The Community Forums

Interact with an entire community of cPanel & WHM users!

Multiple cPanel Servers Hacked with Iframe Injection JavaScript Apache Modules

Discussion in 'Security' started by Wheeler, Jun 11, 2013.

  1. Wheeler

    Wheeler Member

    Joined:
    Jan 5, 2007
    Messages:
    12
    Likes Received:
    0
    Trophy Points:
    1
    This morning I received a few emails from clients alerting me that some of their customers' anti-virus programs (Avast and Kaspersky etc.) had been alerting them that their websites were malicious.

    I checked all of the reported websites and they appeared clean, although AVG Threat Labs was showing one site infected with an Invisible Iframe Injection JavaScript and listed a few .js files.

    I checked the listed .js files and they were all clean. I then logged in to the server as root and found that I didn't see the usual 'last logged in on...' message, and then found that .bash_history had been cleared. I run CSF on my servers, so I searched for root login notification messages and noticed that both of my servers had a root login from 94.23.156.232 on the 7th of June (4 days ago).

    I ran rkhunter on both servers and found nothing. I then found a Stack Overflow question/answer which suggested it could be an Apache module. (security - iFrame Injection Attack Followed us to New Server - Stack Overflow)

    Both servers had an Apache module which wasn't owned by any package and which I didn't recognise, although they had different filenames. I ran

    rpm -qf /etc/httpd/modules/*

    to find these, and on one server the module was mod_bench.so and on the other it was mod_domains.so.

    Googling these didn't turn up any results, and they were being loaded via /etc/httpd/conf/httpd.conf using LoadModule, so I removed that line and restarted Apache.

    What I'm concerned about is:

    I can't delete the module files /etc/httpd/modules/mod_bench.so and /etc/httpd/modules/mod_domains.so.

    I've tried the following:

    Code:
    root@***** [/etc/httpd/modules]# ls -al
    total 28820
    drwxr-xr-x  2 root root     4096 Nov 26  2012 ./
    drwxr-xr-x 17 root root     4096 Nov 26  2012 ../
    -rw-r--r--  1 root root     9170 Nov 26  2012 httpd.exp
    -rwxr-xr-x  1 root root 27955649 Nov 26  2012 libphp5.so*
    -rwxr-xr-x  1 root root    47776 Nov 26  2012 mod_bench.so*
    -rwxr-xr-x  1 root root     9433 Nov 26  2012 mod_bwlimited.so*
    -rwxr-xr-x  1 root root     5776 Nov 26  2012 mod_disable_suexec.so*
    -rwxr-xr-x  1 root root    14509 Nov 26  2012 mod_fastinclude.so*
    -rwxr-xr-x  1 root root  1340297 Nov 26  2012 mod_security2.so*
    -rwxr-xr-x  1 root root    60327 Nov 26  2012 mod_suphp.so*
    
    root@***** [/etc/httpd/modules]# rm mod_bench.so
    rm: remove regular file `mod_bench.so'? y
    rm: cannot remove `mod_bench.so': Permission denied
    
    root@***** [/etc/httpd/modules]# lsattr mod_bench.so
    ------------- mod_bench.so
    
    root@linux1 [/etc/httpd/modules]# chattr -ia mod_bench.so
    root@linux1 [/etc/httpd/modules]# rm mod_bench.so
    rm: remove regular file `mod_bench.so'? y
    rm: cannot remove `mod_bench.so': Permission denied
    
    root@***** [/etc/httpd/modules]# stat mod_bench.so
      File: `mod_bench.so'
      Size: 47776           Blocks: 96         IO Block: 4096   regular file
    Device: 813h/2067d      Inode: 12452396    Links: 1
    Access: (0755/-rwxr-xr-x)  Uid: (    0/    root)   Gid: (    0/    root)
    Access: 2013-06-11 16:34:00.000000000 +0100
    Modify: 2012-11-26 14:56:06.000000000 +0000
    Change: 2013-06-11 17:38:48.000000000 +0100
    

    I also have no idea how the hacker managed to log in to two servers within minutes using the root password. I've now reset both root passwords, as well as the passwords to my personal online accounts (Gmail, Dropbox etc.).

    A little more info about the servers, and things which they have in common. Please note I'm not pointing fingers here - just mentioning things they have in common in case anyone else has had similar issues.

    Both servers are cPanel 11.38.0
    One uses mod_php (with mod_security) and one uses mod_fcgid
    Both have SSH on port 22, with remote root logins permitted (bad I know - I will be changing this!)
    One other person has the root password to one of the servers, but only I have the root password to both
    Both servers are dedicated servers hosted by UK2
    Both servers have previously had support tickets issued to UK2 with the current root passwords
    I believe some support tickets may have been handled by Supreme Support who are used as UK2's 'Fully Managed' server support provider.

    I also know of another server owner who I believe may have the same infection on his server, which has an almost identical setup to mine (cPanel, UK2, Supreme Support etc.).

    I've also checked for modified ssh binaries and they seem to be OK.

    Is there anything else I should be looking for, has anyone else had similar issues, and how can I get rid of those modules?

    Thanks,

    - Chris
     
  2. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    30,854
    Likes Received:
    676
    Trophy Points:
    113
    cPanel Access Level:
    Root Administrator
    Hello :)

    If your server has been rooted, it's a good idea to consider backing up the accounts to another location or drive, reinstalling the Operating System, and then reinstalling cPanel/restoring the accounts. Otherwise, there is potential that additional exploits are stored on the server.

    Thank you.
     
  3. brianoz

    brianoz Well-Known Member

    Joined:
    Mar 13, 2004
    Messages:
    1,146
    Likes Received:
    6
    Trophy Points:
    38
    Location:
    Melbourne, Australia
    cPanel Access Level:
    Root Administrator
    It sounds like the root password was compromised somehow?
     
  4. 24x7server

    24x7server Well-Known Member

    Joined:
    Apr 17, 2013
    Messages:
    1,146
    Likes Received:
    34
    Trophy Points:
    48
    Location:
    India
    cPanel Access Level:
    Root Administrator
    Totally agree with you guys; if the hacking has been done at root level, then it will be good to restore the server accounts on a new OS and a fresh setup.
     
  5. Wheeler

    Wheeler Member

    Joined:
    Jan 5, 2007
    Messages:
    12
    Likes Received:
    0
    Trophy Points:
    1
    Hi,

    Thanks for the replies. Nothing has re-appeared on the servers yet.

    I am in the process of migrating to another provider, so both servers are due to be decommissioned in the next few months. I will keep a very close eye on them until all sites have been moved to the new provider.
     
  6. wizzy420

    wizzy420 Well-Known Member

    Joined:
    Nov 13, 2007
    Messages:
    125
    Likes Received:
    2
    Trophy Points:
    18
    Same thing just happened here.

    Got one server where I caught it while they were still logged in. Just changed passwords on all my servers.

    Sending you a PM.
     
  7. Hedloff

    Hedloff Well-Known Member

    Joined:
    Jun 7, 2004
    Messages:
    100
    Likes Received:
    2
    Trophy Points:
    18
    We also had one incident with this and are now migrating all accounts over to new servers.
    You should also contact avast after the accounts are moved/restored :)
     
  8. Wheeler

    Wheeler Member

    Joined:
    Jan 5, 2007
    Messages:
    12
    Likes Received:
    0
    Trophy Points:
    1
    A quick update on this in case anyone finds it while searching for similar problems.

    EasyApache was not able to run with the mod_bench.so file in place, so I did a bit more digging and found that the /usr/local/apache/modules directory also had +ia attributes.

    I removed these and the update worked, and I was able to delete the malicious file.
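    As an added example, not from any post in this thread: a POSIX shell audit that packages the two checks the thread converged on, module files that `rpm -qf` reports as unowned and immutable/append-only attributes on the module directory itself (the reason `rm` failed as root while `lsattr` on the file looked clean). The directory paths and the sample `rpm -qf` output are assumptions constructed for the example.

    ```shell
    #!/bin/sh
    # Added example, not from the thread. Audits an Apache module directory for the
    # two symptoms discussed above: module files not owned by any RPM package, and
    # immutable (i) / append-only (a) attributes on the directory itself, which make
    # "rm" fail for root even when "lsattr" on the file shows no flags.

    # Constructed sample of "rpm -qf /etc/httpd/modules/*" output (not real data).
    SAMPLE_RPM_OUTPUT='httpd-2.2.15-29.el6.x86_64
    file /etc/httpd/modules/mod_bench.so is not owned by any package
    mod_security-2.7.3-1.x86_64'

    # Given one line of "lsattr -d DIR" output ("----ia-------e-- /path"), succeed
    # when the flag field contains i (immutable) or a (append-only).
    attr_locked() {
        flags=$(printf '%s\n' "$1" | awk '{print $1}')
        case "$flags" in
            *i*|*a*) return 0 ;;
            *)       return 1 ;;
        esac
    }

    # Print the paths that rpm reports as unowned, one per line.
    unowned_from_rpm_output() {
        printf '%s\n' "$1" | awk '/is not owned by any package/ {print $2}'
    }

    # Live audit of one directory; each check is skipped if its tool is missing.
    audit_module_dir() {
        dir=$1
        if command -v lsattr >/dev/null 2>&1 && attr_locked "$(lsattr -d "$dir" 2>/dev/null)"; then
            echo "WARN: $dir carries i/a attribute; clear with: chattr -ia $dir"
        fi
        if command -v rpm >/dev/null 2>&1; then
            unowned_from_rpm_output "$(rpm -qf "$dir"/* 2>&1)" |
                while read -r f; do echo "WARN: $f is not owned by any package"; done
        fi
    }

    # Directories are assumptions taken from the thread; adjust for your layout.
    for d in /etc/httpd/modules /usr/local/apache/modules; do
        if [ -d "$d" ]; then audit_module_dir "$d"; fi
    done
    ```

    Any module built outside the package manager (EasyApache-compiled modules included) also shows as unowned, so treat the list as a review list against a known-good baseline rather than a verdict.
    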
     