Hacked index pages with hidden keywords - Any idea?

XPerties

Well-Known Member
Apr 10, 2003
401
0
166
New Jersey, USA
I've had a few clients on different servers where their index.html had html added to it but is only viewable if you view the page source. They aren't using any other script besides basic html. I have a hard set of mod_sec rules in place from gotroot.

Any idea how this is being done or anyone have any suggestions?
 

ramprage

Well-Known Member
Jul 21, 2002
655
0
166
Canada
Probably due to someone modifying user files. you probably have open_base protection off and phpsuexec off? Also what php versions are you running?
 

jamesbond

Well-Known Member
Oct 9, 2002
738
1
168
ramprage said:
Probably due to someone modifying user files. you probably have open_base protection off and phpsuexec off? Also what php versions are you running?
Unless the index.html files have world write permissions or are owned by nobody how would one do that even without phpsuexec...

I believe openbase_dir and safe_mode are easily disabled with the ini_restore exploit for which php hasn't released an update yet.
 

webignition

Well-Known Member
Jan 22, 2005
1,880
0
166
XPerties said:
I've had a few clients on different servers where their index.html had html added to it but is only viewable if you view the page source. They aren't using any other script besides basic html. I have a hard set of mod_sec rules in place from gotroot.

Any idea how this is being done or anyone have any suggestions?
Although I can't quite imagine how, the most likely cause to me would be some form of exploit.

If the relevant files haven't been modified since they were abused, you might want to try the following:

1) Check the file modification dates for the affected files
2) Check your www logs for suspicious-looking requests around the same time

This, at least, may help you in figuring out if an exploit was the cause.
 

XPerties

Well-Known Member
Apr 10, 2003
401
0
166
New Jersey, USA
PHP Version 5.1.6 enabled with phpsuexec and open_basedir enabled for entire server.

9 out of 10 times the orginal index page is renamed and the new index page has embedded html after the </body></html>.

For example attached is what was placed in one client index.html file.

What log files would I search in, domlogs or main apache access logs?
 

jamesbond

Well-Known Member
Oct 9, 2002
738
1
168
I think you forgot the attachment :) Can you think of anything the affected accounts have in common? Frontpage extensions? Perhaps also check the cpanel access logs.
 

XPerties

Well-Known Member
Apr 10, 2003
401
0
166
New Jersey, USA
jamesbond said:
I think you forgot the attachment :) Can you think of anything the affected accounts have in common? Frontpage extensions? Perhaps also check the cpanel access logs.

opps...

I've tried to find a common between them and havn't so far.
 

Attachments

jamesbond

Well-Known Member
Oct 9, 2002
738
1
168
Well that's a way to increase link popularity, unbelievable. That type of hidden link spamming seems pretty popular lately. I know people had that happen with drupal sites, but I haven't read about static pages being modified this way.

Did you check the ftp logs also? If it is seemingly random there is a possibility that those clients' computers are infected with a trojan, which the spammers used to get into the account?

Since those spammers renamed the index files it must show in one of the various logs.
 

chirpy

Well-Known Member
Verifed Vendor
Jun 15, 2002
13,465
30
473
Go on, have a guess
You should also ensure that you have disabled dynamic library loading in PHP which can be abused to produce the issue you're seeing, in php.ini:

enable_dl = Off

Then restart httpd. If you use ioncube you'll have to load that from the main php.ini instead of locally in user accounts.
 

XPerties

Well-Known Member
Apr 10, 2003
401
0
166
New Jersey, USA
chirpy said:
You should also ensure that you have disabled dynamic library loading in PHP which can be abused to produce the issue you're seeing, in php.ini:

enable_dl = Off

Then restart httpd. If you use ioncube you'll have to load that from the main php.ini instead of locally in user accounts.

Chirpy,

We use zend with php and have ioncube off in whm but clients still need ioncube for some scripts which they load from their main account by uploading the encoders. Will I need to load the encoders for clients to use if this is off and I thought zend and ioncube were incompatible to be both loaded at the same time from the server side?
 

driverC

Well-Known Member
Jul 23, 2004
112
0
166
Same happened to me once. I wrote a perl script to automatically scan all html files and remove the content that was inserted by the hacker... I`ll see if I can find it.
 

chirpy

Well-Known Member
Verifed Vendor
Jun 15, 2002
13,465
30
473
Go on, have a guess
XPerties said:
Chirpy,

We use zend with php and have ioncube off in whm but clients still need ioncube for some scripts which they load from their main account by uploading the encoders. Will I need to load the encoders for clients to use if this is off and I thought zend and ioncube were incompatible to be both loaded at the same time from the server side?
The ioncube loader in WHM isn't relevant - that's only for the cPanel PHP, not end-users.

You will need to install ioncube (it works perfectly find with zend opt) centrally. I use this method:

Code:
cd /usr/local/apache
wget http://downloads.ioncube.com/loader_downloads/ioncube_loaders_lin_x86.tar.gz
tar -xzf ioncube_loaders_lin_x86.tar.gz
rm -fv ioncube_loaders_lin_x86.tar.gz
ls -la ioncube
pico -w /usr/local/lib/php.ini

Scroll down to the Dynamic Extensions section and add the line:

zend_extension="/usr/local/apache/ioncube/xxx"

Where xxx corresponds to your version of PHP that is installed from the ls output above. For example, for PHP v4.4.* use:

zend_extension="/usr/local/apache/ioncube/ioncube_loader_lin_4.4.so"

Exit and save and then check php is showing ioncube in:

php -v

Then restart httpd:

/scripts/restartsrv_httpd
 

r00t pAsSw0rd

Active Member
Sep 14, 2006
32
0
156
I have ioincube loaded from main php.ini and client's software still complaining that dynamic loading libraries is turned off.

Any workaround for dl?
 

Silver_2000

Well-Known Member
Mar 31, 2002
337
1
318
Same happened to me once. I wrote a perl script to automatically scan all html files and remove the content that was inserted by the hacker... I`ll see if I can find it.
Did you find the Script ?
I need to clean some hacked html files
Willing to pay for working script
Doug