need help preventing malicious spam .php scripts

Bashed

Well-Known Member
cPanel Access Level
Root Administrator
I've noticed random shared hosting users get affected (usually WP installs) by randomly named .php scripts that contain malicious spam mailing code.

Example, very similar to a handful I found today from various legitimate users:

Code:
- Removed -
Ran Rkhunter, similar results on 3 cPanel boxes:

Code:
    /sbin/ifdown                                             [ Warning ]
    /sbin/ifup                                               [ Warning ]
    /usr/bin/GET                                             [ Warning ]
    /usr/bin/ldd                                             [ Warning ]
    /usr/bin/whatis                                          [ Warning ]
    Checking if SSH root access is allowed                   [ Warning ]
    Checking /dev for suspicious file types                  [ Warning ]
    Checking for hidden files and directories                [ Warning ]
    Checking version of OpenSSL                              [ Warning ]
 
Last edited by a moderator:

quizknows

Well-Known Member
cPanel Access Level
DataCenter Provider
I know you mean well, but the mods here prefer if you don't post malware samples.

Anyway, if the directory is something like wp-uploads and you don't need PHP files in there you can always try something like this in a .htaccess file inside of said directory to block access to them:

Code:
# Deny access to non-image files in images or other dir

<FilesMatch "\.(p(hp|hp3|hp4|hp5|l|html|hp.jpg))$">
  Deny from all
</FilesMatch>

Options -indexes
Anyway, it comes down to getting the modify and change times (stat output) from the affected files, and digging through your domain access logs to find what file was POSTed to around that time. Many times that leads you to another malicious file and you repeat the process (stat it, check the logs). Also, it's worth checking FTP logs and the cPanel access log for file manager access, but in most cases your answer is in the domain access logs given it's probably a CMS hack (outdated plugin, bad admin PW, or otherwise).
 

Bashed

Well-Known Member
cPanel Access Level
Root Administrator
The issue is that this happens to random users on a shared hosting server. There are hundreds of domain accounts, so I cannot sit there and figure out every directory for every user and add this .htaccess. I need some anti-malware, preventive measure of some sort on file uploads.
 

quizknows

Well-Known Member
cPanel Access Level
DataCenter Provider
The issue is that this happens to random users on a shared hosting server. There are hundreds of domain accounts, so I cannot sit there and figure out every directory for every user and add this .htaccess. I need some anti-malware, preventive measure of some sort on file uploads.
The .htaccess is only a temporary solution while you work to fix the site. It at least denies access to the malware in the interim.

I strongly recommend CXS as suggested by the previous poster. When set up correctly with modsecurity it will scan file uploads in real time and reject many malicious ones.

Again, a true investigation requires digging through logs to find the file source. It's not quick or easy, but that's where your answers are. Aside from that, make people update their CMS software / plugins / passwords regularly if you can.
 

cPanelMichael

Administrator
Staff member
Hello :)

The advice in the previous post is the best approach to this type of issue. You may also want to consider consulting with a qualified system administrator if you are not comfortable reviewing log files and investigating the source of the issue.

Thank you.
 

Bashed

Well-Known Member
cPanel Access Level
Root Administrator
When set up correctly with modsecurity it will scan file uploads in real time and reject many malicious ones.
Yes, I mentioned in my OP that I have CXS installed, but what is the proper way to set it up with mod_security to prevent this type of file upload? I'd appreciate that input.
 

Bashed

Well-Known Member
cPanel Access Level
Root Administrator
I just noticed the moderator not only removed the script example, but also my list of security measures (including the CXS mention) in my post. Not sure why they removed that portion; nothing private there.
 

quizknows

Well-Known Member
cPanel Access Level
DataCenter Provider
Yes, I mentioned in my OP that I have CXS installed, but what is the proper way to set it up with mod_security to prevent this type of file upload? I'd appreciate that input.
It 'should' have added this rule to your /usr/local/apache/conf/modsec2.user.conf:
Code:
# For CXS
SecRule "FILES_TMPNAMES" "@inspectFile /etc/cxs/cxscgi.sh"\
"log,auditlog,deny,severity:2,id:'1010101'"
To get it to work properly though there are a couple other steps. You need to configure /etc/cxs/cxscgi.sh and make a quarantine. This is how I do it:
Code:
# Create the quarantine:
cxs -Q /home/quarantine -qcreate
Then, open up /etc/cxs/cxscgi.sh and make ONLY ONE LINE UNCOMMENTED as follows:
Code:
/usr/sbin/cxs --quiet --cgi -Q /home/quarantine --qoptions Mv --logfile /var/log/cxs.log --smtp --mail root "$1"
Create your cron if it hasn't been done already, and restart cxs and apache:

Code:
ln -s /etc/cxs/cxsdaily.sh /etc/cron.daily/cxsdaily.sh
/etc/init.d/cxswatch restart
/etc/init.d/httpd configtest # MAKE SURE THIS SAYS Syntax OK BEFORE RESTARTING
/etc/init.d/httpd restart
 

Bashed

Well-Known Member
cPanel Access Level
Root Administrator
It 'should' have added this rule to your /usr/local/apache/conf/modsec2.user.conf:
Blank. I've added it manually.

Side note, you mentioned opening /etc/cxs/cxscgi.sh two times. Confused. Was this a mistake?

Thanks for your help
 

quizknows

Well-Known Member
cPanel Access Level
DataCenter Provider
Blank. I've added it manually.

Side note, you mentioned opening /etc/cxs/cxscgi.sh two times. Confused. Was this a mistake?

Thanks for your help
I mention first that you will need to open it; the second mention is what you actually need to do with that file.

The file should only have a single line that is uncommented, as outlined above.
 

Bashed

Well-Known Member
cPanel Access Level
Root Administrator
This is my cxsdaily.sh file now.

Code:
/usr/sbin/cxs --quiet --cgi --smtp --mail root "$1"

# Create the quarantine:
cxs -Q /home/quarantine -qcreate

/usr/sbin/cxs --quiet --cgi -Q /home/quarantine --qoptions Mv --logfile /var/log/cxs.log --smtp --mail root "$1"
 

quizknows

Well-Known Member
cPanel Access Level
DataCenter Provider
Your cxsdaily.sh doesn't need to create the quarantine. It should look something like this:

Code:
#!/bin/sh
###############################################################################
# Copyright 2009-2015, Way to the Web Limited
# URL: http://www.configserver.com
# Email: [email protected]
###############################################################################
# Run this script via cron daily

# Daily update of cxs and/or fingerprint definitions
/usr/sbin/cxs --upgrade --quiet

# Daily cleanup of quarantine if used. Modify to specify your quarantine
# directory and duplicate if you use more than one.
#
# Set --qclean to the number of days to retain, e.g. 7 = one week

/usr/sbin/cxs --qclean 7 --quarantine /home/quarantine --quiet

Your /etc/cxs/cxscgi.sh should look like this:

Code:
#!/bin/sh
###############################################################################
# Copyright 2009-2015, Way to the Web Limited
# URL: http://www.configserver.com
# Email: [email protected]
###############################################################################
# The option --cgi MUST be used on the cxs command line here
#
# Examples (only use ONE line for cxs scanning):
#/usr/sbin/cxs --quiet --cgi --smtp --mail root "$1"
#/usr/sbin/cxs --quiet --cgi --smtp --mail root --quarantine /home/safe/ "$1"
#/usr/sbin/cxs --quiet --cgi --delete --logfile /var/log/cxs.log --cleanlog "$1"
#
# If you use --logfile, remember to chmod 666 [file] to allow write access
#
# You should include --smtp to allow the nobody user (which ModSecurity runs
# under) to send email.

/usr/sbin/cxs --quiet --cgi -Q /home/quarantine --qoptions Mv --logfile /var/log/cxs.log --smtp --mail root "$1"
The command "cxs -Q /home/quarantine -qcreate" you simply run one time from a shell as root (it won't hurt to run it again but you only need to do it one time).

Once that is done and the modsec rule is in modsec2.user.conf it should scan uploaded files now.
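A quick sanity check for the setup quizknows lays out above (the @inspectFile rule in modsec2.user.conf, exactly one active --cgi line in /etc/cxs/cxscgi.sh, and a cxsdaily.sh that only updates and cleans, unlike the mixed-up one posted earlier). This is an added example written for this thread, not code from the thread or from ConfigServer; the paths default to the ones used in the thread and can be overridden as three positional arguments.

```shell
#!/bin/sh
# Post-setup check for the CXS + ModSecurity upload scanning described in the
# thread. Added example, not from the thread or from ConfigServer. Paths are
# the thread's defaults; pass cxscgi.sh, cxsdaily.sh, modsec2.user.conf to override.

# Regex for an uncommented line that invokes cxs (leading whitespace allowed).
CXS_LINE='^[[:space:]]*(/usr/sbin/)?cxs([[:space:]]|$)'

# Print the number of active (uncommented) cxs invocations in a wrapper script.
count_active_cxs_lines() {
    [ -f "$1" ] || { echo 0; return 0; }
    grep -c -E "$CXS_LINE" "$1" || true
}

# cxscgi.sh must have exactly one active cxs line, and it must carry --cgi,
# because ModSecurity hands the uploaded file to the script as "$1".
check_cxscgi() {
    [ "$(count_active_cxs_lines "$1")" -eq 1 ] || return 1
    grep -E "$CXS_LINE" "$1" | grep -q -e '--cgi'
}

# cxsdaily.sh is run by cron, not ModSecurity: an active --cgi line there
# would scan an empty "$1" every day instead of uploads.
check_cxsdaily() {
    [ -f "$1" ] || return 1
    ! grep -E "$CXS_LINE" "$1" | grep -q -e '--cgi'
}

# modsec2.user.conf must contain the @inspectFile rule pointing at cxscgi.sh;
# the variable may be quoted or not, as in the thread's rule.
check_modsec_rule() {
    [ -f "$1" ] || return 1
    grep -q -E 'SecRule[[:space:]]+"?FILES_TMPNAMES"?[[:space:]]+"@inspectFile[[:space:]]+/etc/cxs/cxscgi.sh"' "$1"
}

# $1 = label, $2 = check function, $3 = file; never exits non-zero itself.
report() {
    if "$2" "$3"; then echo "OK    $1 ($3)"; else echo "FAIL  $1 ($3)"; fi
}

report "cxscgi.sh has one active cxs --cgi line" check_cxscgi "${1:-/etc/cxs/cxscgi.sh}"
report "cxsdaily.sh has no --cgi line"          check_cxsdaily "${2:-/etc/cxs/cxsdaily.sh}"
report "ModSecurity @inspectFile rule present"  check_modsec_rule "${3:-/usr/local/apache/conf/modsec2.user.conf}"
```

Run it as root after the `httpd configtest` / restart step; every line should read OK before you trust that uploads are being scanned.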