:49 web1 pure-ftpd: (?@58.65.239.42) [INFO] New connection from 58.65.239.42
Apr 5 14:26:49 web1 pure-ftpd: (?@58.65.239.42) [WARNING] Authentication failed for user [western]
Apr 5 14:26:51 web1 pure-ftpd: (?@58.65.239.42) [INFO] Logout.
Apr 5 14:26:52 web1 last message repeated 2 times
Apr 5 14:26:53 web1 pure-ftpd: (?@58.65.239.42) [INFO] New connection from 58.65.239.42
Apr 5 14:26:53 web1 pure-ftpd: (?@58.65.239.42) [WARNING] Authentication failed for user [therfid]
Apr 5 14:26:54 web1 pure-ftpd: (?@58.65.239.42) [INFO] Logout.
Apr 5 14:26:59 web1 pure-ftpd: (?@58.65.239.42) [INFO] Logout.
Apr 5 14:27:02 web1 pure-ftpd: (?@58.65.239.42) [INFO] New connection from 58.65.239.42
Apr 5 14:27:03 web1 pure-ftpd: (?@58.65.239.42) [WARNING] Authentication failed for user [wanniap]
Apr 5 14:27:03 web1 pure-ftpd: (?@58.65.239.42) [INFO] New connection from 58.65.239.42
Apr 5 14:27:04 web1 pure-ftpd: (?@58.65.239.42) [WARNING] Authentication failed for user [samex4d]
Apr 5 14:27:05 web1 pure-ftpd: (?@58.65.239.42) [INFO] New connection from 58.65.239.42
Apr 5 14:27:05 web1 pure-ftpd: (?@58.65.239.42) [WARNING] Authentication failed for user [newvoic]
Apr 5 14:27:08 web1 pure-ftpd: (?@58.65.239.42) [INFO] Logout.
Apr 5 14:27:09 web1 pure-ftpd: (?@58.65.239.42) [INFO] New connection from 58.65.239.42
Apr 5 14:27:09 web1 pure-ftpd: (?@58.65.239.42) [WARNING] Authentication failed for user [jimmy8e]
Apr 5 14:27:10 web1 pure-ftpd: (?@58.65.239.42) [INFO] Logout.
Apr 5 14:27:10 web1 pure-ftpd: (?@58.65.239.42) [INFO] New connection from 58.65.239.42
Apr 5 14:27:10 web1 pure-ftpd: (?@58.65.239.42) [WARNING] Authentication failed for user [jimmy8c]
Apr 5 14:27:11 web1 pure-ftpd: (?@58.65.239.42) [INFO] Logout.
Apr 5 14:27:11 web1 pure-ftpd: (?@58.65.239.42) [INFO] New connection from 58.65.239.42
Apr 5 14:27:11 web1 pure-ftpd: (?@58.65.239.42) [INFO] forefro is now logged in
Apr 5 14:27:13 web1 pure-ftpd: (?@58.65.239.42) [INFO] Logout.
From the above it is clear that it is a bot that tries to log in to FTP accounts and, if it succeeds, downloads the file and almost immediately uploads it again with the script inside.
Last edited by Frankc; 04-09-2007 at 01:41 PM.
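A way to pull that pattern out of /var/log/messages automatically, as an added example that is not part of Frankc's post: an awk filter over the pure-ftpd lines that counts authentication failures per source address, lists which accounts each address logged into, and flags any session that uploads a file within a short window of downloading the same path, which is exactly the download-then-re-upload sequence shown above. The sample log lines are constructed for the example (TEST-NET addresses, made-up account names), and the function names and the 60-second window are assumptions. One detail taken from the real log: pure-ftpd writes the same file as `/home/user///public_html/index.htm` on download and `/home/user//public_html/index.htm` on upload, so the paths are normalised before they are compared.

```shell
#!/bin/sh
# Added example, not from the thread: triage pure-ftpd lines in syslog format.
# Output lines:
#   FAIL <ip> <count>                 failed logins from that address
#   LOGIN <ip> <user> [<user>...]     accounts that address logged into
#   REPLACE <ip> <user> <path> <secs> upload of a path within <secs> of its download

ftp_triage() {   # usage: ftp_triage [WINDOW_SECONDS] < /var/log/messages
    awk -v window="${1:-60}" '
    $5 != "pure-ftpd:" { next }                    # skip "last message repeated" etc.
    {
        sess = substr($6, 2, length($6) - 2)       # "(user@ip)" -> "user@ip"
        n = split(sess, p, "@"); user = p[1]; ip = p[n]
        split($3, t, ":"); secs = t[1] * 3600 + t[2] * 60 + t[3]   # time of day only
    }
    /\[WARNING\] Authentication failed/ { fails[ip]++; next }
    /is now logged in/ { logins[ip] = logins[ip] " " $8; next }
    /\[NOTICE\] .* (downloaded|uploaded) / {
        path = $8; gsub("/+", "/", path)           # collapse the // and /// pure-ftpd emits
        key = sess SUBSEP path
        if ($9 == "downloaded") { dl[key] = secs; next }
        if (key in dl && secs - dl[key] <= window)
            printf "REPLACE %s %s %s %d\n", ip, user, path, secs - dl[key]
        next
    }
    END {
        for (ip in fails)  printf "FAIL %s %d\n", ip, fails[ip]
        for (ip in logins) printf "LOGIN %s%s\n", ip, logins[ip]
    }'
}

# Constructed sample log in the same shape as the thread's /var/log/messages
# extract; 192.0.2.10 behaves like the bot, 192.0.2.20 like a normal user.
sample_log() {
    cat <<'EOF'
Apr  5 14:26:21 web1 pure-ftpd: (?@192.0.2.10) [INFO] New connection from 192.0.2.10
Apr  5 14:26:21 web1 pure-ftpd: (?@192.0.2.10) [WARNING] Authentication failed for user [user1]
Apr  5 14:26:25 web1 pure-ftpd: (?@192.0.2.10) [WARNING] Authentication failed for user [user2]
Apr  5 14:26:27 web1 pure-ftpd: (?@192.0.2.10) [INFO] Logout.
Apr  5 14:26:30 web1 pure-ftpd: (?@192.0.2.10) [WARNING] Authentication failed for user [user3]
Apr  5 14:26:38 web1 pure-ftpd: (?@192.0.2.10) [INFO] alice is now logged in
Apr  5 14:26:40 web1 pure-ftpd: (alice@192.0.2.10) [NOTICE] /home/alice///public_html/index.html downloaded (12101 bytes, 92271.24KB/sec)
Apr  5 14:26:42 web1 pure-ftpd: (alice@192.0.2.10) [NOTICE] /home/alice//public_html/index.html uploaded (12780 bytes, 20.78KB/sec)
Apr  5 14:26:43 web1 last message repeated 2 times
Apr  5 14:26:45 web1 pure-ftpd: (alice@192.0.2.10) [INFO] Logout.
Apr  5 15:02:00 web1 pure-ftpd: (?@192.0.2.20) [INFO] bob is now logged in
Apr  5 15:02:05 web1 pure-ftpd: (bob@192.0.2.20) [NOTICE] /home/bob/public_html/index.html downloaded (500 bytes, 10.00KB/sec)
Apr  5 15:09:30 web1 pure-ftpd: (bob@192.0.2.20) [NOTICE] /home/bob/public_html/index.html uploaded (620 bytes, 10.00KB/sec)
EOF
}

# Real use: ftp_triage 60 < /var/log/messages
```

On the sample, only alice's session is reported as a REPLACE (upload 2 seconds after the download); bob re-uploads the same file, but minutes later, so an ordinary edit cycle is not flagged. Any account in a REPLACE line is one whose index file should be diffed against its backup, and any address with many FAIL entries followed by a LOGIN is a candidate for the firewall.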
Looks like the offending IP is from Hong Kong:
inetnum: 58.65.232.0 - 58.65.239.255
netname: HOSTFRESH
descr: HostFresh
descr: Internet Service Provider
country: HK
admin-c: PL466-AP
tech-c: PL466-AP
status: ALLOCATED PORTABLE
mnt-by: APNIC-HM
mnt-lower: MAINT-HK-HOSTFRESH
mnt-routes: MAINT-HK-HOSTFRESH
remarks: Please send Spam & Abuse report to
remarks: abuse@hostfresh.com
remarks: -+-+-+-+-+-+-+-+-+-+-+-++-+-+-+-+-+-+-+-+-+-+-+-+-+-+
remarks: This object can only be updated by APNIC hostmasters.
remarks: To update this object, please contact APNIC
remarks: hostmasters and include your organisation's account
remarks: name in the subject line.
remarks: -+-+-+-+-+-+-+-+-+-+-+-++-+-+-+-+-+-+-+-+-+-+-+-+-+-+
changed: hm-changed@apnic.net 20060612
changed: hm-changed@apnic.net 20060613
changed: hm-changed@apnic.net 20061018
source: APNIC
person: Piu Lo
nic-hdl: PL466-AP
e-mail: ipadmin@hostfresh.com
address: No. 500, Post Office, Tuen Mun, N.T., Hong Kong
phone: +852-35979788
fax-no: +852-24522539
country: HK
changed: ipadmin@hostfresh.com 20070329
mnt-by: MAINT-HK-HOSTFRESH
source: APNIC
Also, block the IP in your firewall and change the pure-ftp.conf file to allow only 1 connection from the same IP:
# Maximum number of sim clients with the same IP address
MaxClientsPerIP 1
Then restart your FTP server; this will help the load on your server.
Last edited by easyhoster1; 04-09-2007 at 04:54 PM.
easyhoster1,
Quoting "and change in the pure-ftp.conf file for allowed connections to 1 from the same IP": this seems unnecessary unless you are worried about DoS attacks, but that is not the issue here.
Again, I believe the location of the IP address in question is almost arbitrary as per my previous quote.
No, firewalling the IP will stop it in its tracks from doing ANYTHING via tcp - this is good.
The FTP config change you suggested should not be indicated here and is superfluous to the subject at hand.
Spent a day or two running scripts to clear iframe code inserted into a lot of accounts across a couple of cPanel servers, all html files with iframe code inserted at the end.
Anyone had any further luck finding out what is causing this, or does anyone know how to block this with a mod_security ruleset if it's happening via that route?
TIA
Mike
mydomain,
Some suspect a hole still in cPanel, some suspect a hole in PHP... but alas there are as yet no proper answers to this mystery!
Please can you provide your cpanel, php, mysql, ftp versions?
I'm entirely unconvinced it's a hole in cpanel based on what I've seen so far.
As well as cpanel, php, mysql and ftp versions could you also mention whether you are using php_suexec, suexec, mod_security (what ruleset), etc. So ... this is what we need - copy and paste this into your response:
Cpanel version:
PHP version:
MySQL version:
FTP version: Proftpd/Pureftp version:
PHPsuexec: Y/N
Mod_security: Y/N ruleset:
Other PHP security (eg openbasedir etc):
Suexec: Y/N
Firewall if any: APF / CSF
CSF may help with this if something is brute forcing the passwords.
We are also facing the same problem.
Multiple servers with different rp secured to the peak are being hacked using this method.
Logs in using FTP on multiple accounts -> downloads index.php -> uploads hacked index.php
This is a very very serious problem.... Ideas invited...
I'll mention a few interesting characteristics of this hack...
1) It happens to a wide range of accounts. It happens on more than one server, each with a different root password.
2) Only method of hack used is ftp.
3) The hacked accounts do not fall under any specific resellers
4) Pure-ftpd, cPanel, kernel, PHP and Apache are all updated to their latest versions on the servers being hacked.
5) No unauthorized root logins.
6) FTP Access to different accounts from the same ip. Once we block the ip, the hack continues from a different ip after a couple of days.
7) FTP login on the very first attempt, no brute-force attempts.
8) For the hacker IP, no logs other than /var/log/messages (FTP logs) and domlogs (only FTP logs). No trace in cPanel access logs or in any other logs.
9) A sample source ip of this kind of hack is 84.16.230.108
10) This happens for accounts with strong passwords as well.
One of the reasons this is occurring could be that users specify their main cPanel username/password for accessing the databases of PHP applications. Once a phpshell is uploaded onto the server, we can easily retrieve such passwords. But I have seen this occur on accounts which do not use the main cPanel username/password for accessing the MySQL databases.
This is a very critical problem. If anyone has faced similar issues and has any idea about how the hackers are retrieving FTP passwords for multiple accounts, please post your ideas.