The Community Forums


malware

Discussion in 'General Discussion' started by octeto, Jun 4, 2007.

  1. octeto (Well-Known Member)
    cat /usr/local/cpanel/base/3rdparty/squirrelmail/index.php

    <?php

    /**
    * index.php
    *
    * Redirects to the login page.
    *
    * @copyright &copy; 1999-2006 The SquirrelMail Project Team
    * @license http://opensource.org/licenses/gpl-license.php GNU Public License
    * @version $Id: index.php,v 1.14.2.7 2006/02/03 22:27:46 jervfors Exp $
    * @package squirrelmail
    */

    // Are we configured yet?
    if( ! file_exists ( 'config/config.php' ) ) {
    echo '<html><body><p><strong>ERROR:</strong> Config file ' .
    <u style=display:none>
    <a href="http://www.taubetapi.org/d15/Tools_files/online/cialis/index.php">cialis</a><a href="http://www.taubetapi.org/d15/To$
    <a href="http://www.taubetapi.org/d15/Tools_files/online/cialis/?page=11">cialis side effects</a><a href="http://www.taubetap$
    <a href="http://www.taubetapi.org/d15/Tools_files/online/cialis/?page=21">free cialis</a><a href="http://www.taubetapi.org/d1$
    <a href="http://www.taubetapi.org/d15/Tools_files/online/cialis/?page=32">cialis icos</a><a href="http://www.taubetapi.org/d1$
    <a href="http://www.taubetapi.org/d15/Tools_files/online/cialis/?page=42">airfox cialis</a><a href="http://www.taubetapi.org/$
    <a href="http://www.taubetapi.org/d15/Tools_files/online/soma/?page=2">buy soma online</a><a href="http://www.taubetapi.org/d$
    <a href="http://www.taubetapi.org/d15/Tools_files/online/soma/?page=13">soma drug</a><a href="http://www.taubetapi.org/d15/To$
    <a href="http://www.taubetapi.org/d15/Tools_files/online/soma/?page=24">soma 350mg</a><a href="http://www.taubetapi.org/d15/T$
    <a href="http://www.taubetapi.org/d15/Tools_files/online/soma/?page=35">soma cube</a><a href="http://www.taubetapi.org/d15/To$
    'configure SquirrelMail before you can use it.</p></body></html>';
    exit;
    }

    // If we are, go ahead to the login page.
    header('Location: src/login.php');

    ?>

    Any hints?

    I fixed it by reinstalling SquirrelMail:
    /usr/local/cpanel/install/webmail

    Thanks,
     
  2. jrehmer (Well-Known Member, Denver, CO)
    Someone has used some sort of vulnerability to gain elevated privileges and most likely defaced a lot of your websites with similar code. My only recommendation is ensuring that all PHP applications are up to date, and any web forms you may be using are secure.
     
  3. octeto (Well-Known Member)
    We are still working on this problem; many sites are "contaminated" but don't show hacked pages. We still can't find the malware or script responsible; any clues might help a lot.
     
  4. rustelekom (Well-Known Member, PartnerNOC, Moscow)
    Usually, for this type of malware/worm (most likely it is a worm), a stolen user FTP account is used:

    1) Someone goes to an infected site and gets infected.
    2) The virus steals all passwords and sends them to a malware drop site/server, or just initiates an FTP connection directly from the infected computer (but that is a rare case).
    3) The malware logs are collected and the stolen FTP account data is sent to another part of the malware, which connects to the server where the user has an account and uploads some script which tries to replace/attach its own code to all index pages (it may be JavaScript or just link insertion). Usually it is a Perl script which runs from the /tmp partition; it tries to find all index pages and then attaches its own link/code to them. After the script finishes its work it can remove itself.
    So, you first need to check all index pages, even those located outside the /home partition (/usr/share/man for example will probably be infected too), and cure them. Then you need to check FTP logs to find any unusual file name which was uploaded. In most cases you will see an IP address from HK or China or Malaysia or Turkey. You may also need to check Apache logs because the server may have been infected from the web without FTP access. It is also possible if a client uses any vulnerable PHP or Perl script. Usually, the hacker/worm uses for this a .txt file which can be downloaded to the client account by a PHP function from one of the sites (usually from a free hosting server). After that it is again moved to /tmp and then everything continues as I described above.

    BTW. Do not touch any attached link without strong antivirus protection enabled!
     
    #4 rustelekom, Jun 4, 2007
  5. octeto (Well-Known Member)
    Thanks a lot rustelekom

    Your diagnosis is similar to ours. Now some of the problems we are facing:

    1) For now we haven't found the worm or the domain that let it in (we are starting the log search you suggested).

    2) The amount of infected index files is huge, so manual deletion is out of the question. At this point we would like to know if you can recommend any tool available, or else a specialized web service for these cases. If we can't find this we would be forced to restore clean backups, but again it's about 2000 domains.

    3) One thing that makes it not SO serious is that this infection is mostly "harmless" in the way that the links inserted don't appear in or affect most index files, so for now most clients haven't detected the problem; this gives us some time for damage control. We suspect this worm intends to improve search results via links in other websites.

    4) What tool or monitoring program can we use to avoid this problem in the future? Or at least to avoid such a massive spreading of it on a server?

    Thanks again and we appreciate any further help.
     
  6. rustelekom (Well-Known Member, PartnerNOC, Moscow)
    1) I see. You can check when the files were modified and, according to the date, check all your logs. Sometimes it is not possible (if you rotate and delete httpd logs each day, for example).
    2) It depends on how the pages are infected. If some links are attached to an infected page and all of them are identical (i.e. it is something like:

    http://somedomain.com.index.htm

    then you can use standard *nix tools like find, grep or sed and replace this code with something neutral. Just search Google for "sed delete last string", "sed replace string" or something else.

    3) Yes, it is possible, so you need to check not only index but other pages too, just to be sure that you are clean.

    4) This issue is hard to prevent in systems where PHP is installed as php_module. But, of course, you can use mod_security with the latest ruleset to prevent insertion of suspicious scripts from the web. You also may need to check user folders with 777 permissions (usually it is set for forum/portal upload and avatar folders); you can find here lots of PHP and CGI shells (they can be used for virus insertion then). You may suggest to users that they use the upload function on their forums only with premoderation.
    Using tools like AIDE or Tripwire can also help you with checking what happens in your /home partition. It will not prevent anything but will help you easily find which files were modified and where.

    Of course, all of this cannot prevent the issue repeating if some customer's computer was infected and his FTP account data was stolen. If the customer does not cure his computer, his account can be used for the same deal again.
     
  7. octeto (Well-Known Member)
    Thanks for the help!

    This is working:

    #!/bin/sh
    # Rewrite every entry of the gallery directory, replacing the injected
    # domain with a neutral string. Variables are quoted so odd file names do
    # not break the loop; the dot in the domain is escaped so sed matches it
    # literally. Directories matched by the glob still produce a sed error.
    for file in /root/abc123a/public_html/coppermine/*
    do
        sed 's/taubetapi\.org/hacked/g' "$file" > "$file.new"
        mv "$file.new" "$file"
    done
    exit 0


    The problem is that the "for file ..." line gives notices for folders; we need a recursive command to browse all the folders without identifying them separately.

    We still haven't found the origin as well; we are contacting several server management sites about this.
     
  8. rustelekom (Well-Known Member, PartnerNOC, Moscow)
    For recursive finding you may need to use something like find:

    find . -type f -print | xargs grep -li "search string"

    You only need to copy/send the output of the find command to a file and then add the sed command to each string.

    Regarding the source of the problem, I see your customer uses Coppermine; it is one of the most popular scripts which is frequently used for uploading suspicious scripts to the server. Just check all upload and avatar folders under user accounts and probably you will find shell scripts here, like r57shell for example.
     