The Community Forums
Several Websites Compromised

Discussion in 'Security' started by P_W, Apr 19, 2014.

  1. P_W (Active Member, joined Oct 7, 2003)
    I've recently observed a slew of accounts "compromised" in the last two days that manifests itself as injections at the top of index.php in the root of random web directories. They don't appear to hit every home directory, but the injection is always exactly the same preg_replace nonsense you normally see on wordpress infections.

    I'd normally chalk this up to wordpress, but this has only been on cpanel servers and two of them have no joomla/wordpress instances on any accounts on the entire box and were still compromised in exactly the same way.

    All servers are auto-updating to 11.42.1.5 and most have the latest apache/php updates on instances that were vulnerable to heartbleed. On the 6 servers with compromised accounts, the index.php files that were updated were all done nearly simultaneously per the modified date. A couple of other acquaintances that also do hosting had a slew of these happen on their cPanel boxes as well, on accounts with no wordpress/joomla either, again only hitting seemingly random folders and not every account.

    For kicks, I did a little forensic work on one account on a very low-volume server with a compromised account. This site is just a few pages of flat php with no back end at all and was also compromised in the exact same way. Domlogs show zero activity other than google scraping their page the entire day. The only other account on the server had no traffic anywhere near when the infection happened. Apache access log shows nothing, no other modified files anywhere in their folders anytime in the last 6 months other than the index.php file.

    Something just seems odd. Different distros, different apache versions, no wordpress/joomla - some even completely flat websites - all infected in exactly the same way at exactly the same time.

    Anyone else seen this behavior lately?
     
    #1 P_W, Apr 19, 2014
    Last edited by a moderator: Apr 20, 2014
  2. quizknows (Well-Known Member, joined Oct 20, 2009; cPanel Access Level: DataCenter Provider)
    Stat the affected files and reference the domlogs / FTP logs for the exact time stamps. Be sure to look for both the modify and change times as modify can be spoofed on non-compromised systems (change time can only be spoofed on a rooted box).

    Make sure apache domlog retention is enabled (now the default, after many years of the default being to erase the domlogs every 24h).

    Also be sure to check the cPanel access log too. Remember that one's in GMT, not the servers local time.

    One random edge case, make sure the FTP server config does not allow auth to FTP accts with the root password.
     
    #2 quizknows, Apr 19, 2014
    Last edited: Apr 19, 2014
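The triage quizknows describes (stat the file for both modify and change time, then pull the domlog and cPanel access-log lines around that moment, remembering the cPanel log is in GMT) is simple enough to script. The block below is an added example for this thread, not cPanel's own tooling or anything posted by the participants. The domlog and cPanel access-log lines in it are constructed samples, not real traffic; the Apache timestamp layout is the standard combined-log one, while the cPanel access_log layout (MM/DD/YYYY with a -0000 offset) is an assumption about that file's format and should be checked against a real line before relying on it.

```python
"""Correlate a suspect file's inode times with web/cPanel log entries.

Added example for the forum thread above; not cPanel code. Sample log
lines are constructed. The mtime/ctime rule: a plain write sets both at
once, and an unprivileged `touch -d` / utime() can move mtime but not
ctime, so mtime older than ctime means the visible "Modified" date is not
when the inode last changed (only root can rewrite ctime, e.g. via the
clock). chmod/chown also bump ctime alone, so a hit means "inspect".
"""
import os
import re
import tempfile
from datetime import datetime, timedelta, timezone

BRACKET_TS = re.compile(r"\[([^\]]+)\]")
APACHE_FMT = "%d/%b/%Y:%H:%M:%S %z"   # domlog: [19/Apr/2014:03:12:44 -0500]
CPANEL_FMT = "%m/%d/%Y:%H:%M:%S %z"   # assumed access_log layout, GMT clock

# Constructed time the index.php was changed, expressed in UTC.
INFECTION_TIME = datetime(2014, 4, 19, 8, 12, 44, tzinfo=timezone.utc)

# Constructed domlog (server clock at -0500) and cPanel access_log lines.
DOMLOG = [
    '198.51.100.9 - - [19/Apr/2014:02:00:17 -0500] "GET / HTTP/1.1" 200 5123 "-" "Googlebot/2.1"',
    '198.51.100.9 - - [19/Apr/2014:03:12:44 -0500] "GET /index.php HTTP/1.1" 200 5123 "-" "Googlebot/2.1"',
    '203.0.113.7 - - [19/Apr/2014:03:13:02 -0500] "POST /index.php HTTP/1.1" 200 11 "-" "Mozilla/5.0"',
]
CPANEL_LOG = [
    '203.0.113.7 - user [04/19/2014:08:13:30 -0000] "GET /frontend/x3/filemanager/index.html HTTP/1.1" 200 0 "" ""',
    '203.0.113.7 - user [04/18/2014:21:40:01 -0000] "GET /frontend/x3/index.html HTTP/1.1" 200 0 "" ""',
]


def inode_times(path):
    """Return (mtime, ctime) of `path` as aware UTC datetimes (like stat)."""
    st = os.stat(path)
    as_utc = lambda t: datetime.fromtimestamp(t, tz=timezone.utc)
    return as_utc(st.st_mtime), as_utc(st.st_ctime)


def mtime_backdated(path, slack=timedelta(seconds=2)):
    """True when mtime predates ctime by more than `slack` (see docstring)."""
    mtime, ctime = inode_times(path)
    return ctime - mtime > slack


def parse_log_time(line, fmt):
    """Pull the bracketed timestamp out of a log line, normalised to UTC."""
    m = BRACKET_TS.search(line)
    if not m:
        return None
    try:
        return datetime.strptime(m.group(1), fmt).astimezone(timezone.utc)
    except ValueError:
        return None


def entries_near(lines, when, fmt, window=timedelta(minutes=5)):
    """Log lines whose timestamp falls within +/- `window` of `when`."""
    hits = []
    for line in lines:
        ts = parse_log_time(line, fmt)
        if ts is not None and abs(ts - when) <= window:
            hits.append(line)
    return hits


def make_sample_file(backdate_to=None):
    """Create a stand-in index.php; optionally rewrite its mtime as touch -d
    would. Only atime/mtime move; ctime records the utime() call itself."""
    fd, path = tempfile.mkstemp(suffix="-index.php")
    with os.fdopen(fd, "w") as f:
        f.write("<?php /* constructed placeholder, not injected code */ ?>\n")
    if backdate_to is not None:
        epoch = backdate_to.timestamp()
        os.utime(path, (epoch, epoch))
    return path


def triage(path, domlog, cpanel_log, window=timedelta(minutes=5)):
    """Run the thread's checks: inode times, then log lines around ctime."""
    mtime, ctime = inode_times(path)
    return {
        "mtime": mtime,
        "ctime": ctime,
        "mtime_backdated": mtime_backdated(path),
        "domlog_hits": entries_near(domlog, ctime, APACHE_FMT, window),
        "cpanel_hits": entries_near(cpanel_log, ctime, CPANEL_FMT, window),
    }


if __name__ == "__main__":
    suspect = make_sample_file(backdate_to=INFECTION_TIME)
    for k, v in triage(suspect, DOMLOG, CPANEL_LOG).items():
        print(f"{k}: {v}")
    print("domlog around ctime-of-record:",
          entries_near(DOMLOG, INFECTION_TIME, APACHE_FMT))
```

On a real box you would run `triage()` against the actual `index.php` and feed it the lines of `/usr/local/apache/domlogs/<domain>` and `/usr/local/cpanel/logs/access_log`; the window is deliberately a few minutes wide because log rotation and clock drift between the web server and the cPanel daemon make exact-second matching unreliable. An empty hit list on both logs with a ctime that lines up with other accounts' files is the pattern P_W reports, and points away from web or cPanel logins as the write path.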
  3. P_W (Active Member)
    That's pretty much exactly what I did on the flat site as I figured it'd be a lot less noise to dig through. Plus, most of their site literally hasn't been updated since 2007.

    It's not a web-based access thing as there was zero domlog access at the time of the infection. Also, this site is behind an .htaccess password so there is no public access to the site at all. I checked the FTP log, also nothing for that day, but the log wasn't entirely empty, which I took as a good sign.

    No root to FTP.

    I'm completely baffled. I'm in the process of assuming the servers are toast and just shuffling them onto newer boxes, which I've been putting off anyway, but it doesn't give me warm fuzzies and I don't have a lot of time to dig into it (or why the accounts seem random).
     