Several Websites Compromised

P_W

Active Member
Oct 7, 2003
43
0
156
I've recently observed a slew of accounts "compromised" in the last two days that manifests itself as injections at the top of index.php in the root of random web directories. They don't appear to hit every home directory, but the injection is always exactly the same preg_replace nonsense you normally see on wordpress infections.

I'd normally chalk this up to wordpress, but this has only been on cpanel servers and two of them have no joomla/wordpress instances on any accounts on the entire box and were still compromised in exactly the same way.

All servers are auto-updating to 11.42.1.5 and most have the latest apache/php updates on instances that were vulnerable to heartbleed. On the 6 servers with compromised accounts, the index.php files that were updated were all done nearly simultaneously per the modified date. A couple other acquaintances that also do hosting had a slew of these happen on his cpanel boxes as well on accounts with no wordpress/joomla either, again only hitting seemingly random folders and not every account.

For kicks, I did a little forensic work on one account on a very low-volume server with a compromised account. This site is just a few pages of flat php with no back end at all and was also compromised in the exact same way. Domlogs show zero activity other than google scraping their page the entire day. The only other account on the server had no traffic anywhere near when the infection happened. Apache access log shows nothing, no other modified files anywhere in their folders anytime in the last 6 months other than the index.php file.

Something just seems odd. Different distros, different apache versions, no wordpress/joomla - some even completely flat websites - all infected in exactly the same way at exactly the same time.

Anyone else seen this behavior lately?
 
Last edited by a moderator:

quizknows

Well-Known Member
Oct 20, 2009
1,008
87
78
cPanel Access Level
DataCenter Provider
Stat the affected files and reference the domlogs / FTP logs for the exact time stamps. Be sure to look for both the modify and change times as modify can be spoofed on non-compromised systems (change time can only be spoofed on a rooted box).

Make sure apache domlog retention is enabled (now default after many years of the default being erasing the domlogs every 24h).

Also be sure to check the cPanel access log too. Remember that one's in GMT, not the servers local time.

One random edge case, make sure the FTP server config does not allow auth to FTP accts with the root password.
 
Last edited:

P_W

Active Member
Oct 7, 2003
43
0
156
That's pretty much exactly what I did on the flat site as I figured it'd be a lot less noise to dig through. Plus, most of their site literally hasn't been updated since 2007.

It's not a web-based access thing as there was zero domlog access at the time of the infection. Also, this site is behind an .htaccess password so there is no public access to the site at all. I checked the FTP log, also nothing for that day, but the log wasn't entirely empty, which I took as a good sign.

No root to FTP.

I'm completely baffled. I'm in the process of assuming the servers are toast and just shuffling them onto newer boxes, which I've been putting off anyway, but it doesn't give me warm fuzzies and I don't have a lot of time to dig into it (or why the accounts seem random).
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
47,908
2,216
463
You may want to review /usr/local/cpanel/logs/login_log to see if there are any signs of a brute force attack on the accounts.

Thank you.