
Hacked index pages with hidden keywords - Any idea?

Discussion in 'General Discussion' started by XPerties, Sep 13, 2006.

  1. XPerties

    XPerties Well-Known Member

    Joined:
    Apr 10, 2003
    Messages:
    401
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    New Jersey, USA
    I've had a few clients on different servers where their index.html had HTML added to it that is only visible if you view the page source. They aren't using any other script besides basic HTML. I have a hard set of mod_sec rules in place from gotroot.

    Any idea how this is being done or anyone have any suggestions?
     
  2. ramprage

    ramprage Well-Known Member

    Joined:
    Jul 21, 2002
    Messages:
    667
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Canada
    Probably due to someone modifying user files. You probably have open_basedir protection off and phpsuexec off? Also, what PHP versions are you running?
     
  3. jamesbond

    jamesbond Well-Known Member

    Joined:
    Oct 9, 2002
    Messages:
    738
    Likes Received:
    1
    Trophy Points:
    18
    Unless the index.html files have world write permissions or are owned by nobody how would one do that even without phpsuexec...

    I believe open_basedir and safe_mode are easily disabled with the ini_restore exploit, for which PHP hasn't released an update yet.
     
  4. webignition

    webignition Well-Known Member

    Joined:
    Jan 22, 2005
    Messages:
    1,880
    Likes Received:
    0
    Trophy Points:
    36
    Although I can't quite imagine how, the most likely cause to me would be some form of exploit.

    If the relevant files haven't been modified since they were abused, you might want to try the following:

    1) Check the file modification dates for the affected files
    2) Check your www logs for suspicious-looking requests around the same time

    This, at least, may help you in figuring out if an exploit was the cause.
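An added example of steps 1) and 2) above, not code from this thread: it parses Apache combined-format log lines (the format of cPanel's per-domain domlogs), pulls out the requests within a window of the defaced file's modification time, and flags the ones that are more than plain page views. The mtime and log lines are constructed sample data; the heuristics in is_suspicious are assumptions tuned for a static-HTML site.

```python
import re
from datetime import datetime, timedelta, timezone

# Apache "combined" log line, the format cPanel's per-domain domlogs use.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
    r'(?: "(?P<referer>[^"]*)" "(?P<ua>[^"]*)")?'
)

def parse_log_line(line):
    """Parse one combined-log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec

def requests_near(log_lines, when, window=timedelta(minutes=30)):
    """All parseable requests whose timestamp lies within +/- window of `when`."""
    hits = []
    for line in log_lines:
        rec = parse_log_line(line)
        if rec and abs(rec["ts"] - when) <= window:
            hits.append(rec)
    return hits

def is_suspicious(rec):
    """On a static-HTML site anything other than a plain GET/HEAD of a page or
    asset deserves a look: write methods, script paths, tool user agents."""
    if rec["method"] not in ("GET", "HEAD"):
        return True
    if re.search(r'\.(php|cgi|pl)(\?|$)', rec["path"]):
        return True
    if rec["ua"] and re.match(r'(?i)(libwww-perl|curl|wget|python)', rec["ua"]):
        return True
    return False

def triage(file_mtime, log_lines, window=timedelta(minutes=30)):
    """Suspicious requests close to the time the defaced file was written."""
    return [r for r in requests_near(log_lines, file_mtime, window) if is_suspicious(r)]

# Constructed sample: the defaced index.html's mtime plus a few domlog lines
# (addresses from documentation ranges, not real visitors).
SAMPLE_MTIME = datetime(2006, 9, 12, 3, 14, 22, tzinfo=timezone(timedelta(hours=-4)))
SAMPLE_LOG = [
    '203.0.113.7 - - [12/Sep/2006:03:12:51 -0400] "GET /index.html HTTP/1.1" 200 5123 "-" "Mozilla/4.0"',
    '203.0.113.7 - - [12/Sep/2006:03:13:40 -0400] "GET /images/logo.gif HTTP/1.1" 200 612 "-" "Mozilla/4.0"',
    '198.51.100.23 - - [12/Sep/2006:03:14:05 -0400] "POST /cgi-bin/formmail.pl HTTP/1.0" 200 312 "-" "libwww-perl/5.805"',
    '192.0.2.44 - - [12/Sep/2006:09:02:11 -0400] "GET /index.html HTTP/1.1" 200 7120 "-" "Mozilla/5.0"',
    'garbage line that is not a log entry',
]

if __name__ == "__main__":
    # Real use: file_mtime from os.stat(path).st_mtime, log_lines from the domlog
    # for that domain (and the main access_log if the request hit a shared vhost).
    for r in triage(SAMPLE_MTIME, SAMPLE_LOG):
        print(r["ts"].isoformat(), r["ip"], r["method"], r["path"], r["ua"])
```

If the mtime window turns up nothing in the web logs, the same timestamp is what to search for in the FTP and cPanel logs, since an upload or a file-manager edit never shows in Apache's access log at all.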
     
  5. XPerties

    XPerties Well-Known Member

    Joined:
    Apr 10, 2003
    Messages:
    401
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    New Jersey, USA
    PHP Version 5.1.6 enabled with phpsuexec and open_basedir enabled for entire server.

    9 out of 10 times the original index page is renamed and the new index page has embedded HTML after the </body></html>.

    For example attached is what was placed in one client index.html file.

    What log files would I search in, domlogs or main apache access logs?
     
  6. jamesbond

    jamesbond Well-Known Member

    Joined:
    Oct 9, 2002
    Messages:
    738
    Likes Received:
    1
    Trophy Points:
    18
    I think you forgot the attachment :) Can you think of anything the affected accounts have in common? Frontpage extensions? Perhaps also check the cpanel access logs.
     
  7. XPerties

    XPerties Well-Known Member

    Joined:
    Apr 10, 2003
    Messages:
    401
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    New Jersey, USA

    Oops...

    I've tried to find something in common between them and haven't so far.
     

    Attached Files:

    • html.txt
      File size:
      60.3 KB
      Views:
      122
  8. jamesbond

    jamesbond Well-Known Member

    Joined:
    Oct 9, 2002
    Messages:
    738
    Likes Received:
    1
    Trophy Points:
    18
    Well that's a way to increase link popularity, unbelievable. That type of hidden link spamming seems pretty popular lately. I know people had that happen with drupal sites, but I haven't read about static pages being modified this way.

    Did you check the ftp logs also? If it is seemingly random there is a possibility that those clients' computers are infected with a trojan, which the spammers used to get into the account?

    Since those spammers renamed the index files it must show in one of the various logs.
     
  9. chirpy

    chirpy Well-Known Member

    Joined:
    Jun 15, 2002
    Messages:
    13,475
    Likes Received:
    20
    Trophy Points:
    38
    Location:
    Go on, have a guess
    You should also ensure that you have disabled dynamic library loading in PHP which can be abused to produce the issue you're seeing, in php.ini:

    enable_dl = Off

    Then restart httpd. If you use ioncube you'll have to load that from the main php.ini instead of locally in user accounts.
     
  10. XPerties

    XPerties Well-Known Member

    Joined:
    Apr 10, 2003
    Messages:
    401
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    New Jersey, USA

    Chirpy,

    We use zend with php and have ioncube off in whm but clients still need ioncube for some scripts which they load from their main account by uploading the encoders. Will I need to load the encoders for clients to use if this is off and I thought zend and ioncube were incompatible to be both loaded at the same time from the server side?
     
  11. driverC

    driverC Well-Known Member

    Joined:
    Jul 23, 2004
    Messages:
    112
    Likes Received:
    0
    Trophy Points:
    16
    Same happened to me once. I wrote a perl script to automatically scan all html files and remove the content that was inserted by the hacker... I'll see if I can find it.
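Added example of such a cleanup script, written here in Python rather than perl; it is not driverC's script and not from this thread. It targets the pattern XPerties described (markup appended after </body></html>): it only treats the trailing text as injected when it carries hidden-link markers, quarantines a copy of the original with its mtime intact before touching anything, and leaves a file whose tail is merely a stray comment for manual review. The sample pages are constructed; the hidden-marker patterns are an assumption about what the spam looks like.

```python
import os
import re
import shutil
import time

END_HTML = re.compile(r'</html\s*>', re.IGNORECASE)
# Markers typical of hidden keyword/link spam: hidden styling, anchors, iframes.
HIDDEN_MARKERS = re.compile(
    r'display\s*:\s*none|visibility\s*:\s*hidden|<a\s[^>]*href\s*=|<iframe\b',
    re.IGNORECASE,
)

def split_at_end(html):
    """Split a page at its first </html>: (page up to and including </html>, tail)."""
    m = END_HTML.search(html)
    if not m:
        return html, ""
    return html[:m.end()], html[m.end():]

def injected_tail(html):
    """Text after </html> if it is more than whitespace and looks like link spam;
    '' otherwise (a bare stray comment is left for manual review, not removed)."""
    _, tail = split_at_end(html)
    if tail.strip() and HIDDEN_MARKERS.search(tail):
        return tail
    return ""

def clean_html(html):
    """(cleaned page, removed text). Input returned unchanged when nothing was injected."""
    tail = injected_tail(html)
    if not tail:
        return html, ""
    page, _ = split_at_end(html)
    return page + "\n", tail

def scan_tree(root, exts=(".html", ".htm")):
    """Paths under root whose content after </html> looks injected."""
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            if name.lower().endswith(exts):
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="surrogateescape") as fh:
                    if injected_tail(fh.read()):
                        hits.append(path)
    return hits

def clean_file(path, quarantine_dir):
    """Copy the original (mtime preserved, for log correlation) into quarantine_dir,
    then strip the injected tail in place. Returns True when the file was changed."""
    with open(path, encoding="utf-8", errors="surrogateescape") as fh:
        html = fh.read()
    cleaned, removed = clean_html(html)
    if not removed:
        return False
    os.makedirs(quarantine_dir, exist_ok=True)
    stamp = time.strftime("%Y%m%d%H%M%S")
    shutil.copy2(path, os.path.join(quarantine_dir, os.path.basename(path) + "." + stamp))
    with open(path, "w", encoding="utf-8", errors="surrogateescape") as fh:
        fh.write(cleaned)
    return True

# Constructed samples, not taken from the thread's attachment.
CLEAN_PAGE = "<html><body><h1>Welcome</h1></body></html>\n"
DEFACED_PAGE = (
    "<html><body><h1>Welcome</h1></body></html>\n"
    '<div style="display:none"><a href="http://spam.example/">keyword keyword</a></div>\n'
)

if __name__ == "__main__":
    import sys
    # Usage: python clean_tails.py /home/user/public_html   (report only; call
    # clean_file(path, "/root/quarantine") on each hit once you've reviewed them)
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for p in scan_tree(root):
        print("injected tail:", p)
```

Run it in report mode first and keep the quarantined copies: their mtimes are what you correlate against the domlogs, FTP logs and cPanel access logs. Cleaning the files puts the pages right but does nothing about how the content got there, so if the same accounts get hit again the entry point is still open.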
     
  12. chirpy

    chirpy Well-Known Member

    Joined:
    Jun 15, 2002
    Messages:
    13,475
    Likes Received:
    20
    Trophy Points:
    38
    Location:
    Go on, have a guess
    The ioncube loader in WHM isn't relevant - that's only for the cPanel PHP, not end-users.

    You will need to install ioncube (it works perfectly fine with zend opt) centrally. I use this method:

    Code:
    cd /usr/local/apache
    wget http://downloads.ioncube.com/loader_downloads/ioncube_loaders_lin_x86.tar.gz
    tar -xzf ioncube_loaders_lin_x86.tar.gz
    rm -fv ioncube_loaders_lin_x86.tar.gz
    ls -la ioncube
    pico -w /usr/local/lib/php.ini

    Scroll down to the Dynamic Extensions section and add the line:

    zend_extension="/usr/local/apache/ioncube/xxx"

    Where xxx corresponds to your version of PHP that is installed from the ls output above. For example, for PHP v4.4.* use:

    zend_extension="/usr/local/apache/ioncube/ioncube_loader_lin_4.4.so"

    Exit and save and then check php is showing ioncube in:

    php -v

    Then restart httpd:

    /scripts/restartsrv_httpd
     
  13. r00t pAsSw0rd

    r00t pAsSw0rd Active Member

    Joined:
    Sep 14, 2006
    Messages:
    32
    Likes Received:
    0
    Trophy Points:
    6
    I have ioncube loaded from the main php.ini and clients' software is still complaining that dynamic library loading is turned off.

    Any workaround for dl?
     
  14. chirpy

    chirpy Well-Known Member

    Joined:
    Jun 15, 2002
    Messages:
    13,475
    Likes Received:
    20
    Trophy Points:
    38
    Location:
    Go on, have a guess
    Make sure they don't have a local php.ini trying to load ioncube in their web tree.
     
  15. SoftDux

    SoftDux Well-Known Member

    Joined:
    May 27, 2006
    Messages:
    983
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Johannesburg, South Africa
    cPanel Access Level:
    Root Administrator
    enabling open_basedir seems to break mod_usersdir (I think it's called)

    Example:

    If you access say http://yourdomain.com/~username1 - you can see his folders, but the moment you enable open_basedir, you get permissions errors.

    So, how does one work around this scenario?
     
  16. mctDarren

    mctDarren Well-Known Member

    Joined:
    Jan 6, 2004
    Messages:
    664
    Likes Received:
    2
    Trophy Points:
    18
    Location:
    New Jersey
    cPanel Access Level:
    Root Administrator
    You can disable open_basedir on a per domain basis from within WHM. Security > Tweak Security > Open Basedir > check the box under "Exclude" for each domain.
     
  17. SoftDux

    SoftDux Well-Known Member

    Joined:
    May 27, 2006
    Messages:
    983
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Johannesburg, South Africa
    cPanel Access Level:
    Root Administrator
    That's not quite feasible.

    What we do on signup is send out an email with instructions on how to use cPanel, and one of them mentions that the client can access their cPanel via http://www.ourdomain.com/~username while the domain is being registered. This allows the client to start working on his website while he waits for the domain :)
     
  18. Silver_2000

    Silver_2000 Well-Known Member

    Joined:
    Mar 31, 2002
    Messages:
    338
    Likes Received:
    1
    Trophy Points:
    18
    Did you find the Script ?
    I need to clean some hacked html files
    Willing to pay for working script
    Doug
     
  19. ramprage

    ramprage Well-Known Member

    Joined:
    Jul 21, 2002
    Messages:
    667
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Canada
    I have a script that does this, contact me.
     
  20. SoftDux

    SoftDux Well-Known Member

    Joined:
    May 27, 2006
    Messages:
    983
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Johannesburg, South Africa
    cPanel Access Level:
    Root Administrator
    Can you please share your script with the rest of us?
     