Hacked index pages with hidden keywords - Any idea?

[XPerties]

I've had a few clients on different servers where their index.html had html added to it but is only viewable if you view the page source. They aren't using any other script besides basic html. I have a hard set of mod_sec rules in place from gotroot.

Any idea how this is being done or anyone have any suggestions?

 

[ramprage]

Probably due to someone modifying user files. you probably have open_base protection off and phpsuexec off? Also what php versions are you running?

 

[jamesbond]

Probably due to someone modifying user files. you probably have open_base protection off and phpsuexec off? Also what php versions are you running?

Unless the index.html files have world write permissions or are owned by nobody how would one do that even without phpsuexec...

I believe openbase_dir and safe_mode are easily disabled with the ini_restore exploit for which php hasn't released an update yet.

 

[webignition]

I've had a few clients on different servers where their index.html had html added to it but is only viewable if you view the page source. They aren't using any other script besides basic html. I have a hard set of mod_sec rules in place from gotroot.

Any idea how this is being done or anyone have any suggestions?

Although I can't quite imagine how, the most likely cause to me would be some form of exploit.

If the relevant files haven't been modified since they were abused, you might want to try the following:

1) Check the file modification dates for the affected files
2) Check your www logs for suspicious-looking requests around the same time

This, at least, may help you in figuring out if an exploit was the cause.

 

[XPerties]

PHP Version 5.1.6 enabled with phpsuexec and open_basedir enabled for entire server.

9 out of 10 times the orginal index page is renamed and the new index page has embedded html after the </body></html>.

For example attached is what was placed in one client index.html file.

What log files would I search in, domlogs or main apache access logs?

 

[jamesbond]

I think you forgot the attachment Can you think of anything the affected accounts have in common? Frontpage extensions? Perhaps also check the cpanel access logs.

 

[XPerties]

I think you forgot the attachment Can you think of anything the affected accounts have in common? Frontpage extensions? Perhaps also check the cpanel access logs.

opps...

I've tried to find a common between them and havn't so far.

 

[jamesbond]

Well that's a way to increase link popularity, unbelievable. That type of hidden link spamming seems pretty popular lately. I know people had that happen with drupal sites, but I haven't read about static pages being modified this way.

Did you check the ftp logs also? If it is seemingly random there is a possibility that those clients' computers are infected with a trojan, which the spammers used to get into the account?

Since those spammers renamed the index files it must show in one of the various logs.

 

[chirpy]

You should also ensure that you have disabled dynamic library loading in PHP which can be abused to produce the issue you're seeing, in php.ini:

enable_dl = Off

Then restart httpd. If you use ioncube you'll have to load that from the main php.ini instead of locally in user accounts.

 

[XPerties]

You should also ensure that you have disabled dynamic library loading in PHP which can be abused to produce the issue you're seeing, in php.ini:

enable_dl = Off

Then restart httpd. If you use ioncube you'll have to load that from the main php.ini instead of locally in user accounts.

Chirpy,

We use zend with php and have ioncube off in whm but clients still need ioncube for some scripts which they load from their main account by uploading the encoders. Will I need to load the encoders for clients to use if this is off and I thought zend and ioncube were incompatible to be both loaded at the same time from the server side?

 

[driverC]

Same happened to me once. I wrote a perl script to automatically scan all html files and remove the content that was inserted by the hacker... I`ll see if I can find it.

 

[chirpy]

Chirpy,

We use zend with php and have ioncube off in whm but clients still need ioncube for some scripts which they load from their main account by uploading the encoders. Will I need to load the encoders for clients to use if this is off and I thought zend and ioncube were incompatible to be both loaded at the same time from the server side?

The ioncube loader in WHM isn't relevant - that's only for the cPanel PHP, not end-users.

You will need to install ioncube (it works perfectly find with zend opt) centrally. I use this method:

cd /usr/local/apache
wget http://downloads.ioncube.com/loader_downloads/ioncube_loaders_lin_x86.tar.gz
tar -xzf ioncube_loaders_lin_x86.tar.gz
rm -fv ioncube_loaders_lin_x86.tar.gz
ls -la ioncube

pico -w /usr/local/lib/php.ini

Scroll down to the Dynamic Extensions section and add the line:

zend_extension="/usr/local/apache/ioncube/xxx"

Where xxx corresponds to your version of PHP that is installed from the ls output above. For example, for PHP v4.4.* use:

zend_extension="/usr/local/apache/ioncube/ioncube_loader_lin_4.4.so"

Exit and save and then check php is showing ioncube in:

php -v

Then restart httpd:

/scripts/restartsrv_httpd

 

[r00t pAsSw0rd]

I have ioincube loaded from main php.ini and client's software still complaining that dynamic loading libraries is turned off.

Any workaround for dl?

 

[chirpy]

Make sure they don't have a local php.ini trying to load ioncube in their web tree.

 

[SoftDux]

enabling open_basedir seems to break mod_usersdir (I think it's called)

Exmaple:

If you access say http://yourdomain.com/~username1 - you can see his folders, but the moment you enable open_basedir, you get permissions errors.

So, how does one work around this scenario?

 

[mctDarren]

You can disable open_basedir on a per domain basis from within WHM. Security > Tweak Security > Open Basedir > check the box under "Exclude" for each domain.

 

[SoftDux]

That's not quite feasible.

What we do, on signup, send out an email with instructions on how to use cPanel, and one of them mentions that the client can access their cPanel via http://www.ourdomain.com/~username, while the domain is being registered. This allows the client to start working on his website, while he waits for the domain

 

[Silver_2000]

Same happened to me once. I wrote a perl script to automatically scan all html files and remove the content that was inserted by the hacker... I`ll see if I can find it.

Did you find the Script ?
I need to clean some hacked html files
Willing to pay for working script
Doug

 

[ramprage]

I have a script that does this, contact me.

 

[SoftDux]

Can you please share your script with the rest of us?