The Community Forums


need help preventing malicious spam .php scripts

Discussion in 'Security' started by Bashed, Jan 7, 2016.

  1. Bashed

    Bashed Well-Known Member

    Joined:
    Dec 18, 2013
    Messages:
    78
    Likes Received:
    1
    Trophy Points:
    8
    cPanel Access Level:
    Root Administrator
    I've noticed random shared hosting users get affected (usually WP installs) by randomly named .php scripts that contain malicious spam mailing code.

    Example, very similar to a handful I found today from various legitimate users:

    Code:
    - Removed -
    
    Ran Rkhunter, similar results on 3 cPanel boxes:

    Code:
        /sbin/ifdown                                             [ Warning ]
        /sbin/ifup                                               [ Warning ]
        /usr/bin/GET                                             [ Warning ]
        /usr/bin/ldd                                             [ Warning ]
        /usr/bin/whatis                                          [ Warning ]
        Checking if SSH root access is allowed                   [ Warning ]
        Checking /dev for suspicious file types                  [ Warning ]
        Checking for hidden files and directories                [ Warning ]
        Checking version of OpenSSL                              [ Warning ]
     
    #1 Bashed, Jan 7, 2016
    Last edited by a moderator: Jan 7, 2016
  2. quizknows

    quizknows Well-Known Member

    Joined:
    Oct 20, 2009
    Messages:
    942
    Likes Received:
    57
    Trophy Points:
    28
    cPanel Access Level:
    DataCenter Provider
    I know you mean well, but the mods here prefer if you don't post malware samples.

    Anyway, if the directory is something like wp-uploads and you don't need PHP files in there you can always try something like this in a .htaccess file inside of said directory to block access to them:

    Code:
    # Deny access to non-image files in images or other dir
    
    <FilesMatch "\.(p(hp|hp3|hp4|hp5|l|html|hp.jpg))$">
      Deny from all
    </FilesMatch>
    
    Options -indexes
    
    Anyway it comes down to getting the modify and change times (stat output) from the affected files, and digging through your domain access logs to find what file was POSTed to around that time. Many times that leads you to another malicious file and you repeat the process (stat it, check the logs). Also it's worth checking FTP logs and the cpanel access log for file manager access, but in most cases your answer is in the domain access logs given it's probably a CMS hack (outdated plugin, bad admin PW, or otherwise).
     
    Infopro likes this.
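The investigation loop described above (stat the dropped file, then search the domain access log for POST requests around that time, then follow the trail to the next file) is easy to script. The following is an added example written for this thread, not code from the poster or from cPanel; the log lines, IP addresses and file timestamp are constructed, and the window size and log format (Apache combined format, as written to cPanel domain logs) are assumptions.

```python
"""Correlate a dropped file's mtime with POST requests in a domain access log.

Added example (not from the thread). Given the mtime from `stat` on a
suspicious file and the lines of an Apache combined-format access log, list
the POST requests that landed within a window around that time, and show
which client first requested the dropped file itself.
"""
import os
import re
from datetime import datetime, timedelta, timezone

# Constructed sample log in Apache combined format (the format of
# /usr/local/apache/domlogs/<domain> on cPanel). Not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [07/Jan/2016:10:12:50 -0600] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.7 - - [07/Jan/2016:10:14:02 -0600] "GET /wp-admin/ HTTP/1.1" 200 1245 "-" "Mozilla/5.0"
203.0.113.7 - - [07/Jan/2016:10:15:31 -0600] "POST /wp-content/plugins/example-plugin/upload.php HTTP/1.1" 200 58 "-" "Mozilla/5.0"
198.51.100.20 - - [07/Jan/2016:10:16:00 -0600] "GET /index.php HTTP/1.1" 200 8812 "-" "Mozilla/5.0"
203.0.113.7 - - [07/Jan/2016:10:15:40 -0600] "GET /wp-content/uploads/2016/01/x9f3k2.php HTTP/1.1" 200 12 "-" "Mozilla/5.0"
"""

# Constructed: what `stat` reported as the modify time of the dropped file.
DROPPED_FILE = "/wp-content/uploads/2016/01/x9f3k2.php"
FILE_MTIME = datetime(2016, 1, 7, 10, 15, 33, tzinfo=timezone(timedelta(hours=-6)))

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)


def mtime_of(path):
    """Modification time of a real file as an aware datetime (local timezone)."""
    return datetime.fromtimestamp(os.stat(path).st_mtime).astimezone()


def parse_line(line):
    """Parse one combined-format line; returns None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": m.group("ip"), "time": ts, "method": m.group("method"),
            "path": m.group("path"), "status": int(m.group("status"))}


def requests_near(log_text, file_mtime, window_seconds=120, methods=("POST",)):
    """Log entries using one of `methods` within +/- window_seconds of file_mtime.

    A POST that lands seconds before the file's mtime is the usual sign of the
    script (or a file manager endpoint) that wrote it."""
    window = timedelta(seconds=window_seconds)
    hits = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry and entry["method"] in methods and abs(entry["time"] - file_mtime) <= window:
            hits.append(entry)
    hits.sort(key=lambda e: e["time"])
    return hits


def first_access(log_text, path):
    """Earliest request for `path`: who first called the dropped file."""
    entries = [e for e in map(parse_line, log_text.splitlines()) if e and e["path"] == path]
    return min(entries, key=lambda e: e["time"]) if entries else None


def suspicious_posts():
    """Run the correlation on the constructed sample."""
    return requests_near(SAMPLE_LOG, FILE_MTIME)


if __name__ == "__main__":
    for e in suspicious_posts():
        print("%s %s %s %d" % (e["time"].isoformat(), e["ip"], e["path"], e["status"]))
    print("first request for dropped file:", first_access(SAMPLE_LOG, DROPPED_FILE))
```

On a real box, replace `SAMPLE_LOG` with the contents of the affected domain's log and `FILE_MTIME` with `mtime_of("/home/user/public_html/...")`. The path that the nearby POST went to is the next file to `stat` and search for, which is the repeat step the post describes.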
  3. Bashed

    Bashed Well-Known Member

    Joined:
    Dec 18, 2013
    Messages:
    78
    Likes Received:
    1
    Trophy Points:
    8
    cPanel Access Level:
    Root Administrator
    The issue is that this happens to random users on a shared hosting server. There's hundreds of domain accounts, so I cannot sit there and figure out every directory, for every user and add this htaccess. I need some anti-malware, preventive measure of some sort on file uploads.
     
  4. quizknows

    quizknows Well-Known Member

    Joined:
    Oct 20, 2009
    Messages:
    942
    Likes Received:
    57
    Trophy Points:
    28
    cPanel Access Level:
    DataCenter Provider
    The .htaccess is only a temporary solution while you work to fix the site. It at least denies access to the malware in the interim.

    I strongly recommend CXS as suggested by the previous poster. When set up correctly with modsecurity it will scan file uploads in real time and reject many malicious ones.

    Again a true investigation requires digging through logs to find the file source. It's not quick or easy but that's where your answers are. Aside from that make people update their CMS software / plugins / passwords regularly if you can.
     
  5. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    30,811
    Likes Received:
    671
    Trophy Points:
    113
    cPanel Access Level:
    Root Administrator
    Hello :)

    The advice in the previous post is the best approach to this type of issue. You may also want to consider consulting with a qualified system administrator if you are not comfortable reviewing log files and investigating the source of the issue.

    Thank you.
     
  6. Bashed

    Bashed Well-Known Member

    Joined:
    Dec 18, 2013
    Messages:
    78
    Likes Received:
    1
    Trophy Points:
    8
    cPanel Access Level:
    Root Administrator
    Yes I mentioned in my OP that I have CXS installed, but what is the proper way to set it up with mod security to prevent these type of file uploads? I'd appreciate that input.
     
  7. Bashed

    Bashed Well-Known Member

    Joined:
    Dec 18, 2013
    Messages:
    78
    Likes Received:
    1
    Trophy Points:
    8
    cPanel Access Level:
    Root Administrator
    I just noticed the moderator not only removed the script example, but my list of security measures (including CXS mention) in my post. Not sure why they removed that portion, nothing private there.
     
  8. quizknows

    quizknows Well-Known Member

    Joined:
    Oct 20, 2009
    Messages:
    942
    Likes Received:
    57
    Trophy Points:
    28
    cPanel Access Level:
    DataCenter Provider
    It 'should' have added this rule to your /usr/local/apache/conf/modsec2.user.conf :
    Code:
    # For CXS 
    SecRule "FILES_TMPNAMES" "@inspectFile /etc/cxs/cxscgi.sh"\
    "log,auditlog,deny,severity:2,id:'1010101'"
    
    To get it to work properly though there are a couple other steps. You need to configure /etc/cxs/cxscgi.sh and make a quarantine. This is how I do it:
    Code:
    # Create the quarantine:
    cxs -Q /home/quarantine -qcreate
    
    Then, open up /etc/cxs/cxscgi.sh and make ONLY ONE LINE UNCOMMENTED as follows:
    Code:
    /usr/sbin/cxs --quiet --cgi -Q /home/quarantine --qoptions Mv --logfile /var/log/cxs.log --smtp --mail root "$1"
    
    Create your cron if it hasn't been done already, and restart cxs and apache:

    Code:
    ln -s  /etc/cxs/cxsdaily.sh /etc/cron.daily/cxsdaily.sh
    /etc/init.d/cxswatch restart
    /etc/init.d/httpd configtest # MAKE SURE THIS SAYS Syntax OK BEFORE RESTARTING
    /etc/init.d/httpd restart 
    
     
  9. Bashed

    Bashed Well-Known Member

    Joined:
    Dec 18, 2013
    Messages:
    78
    Likes Received:
    1
    Trophy Points:
    8
    cPanel Access Level:
    Root Administrator
    Blank. I've added it manually.

    Side note, you mentioned opening /etc/cxs/cxscgi.sh two times. Confused. Was this a mistake?

    Thanks for your help
     
    #9 Bashed, Jan 8, 2016
    Last edited: Jan 8, 2016
  10. quizknows

    quizknows Well-Known Member

    Joined:
    Oct 20, 2009
    Messages:
    942
    Likes Received:
    57
    Trophy Points:
    28
    cPanel Access Level:
    DataCenter Provider
    I mention first that you will need to open it, the 2nd mention is what you actually need to do with that file.

    The file should only have a single line that is uncommented, as outlined above.
     
  11. Bashed

    Bashed Well-Known Member

    Joined:
    Dec 18, 2013
    Messages:
    78
    Likes Received:
    1
    Trophy Points:
    8
    cPanel Access Level:
    Root Administrator
    This is my cxsdaily.sh file now.

    Code:
    /usr/sbin/cxs --quiet --cgi --smtp --mail root "$1"
    
    # Create the quarantine:
    cxs -Q /home/quarantine -qcreate
    
    /usr/sbin/cxs --quiet --cgi -Q /home/quarantine --qoptions Mv --logfile /var/log/cxs.log --smtp --mail root "$1"
     
  12. quizknows

    quizknows Well-Known Member

    Joined:
    Oct 20, 2009
    Messages:
    942
    Likes Received:
    57
    Trophy Points:
    28
    cPanel Access Level:
    DataCenter Provider
    Your cxsdaily.sh doesn't need to create the quarantine. It should look something like this:

    Code:
    #!/bin/sh
    ###############################################################################
    # Copyright 2009-2015, Way to the Web Limited
    # URL: http://www.configserver.com
    # Email: sales@waytotheweb.com
    ###############################################################################
    # Run this script via cron daily
    
    # Daily update of cxs and/or fingerprint definitions
    /usr/sbin/cxs --upgrade --quiet
    
    # Daily cleanup of quarantine if used. Modify to specify your quarantine
    # directory and duplicate if you use more than one.
    #
    # Set --qclean to the number of days to retain, e.g. 7 = one week
    
    /usr/sbin/cxs --qclean 7 --quarantine /home/quarantine --quiet
    
    

    Your /etc/cxs/cxscgi.sh should look like this:

    Code:
    #!/bin/sh
    ###############################################################################
    # Copyright 2009-2015, Way to the Web Limited
    # URL: http://www.configserver.com
    # Email: sales@waytotheweb.com
    ###############################################################################
    # The option --cgi MUST be used on the cxs command line here
    #
    # Examples (only use ONE line for cxs scanning):
    #/usr/sbin/cxs --quiet --cgi --smtp --mail root "$1"
    #/usr/sbin/cxs --quiet --cgi --smtp --mail root --quarantine /home/safe/ "$1"
    #/usr/sbin/cxs --quiet --cgi --delete --logfile /var/log/cxs.log --cleanlog "$1"
    #
    # If you use --logfile, remember to chmod 666 [file] to allow write access
    #
    # You should include --smtp to allow the nobody user (which ModSecurity runs
    # under) to send email.
    
    /usr/sbin/cxs --quiet --cgi -Q /home/quarantine --qoptions Mv --logfile /var/log/cxs.log --smtp --mail root "$1"
    
    
    The command "cxs -Q /home/quarantine -qcreate" you simply run one time from a shell as root (it won't hurt to run it again but you only need to do it one time).

    Once that is done and the modsec rule is in modsec2.user.conf it should scan uploaded files now.
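The setup in the posts above has several pieces that must all line up (the rule in modsec2.user.conf, exactly one active line in cxscgi.sh, nothing upload-related in cxsdaily.sh, an existing quarantine, the daily cron link), and the mistake in post #11 shows how easy it is to put a line in the wrong file. The script below is an added example for this thread, not part of CXS or of any poster's setup: it reads those files and reports what is missing. The file contents embedded in it are constructed samples modelled on the posts; the file paths are the ones given in the thread.

```python
"""Sanity-check the CXS + ModSecurity upload-scanning wiring described above.

Added example, not part of CXS. Checks the three files the posts edit plus
the quarantine directory and cron link, and returns a list of problems.
"""
import os
import re
import shlex

CXSCGI = "/etc/cxs/cxscgi.sh"
CXSDAILY = "/etc/cxs/cxsdaily.sh"
MODSEC_USER_CONF = "/usr/local/apache/conf/modsec2.user.conf"
CRON_LINK = "/etc/cron.daily/cxsdaily.sh"

# Constructed sample: a correct cxscgi.sh (one active line, as in post #12).
GOOD_CXSCGI = r'''#!/bin/sh
# Examples (only use ONE line for cxs scanning):
#/usr/sbin/cxs --quiet --cgi --smtp --mail root "$1"

/usr/sbin/cxs --quiet --cgi -Q /home/quarantine --qoptions Mv --logfile /var/log/cxs.log --smtp --mail root "$1"
'''

# Constructed sample: the cxsdaily.sh from post #11, with the upload-scan
# lines that do not belong in a daily cron script.
BROKEN_CXSDAILY = r'''/usr/sbin/cxs --quiet --cgi --smtp --mail root "$1"

# Create the quarantine:
cxs -Q /home/quarantine -qcreate

/usr/sbin/cxs --quiet --cgi -Q /home/quarantine --qoptions Mv --logfile /var/log/cxs.log --smtp --mail root "$1"
'''

# Constructed sample: the rule from post #8 (backslash continuation kept).
GOOD_MODSEC = r'''# For CXS
SecRule "FILES_TMPNAMES" "@inspectFile /etc/cxs/cxscgi.sh"\
"log,auditlog,deny,severity:2,id:'1010101'"
'''

RULE_RE = re.compile(r'SecRule\s+"?FILES_TMPNAMES"?\s+"@inspectFile\s+/etc/cxs/cxscgi\.sh"')


def active_lines(text):
    """Lines the shell/Apache would execute: not blank, not comments,
    with backslash-newline continuations joined."""
    joined = text.replace("\\\n", " ")
    return [l.strip() for l in joined.splitlines() if l.strip() and not l.strip().startswith("#")]


def check_cxscgi(text):
    """ModSecurity runs cxscgi.sh per upload: one cxs line, --cgi, --smtp, "$1" last."""
    lines = active_lines(text)
    if len(lines) != 1:
        return ["cxscgi.sh must have exactly one uncommented line, found %d" % len(lines)]
    args = shlex.split(lines[0])
    problems = []
    if not args or not args[0].endswith("cxs"):
        problems.append("the active line must run cxs")
    for flag in ("--cgi", "--smtp"):
        if flag not in args:
            problems.append("missing %s in cxscgi.sh" % flag)
    if not args or args[-1] != "$1":
        problems.append('the uploaded temp file must be passed last as "$1"')
    return problems


def quarantine_dir(text):
    """Quarantine path named by -Q/--quarantine on the active cxs line, or None."""
    for line in active_lines(text):
        args = shlex.split(line)
        for i, a in enumerate(args[:-1]):
            if a in ("-Q", "--quarantine"):
                return args[i + 1]
    return None


def check_cxsdaily(text):
    """The daily script updates definitions and cleans the quarantine; nothing else."""
    problems = []
    for line in active_lines(text):
        if "--cgi" in line or "$1" in line:
            problems.append("upload-scan line belongs in cxscgi.sh, not cxsdaily.sh: " + line)
        if "-qcreate" in line:
            problems.append("quarantine creation is a one-off root command, not a daily job: " + line)
    return problems


def check_modsec(text):
    """The @inspectFile rule must exist, deny on a hit, and carry an id."""
    for line in active_lines(text):
        if RULE_RE.search(line):
            problems = []
            if "deny" not in line:
                problems.append("rule matches uploads but does not deny them")
            if not re.search(r"id:'?\d+'?", line):
                problems.append("rule has no id action")
            return problems
    return ["no @inspectFile rule for /etc/cxs/cxscgi.sh in modsec2.user.conf"]


def check_paths(quarantine, cron_link=CRON_LINK):
    """Filesystem side: quarantine created once with -qcreate, cron link present."""
    problems = []
    if quarantine and not os.path.isdir(quarantine):
        problems.append("quarantine %s missing: run 'cxs -Q %s -qcreate' once as root" % (quarantine, quarantine))
    if not (os.path.islink(cron_link) or os.path.isfile(cron_link)):
        problems.append("daily cron link %s missing" % cron_link)
    return problems


if __name__ == "__main__":
    # On a real server read the live files; elsewhere fall back to the samples.
    def read(path, fallback):
        return open(path).read() if os.path.exists(path) else fallback
    cgi = read(CXSCGI, GOOD_CXSCGI)
    report = (check_cxscgi(cgi) + check_cxsdaily(read(CXSDAILY, ""))
              + check_modsec(read(MODSEC_USER_CONF, GOOD_MODSEC)) + check_paths(quarantine_dir(cgi)))
    print("\n".join(report) or "CXS upload scanning looks correctly wired")
```

Run it as root after the steps in post #8; an empty report means the files match what the posts describe. It does not replace the `httpd configtest` step, which is still the only check that Apache will accept the rule syntax.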
     