need help preventing malicious spam .php scripts

[Bashed]

I've noticed random shared hosting users get affected (usually WP installs) by randomly named .php scripst that contain malicious spam mailing code.

Example, very similar to a handful I found today from various legitimate users:

- Removed -

Ran Rkhunter, similar results on 3 cPanel boxes:

    /sbin/ifdown                                             [ Warning ]
    /sbin/ifup                                               [ Warning ]
    /usr/bin/GET                                             [ Warning ]
    /usr/bin/ldd                                             [ Warning ]
    /usr/bin/whatis                                          [ Warning ]
    Checking if SSH root access is allowed                   [ Warning ]
    Checking /dev for suspicious file types                  [ Warning ]
    Checking for hidden files and directories                [ Warning ]
    Checking version of OpenSSL                              [ Warning ]

 

[quizknows]

I know you mean well, but the mods here prefer if you don't post malware samples.

Anyway, if the directory is something like wp-uploads and you don't need PHP files in there you can always try something like this in a .htaccess file inside of said directory to block access to them:

# Deny access to non-image files in images or other dir

<FilesMatch "\.(p(hp|hp3|hp4|hp5|l|html|hp.jpg))$">
  Deny from all
</FilesMatch>

Options -indexes

Anyway it comes down to getting the modify and change times (stat output) from the affected files, and digging through your domain access logs to find what file was POSTed to around that time. Many times that leads you to another malicious file and you repeat the process (stat it, check the logs). Also it's worth checking FTP logs and the cpanel access log for file manager access, but in most cases your answer is in the domain access logs given it's probably a CMS hack (outdated plugin, bad admin PW, or otherwise).

 

[Bashed]

The issue is that this happens to random users on a shared hosting server. There's hundreds of domain accounts, so I cannot sit there and figure out every directory, for every user and add this htaccess. I need some anti-malware, preventive measure of some sort on file uploads.

 

[quizknows]

The issue is that this happens to random users on a shared hosting server. There's hundreds of domain accounts, so I cannot sit there and figure out every directory, for every user and add this htaccess. I need some anti-malware, preventive measure of some sort on file uploads.

The .htaccess is only a temporary solution while you work to fix the site. It at least denies access to the malware in the interim.

I strongly recommend CXS as suggested by the previous poster. When set up correctly with modsecurity it will scan file uploads in real time and reject many malicious ones.

Again a true investigation requires digging through logs to find the file source. It's not quick or easy but that's where your answers are. Aside from that make people update their CMS software / plugins / passwords regularly if you can.

 

[cPanelMichael]

Hello

The advice in the previous post is the best approach to this type of issue. You may also want to consider consulting with a qualified system administrator if you are not comfortable reviewing log files and investigating the source of the issue.

Thank you.

 

[Bashed]

When set up correctly with modsecurity it will scan file uploads in real time and reject many malicious ones.

Yes I mentioned in my OP that I have CXS installed, but what is the proper way to set it up with mod security to prevent these type of file uploads? I'd appreciate that input.

 

[Bashed]

I just noticed the moderator not only removed the script example, but my list of security measures (including CXS mention) in my post. Not sure why they removed that portion, nothing private there

 

[quizknows]

Yes I mentioned in my OP that I have CXS installed, but what is the proper way to set it up with mod security to prevent these type of file uploads? I'd appreciate that input.

it 'should' have added this rule to your /usr/local/apache/conf/modsec2.user.conf :

# For CXS 
SecRule "FILES_TMPNAMES" "@inspectFile /etc/cxs/cxscgi.sh"\
"log,auditlog,deny,severity:2,id:'1010101'"

To get it to work properly though there are a couple other steps. You need to configure /etc/cxs/cxscgi.sh and make a quarantine. This is how I do it:

# Create the quarantine:
cxs -Q /home/quarantine -qcreate

Then, open up /etc/cxs/cxscgi.sh and make ONLY ONE LINE UNCOMMENTED as follows:

/usr/sbin/cxs --quiet --cgi -Q /home/quarantine --qoptions Mv --logfile /var/log/cxs.log --smtp --mail root "$1"

Create your cron if it hasn't been done already, and restart cxs and apache:

ln -s  /etc/cxs/cxsdaily.sh /etc/cron.daily/cxsdaily.sh
/etc/init.d/cxswatch restart
/etc/init.d/httpd configtest # MAKE SURE THIS SAYS Syntax OK BEFORE RESTARTING
/etc/init.d/httpd restart

 

[Bashed]

it 'should' have added this rule to your /usr/local/apache/conf/modsec2.user.conf :

Blank. I've added it manually.

Side note, you mentioned opening /etc/cxs/cxscgi.sh two times. Confused. Was this a mistake?

Thanks for your help

 

[quizknows]

Blank. I've added it manually.

Side note, you mentioned opening /etc/cxs/cxscgi.sh two times. Confused. Was this a mistake?

Thanks for your help

I mention first that you will need to open it, the 2nd mention is what you actually need to do with that file.

the file should only have a single line that is uncommented, as outlined above.

 

[Bashed]

This is my cxsdaily.sh file now.

/usr/sbin/cxs --quiet --cgi --smtp --mail root "$1"

# Create the quarantine:
cxs -Q /home/quarantine -qcreate

/usr/sbin/cxs --quiet --cgi -Q /home/quarantine --qoptions Mv --logfile /var/log/cxs.log --smtp --mail root "$1"

 

[quizknows]

Your cxsdaily.sh doesn't need to create the quarantine. It should look something like this:

#!/bin/sh
###############################################################################
# Copyright 2009-2015, Way to the Web Limited
# URL: http://www.configserver.com
# Email: [email protected]
###############################################################################
# Run this script via cron daily

# Daily update of cxs and/or fingerprint definitions
/usr/sbin/cxs --upgrade --quiet

# Daily cleanup of quarantine if used. Modify to specify your quarantine
# directory and duplicate if you use more than one.
#
# Set --qclean to the number of days to retain, e.g. 7 = one week

/usr/sbin/cxs --qclean 7 --quarantine /home/quarantine --quiet

Your /etc/cxs/cxscgi.sh should look like this:

#!/bin/sh
###############################################################################
# Copyright 2009-2015, Way to the Web Limited
# URL: http://www.configserver.com
# Email: [email protected]
###############################################################################
# The option --cgi MUST be used on the cxs command line here
#
# Examples (only use ONE line for cxs scanning):
#/usr/sbin/cxs --quiet --cgi --smtp --mail root "$1"
#/usr/sbin/cxs --quiet --cgi --smtp --mail root --quarantine /home/safe/ "$1"
#/usr/sbin/cxs --quiet --cgi --delete --logfile /var/log/cxs.log --cleanlog "$1"
#
# If you use --logfile, remember to chmod 666 [file] to allow write access
#
# You should include --smtp to allow the nobody user (which ModSecurity runs
# under) to send email.

/usr/sbin/cxs --quiet --cgi -Q /home/quarantine --qoptions Mv --logfile /var/log/cxs.log --smtp --mail root "$1"

The command "cxs -Q /home/quarantine -qcreate" you simply run one time from a shell as root (it won't hurt to run it again but you only need to do it one time).

Once that is done and the modsec rule is in modsec2.user.conf it should scan uploaded files now.