This exploit is being uploaded via FTP/SFTP, which cPanel has integrated. The virus seeks out the FTP clients installed on your PC, then it searches out the FTP passwords and usernames. As soon as you FTP/SFTP to your box the virus is unleashed. It's a virus that is installed on your own PC, and it infects and gathers all this information from your own PC to infect the next time you log in to your server or website.
We have a client who has 5 boxes. He's a site developer. He has all the logins and passwords to every website on the 5 boxes because they maintain all the websites. There are 70 sites on each box, not that many. His boxes were infected because he SFTP'ed to his clients' websites to update the sites. Shortly thereafter, those sites were seeing random JavaScript injections.
They took the PC out of production, reformatted it and recreated the FTP sites on their PC. The issue went away. As far as the server, who knows if it's still infected, but according to him this is how it's being installed.
There appears to be a ton of confusion about this issue. There are a large number of different JavaScript issues that can occur on a server and/or site. The random JavaScript toolkit can be found by using the steps laid out at http://www.cpanel.net/security/notes...s_toolkit.html
When running the command below on a server infected by the "Random Javascript Toolkit"
Code:
tcpdump -nAs 2048 src port 80 | grep "[a-zA-Z]\{5\}\.js'"
You will see the following output:
Code:
root@server log]# tcpdump -nAs 2048 src port 80 | grep "[a-zA-Z]\{5\}\.js'"
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 2048 bytes
<script language='JavaScript' type='text/javascript' src='ateyc.js'></script>
<script language='JavaScript' type='text/javascript' src='taopp.js'></script>
1311 packets captured
2627 packets received by filter
If the output differs from that above, then you have a different issue on your hands. You can also run the command below to further confirm the issue.
Code:
grep /dev/mem /var/log/message*
Any output from the grep command above is evidence of the random js exploit. If the command finds no hits to /dev/mem in messages* then the server is not compromised by this toolkit and you will need to take a different route when investigating the issue.
These issues as well as any other javascript/virus issue are not directly related to cPanel and should be handled by your datacenter or a qualified admin unless directly requested by a cPanel tech.
-Todd Shipway
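The two checks in the post above (script tags with five-letter random names in port-80 responses, and /dev/mem hits in the messages logs), reproduced in Python over constructed sample input. This is an added example, not code from the post or from cPanel: the capture text and the syslog lines are made up for the demonstration, and the exact wording the kernel logs for a /dev/mem access is not given in the thread. The example also shows why the grep pattern as written is worth tightening: unanchored, `[a-zA-Z]{5}\.js'` also matches the tail of a longer legitimate name such as jquery.js, so the anchored variant requires the whole file name to be exactly five letters.

```python
import re

# Constructed sample of `tcpdump -nAs 2048 src port 80` output: tcpdump's own
# chatter, one legitimate script tag, and two injected tags of the kind shown
# in the thread. Not a real capture.
SAMPLE_CAPTURE = """tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 2048 bytes
<script language='JavaScript' type='text/javascript' src='jquery.js'></script>
<script language='JavaScript' type='text/javascript' src='ateyc.js'></script>
<script language='JavaScript' type='text/javascript' src='taopp.js'></script>
"""

# Constructed syslog-style lines. The thread only says the string /dev/mem
# appears in messages*; the message text here is invented for the example.
SAMPLE_MESSAGES = [
    "Mar 28 12:25:01 server crond[1234]: (root) CMD (run-parts /etc/cron.hourly)",
    "Mar 28 12:27:14 server kernel: Program mount tried to access /dev/mem",
    "Mar 28 12:27:15 server kernel: Program touch tried to access /dev/mem",
]

# The thread's grep pattern, unanchored: any five letters followed by .js'
THREAD_PATTERN = re.compile(r"[a-zA-Z]{5}\.js'")
# Tightened: the whole file name inside src='...' must be exactly five letters
ANCHORED_PATTERN = re.compile(r"src='([a-zA-Z]{5})\.js'")


def grep_lines(text, pattern):
    """Mimic `grep`: return the lines of text in which pattern occurs."""
    return [line for line in text.splitlines() if pattern.search(line)]


def injected_script_names(text):
    """Names of scripts whose src is exactly five letters plus .js."""
    return [m.group(1) + ".js" for m in ANCHORED_PATTERN.finditer(text)]


def dev_mem_hits(log_lines):
    """Mimic `grep /dev/mem /var/log/message*`: lines mentioning /dev/mem."""
    return [line for line in log_lines if "/dev/mem" in line]


def assess(capture_text, log_lines):
    """Combine both checks into the verdict the post describes."""
    scripts = injected_script_names(capture_text)
    mem = dev_mem_hits(log_lines)
    if scripts and mem:
        return "consistent with the random JavaScript toolkit"
    if scripts:
        return "injected scripts seen, no /dev/mem hits: investigate other causes"
    return "no indicators found"


if __name__ == "__main__":
    print("thread grep matches:", grep_lines(SAMPLE_CAPTURE, THREAD_PATTERN))
    print("injected:", injected_script_names(SAMPLE_CAPTURE))
    print("/dev/mem:", dev_mem_hits(SAMPLE_MESSAGES))
    print(assess(SAMPLE_CAPTURE, SAMPLE_MESSAGES))
```

On the sample, the unanchored pattern matches three lines (including the jquery.js one) while the anchored pattern reports only the two injected names; on a real box, feed it the saved tcpdump output and the messages files rather than the constructed strings.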
I am sad to say this, but the exploit is back again even though we have taken all the precautions one can take, and it's back again on one of the servers. Guys, got any clues, or do we just need to follow the old way of fixing it, which is reinstalling the system pkgs?
Regards
neo_user
A number of reasons why it has returned.. choose one or more:
your server is infected
your PC(s) are infected
repeat the above choices
Seriously.. chances are the infection is still there or a reinfection occurred in one or the other and possibly in both.. let me tell you what happened and how I resolved it
I was at an airport wifi and uploaded one file to one account on the server, my wifi was sniffed..
By the time I got home from my trip, the client's site was infected with malicious code and they called saying there "was something wrong with the site", of course I went directly to see what was wrong using my browser.. at that point my PC got infected and I believe a key logger was installed locally. No matter what I did, change passwords change permissions, they got back in, each time doing more and more damage..
After 3 or 4 months of this, my PC was acting stranger and stranger alerting me I had some serious virus/Trojans and I brought it to my guru who could not get it clean.. he highly suggested I start with a new hard drive.. you must know what a pain that is, reinstalling and configuring all your software, but I had no choice..
Meanwhile on the server I SHUT FTP COMPLETELY and started to use only SFTP
I installed KeyScrambler to encrypt everything.. and only had one problem since September '07 when a cpanel update turned back on FTP.. within 2 hours they were back at it.. only gaining access to the sites I was too lazy to change passwords.. this tells me the logger they installed was gone from my system and they could no longer keep tabs on changed passwords..
If your problem is on the server then chances are every site on the server is infected.. sometimes these are only visible as the sites load, the view source will reveal nothing unusual.. sometimes the code does not affect every visitor and these are more difficult to detect and sometimes a complete reinstall of the OS may be called for.
Chances are you have been flagged by google also "this site may contain code that is harmful to your computer, we suggest you do not proceed to this website" something like that is the wording.. You need to have a google webmaster tools account and you can see if your site has been flagged and when it is clean you can submit for a review..
Next you can and should visit
http://groups.google.com/group/stopbadware?hl=en
This group works closely with google identifying and helping webmasters rid the sites of code and stay clean.. there are several posts there (hehe one I made if I may be so bold to brag) that is at the top of the thread list explaining all I said and more about how to harden up your server and your PC to stay safe.. please read the posts there before you do anything else..
Keep an eye on an upcoming site:
http://hostexploit.blogspot.com/
Jart Armin has some fabulous information about how/why/when/where in reference to these injections..
Hope that helps..
Debbie
Debbie,
Thank you so much for sharing this experience. I have to say that every incidence I have seen of this was due to an initial local malware infection. I would say to look at everything on your local system that has ever connected via FTP first.
Well true and not true..
If the server was compromised the same outcome would happen.. now was the server compromised because the host tech had a critter on their PC at work (or if they work remote at home) and they visited an injected/infected site via a browser.. yes it is very possible that is one method of infecting every site on the server..
There is a HUGE thread here on how to secure your server.. worth every minute of everyone's printing and reading and doing time..
My personal theory (may not hold water) is: webmasters around the world are visiting their own infected sites in browsers to see "what's going on" (as I stupidly did) and getting local infections.. WE are perpetuating the matter daily and exponentially
Today when a client calls and says they have a problem, my first jump is straight to SFTP not the browser..
Oh and thanks for the props!
not sure whether we are going in the right direction...
The issue mentioned in FTP hack is a different one, where the index file is modified. Here even the index file is not modified.
If it was the FTP hack, the individual user's web files would have been modded.
Also, as per http://www.cpanel.net/security/notes...s_toolkit.html
it clearly mentions that binaries inside directories like /sbin are modified which can only be viewed after booting it on a live cd. So, the ftp issue you are mentioning is a completely different one, which I also had experienced.
Correct me, if I'm wrong.
No you are not wrong, I have 1st hand experience with FTP hacks as I noted.. neo_user never really said what his problem was nor has he returned
A server compromised will indeed have binaries dropped or changed.. my experience is solely with the FTP "drive-by" injections of HTML and PHP pages
Just to update everyone, I was able to resolve the problem by following the steps mentioned in http://www.cpanel.net/security/notes...s_toolkit.html
The files infected were
/sbin/ifconfig
/sbin/fsck
/sbin/route
/bin/basename
/bin/cat
/bin/mount
/bin/touch
After booting into a live CD, I just followed the procedures below to restore the original files.
PS: Here, I mentioned only the touch binary. You need to do it for each of the binaries infected.
Code:
localhost bin # ls -l touch*
-rwx------ 1 root root 553340 Mar 21  2007 touch
---------- 1 root root      0 Mar 28 12:27 touchq4hLyVO3nwGcSKciPHQ0
-rwxr-xr-x 1 root root  40364 Mar 21  2007 touchuMkBvBegF7BtGK3S1bsC
localhost bin # rm -fv touchq4hLyVO3nwGcSKciPHQ0
removed `touchq4hLyVO3nwGcSKciPHQ0'
localhost bin # mv touch touch.hacked
localhost bin # mv touchuMkBvBegF7BtGK3S1bsC touch
After that, tcpdump did not show any more js scripts.
Also upgraded the kernel on the server to the latest one, and reset the root password. Keeping my fingers crossed to see whether it'll be hacked again....
Hope, it doesn't...
After all these solutions, one thing still remains a mystery - "How does the hacker gain access to the system firstly?"
The kernel of the server which was infected was 2.6.18-53.1.13.el5 which doesn't have any reported vulnerabilities.
Anyway, I have updated it to 2.6.18-53.1.14.el5 to be on the safer side.
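The restore above was done by hand, one binary at a time, after booting a live CD. As an added example (my code, not the poster's and not the cPanel note's procedure), here is an integrity check meant to be run the same way: from a live CD, against the suspect root mounted somewhere, with a manifest of SHA-256 hashes taken from clean install media or a known-good host. It reports the seven binaries the poster listed when their hash no longer matches, and separately flags sibling files named `<binary><random suffix>` like the `touchuMkBvBegF7BtGK3S1bsC` and `touchq4hLyVO3nwGcSKciPHQ0` entries in the listing. The suffix rule (16 or more alphanumeric characters) is an assumption loosened from the two 20-character suffixes on the page; the `demo()` function builds a constructed clean tree and suspect tree in a temporary directory so the check runs offline.

```python
import hashlib
import os
import re
import tempfile

# Binaries the thread reports as replaced on the compromised server.
BINARIES = [
    "sbin/ifconfig", "sbin/fsck", "sbin/route",
    "bin/basename", "bin/cat", "bin/mount", "bin/touch",
]

# Assumption: the renamed original carries a long alphanumeric suffix, as the
# two 20-character suffixes in the thread's listing do. 16+ is a loosened guess.
SUFFIX_RE = re.compile(r"[A-Za-z0-9]{16,}")


def sha256_of(path):
    """SHA-256 of a file, read in chunks so large binaries are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(clean_root, names=BINARIES):
    """Hash known-good copies (install media or a clean host) into a manifest."""
    return {rel: sha256_of(os.path.join(clean_root, rel)) for rel in names}


def check_root(mounted_root, manifest):
    """Run from a live CD against the suspect root mounted at mounted_root.

    Returns (modified, renamed_originals): binaries whose hash differs from
    the manifest, and sibling files named <binary><random suffix> like the
    ones in the thread's `ls -l touch*` listing.
    """
    modified = []
    renamed = []
    for rel, expected in manifest.items():
        path = os.path.join(mounted_root, rel)
        if not os.path.exists(path) or sha256_of(path) != expected:
            modified.append(rel)
        directory, name = os.path.split(path)
        for entry in sorted(os.listdir(directory)):
            suffix = entry[len(name):]
            if entry != name and entry.startswith(name) and SUFFIX_RE.fullmatch(suffix):
                renamed.append(os.path.join(os.path.dirname(rel), entry))
    return modified, renamed


def demo():
    """Constructed scenario: a clean tree and a suspect tree in which bin/touch
    was replaced and the original kept beside it under a random suffix."""
    with tempfile.TemporaryDirectory() as tmp:
        clean = os.path.join(tmp, "clean")
        suspect = os.path.join(tmp, "suspect")
        for root in (clean, suspect):
            for rel in BINARIES:
                p = os.path.join(root, rel)
                os.makedirs(os.path.dirname(p), exist_ok=True)
                with open(p, "wb") as f:
                    f.write(b"stand-in for the real " + rel.encode())
        manifest = build_manifest(clean)
        # Simulate the replacement seen in the thread's listing.
        original = os.path.join(suspect, "bin/touch")
        os.rename(original, original + "uMkBvBegF7BtGK3S1bsC")
        with open(original, "wb") as f:
            f.write(b"trojaned touch")
        return check_root(suspect, manifest)


if __name__ == "__main__":
    modified, renamed = demo()
    print("modified binaries:", modified)
    print("renamed originals:", renamed)
```

Hashing from inside the running system would go through the same possibly trojaned `cat`, `mount` and friends, which is exactly why the poster booted a live CD first; the manifest must likewise come from media that never touched the suspect box.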