-
18-12-2009, 13:35 #1
Member
- Join Date
- May 2008
- Posts
- 85
Virus infected server and no real help from support
Well, we got ourselves a nice shock today. It would seem we have a virus on our dedicated server that is causing a web page redirect to a spoof anti-virus software page.
So we of course speak with support, asking how this could happen, and are really given a blank other than "you will need to take a complete backup of the server, scan the backup for viruses and then re-upload it". Of course, if there is already a virus on the server, then backing up the data, cleaning it and then re-uploading it is not going to clear the virus from the server.
Well, as support are not very helpful on this, has anyone got any ideas on the best way forward with cleaning our "so called" managed server ourselves?
Cheers
-
18-12-2009, 16:06 #2
Senior Member
- Join Date
- May 2008
- Posts
- 306
One of our dedis got hit too.... you will find it's only the .htaccess that's been replaced.
There is a range of IPs that you can add to CSF if you're running it...
Feel free to PM me if you want.
Last edited by Welshy; 18-12-2009 at 16:08. Reason: .
-
18-12-2009, 16:27 #3
Hello vivaciti,
While investigating the hacking issue on your server I found that lots of your cPanel accounts are hacked and he had replaced the .htaccess file using FTP. Here is the list of IPs:
66.6.63.2
66.6.63.3
66.6.63.4
66.6.63.5
66.6.63.6
I'll send the list of all affected users to your billing email address; kindly change their cPanel passwords as soon as possible and set complicated ones using some special characters. I am in the process of restoring all these .htaccess files; I'll update you once it is done.
Thanks and Regards,
Alex Parker
Senior System Administrator.
Dedicated Hosting || Semi Dedicated Hosting || Disaster Recovery Solutions
EMAIL:alex @ eukhost.com
MSN: alex @ eukhost.com
SKYPE: euk_alexp
-
18-12-2009, 16:31 #4
Senior Member
- Join Date
- May 2008
- Posts
- 306
hey alex... good day..
Alex helped me out a great deal yesterday.... do you think this is more like a vulnerability in cPanel? There has to be a trend somewhere if others are experiencing this too.
vivaciti... when did this happen on yours?
-
18-12-2009, 16:52 #5
Thanks and Regards,
Alex Parker
-
18-12-2009, 16:55 #6
Senior Member
- Join Date
- May 2008
- Posts
- 306
Yes, hence wondering if there's a common point of entry....
E.g. is it since the cPanel 11.25 upgrades? Is there a hole in their code that may have allowed entry... vivaciti, what WHM/cPanel are you using?
-
18-12-2009, 18:43 #7
Thanks and Regards,
Alex Parker
-
18-12-2009, 18:45 #8
Hello,
Also, one more thing: we have blocked all these IPs at our core routers' end, and I hope they won't deface any more servers henceforth.
Thanks and Regards,
Alex Parker
-
18-12-2009, 20:00 #9
-
19-12-2009, 00:12 #10
Member
- Join Date
- May 2008
- Posts
- 85
Admittedly our own cPanel, although strong, is not very strong, but some of the other sites affected had cPanel passwords system-generated as very strong.
-
19-12-2009, 00:13 #11
Senior Member
- Join Date
- May 2008
- Posts
- 306
we found the same....
-
24-12-2009, 17:07 #12
Member
- Join Date
- May 2008
- Posts
- 85
Getting the runaround now; had it happen several times today. The last time I was told it was fixed but had to disable all FTP.
OK, no problem. A couple of hours later I got reports it's back again, and some numpty on live chat tells me our ticket has been replied to and it's all sorted. I check the tickets and find the last update is from just after lunch, when it was fixed the last time. I'm trying to explain that this live chat is after that ticket reply, and that I started the live chat with "the hack is back" (should have told him that it has returned), but he doesn't seem to get it, and the 24x7 phones don't work either, so now I suppose we are just stuffed until after Xmas!
We pay a little extra for 24-hour support, but if this is what we are going to get, we may as well save ourselves some money and move to a different company with 9-5.
It's a joke. Although a Google search does not bring this issue up for anyone other than eukhost, we are told it is happening to everyone; well, if that were the case I would have thought we might have heard from other hosts and in different forums!
-
24-12-2009, 22:51 #13
Hello,
While investigating the logs on your server I found that the majority of compromises come from compromised user accounts. There are plenty of scanners out there that look for vulnerable software like old wordpress, joomla, etc. Usually when they scan, they check entire netblocks, which would explain why multiple servers of yours may have been hit in short order. Many users utilize the same password for SQL as they do for cPanel login, because they don't think about the security implications. Then when their application is compromised, the attacker gets access to cPanel.
We recommend you change your users' passwords (FTP, cPanel, etc.) as a first measure, and scan your server with anti-malware software (like ClamAV with appropriate definitions, etc.).
The IP used to attack the ftp accounts also was found to be scanning for exploits on the server. Example:
[Tue Dec 01 05:17:51 2009] [error] [client 66.96.128.60] ModSecurity: Access denied with code 406 (phase 2). Pattern match "(?:\\b(?:(?:s(?:elect\\b(?:.{1,100}?\\b(?:(?:length|count|top)\\b.{1,100}?\\bfrom|from\\b.{1,100}?\\bwhere)|.*?\\b(?:d(?:ump\\b.*\\bfrom|ata_type)|(?:to_(?:numbe|cha)|inst)r))|p_(?:(?:addextendedpro|sqlexe)c|(?:oacreat|prepar)e|execute(?:sql)?|makewebtask)|ql_(? ..." at ARGS:extid. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "92"] [id "950001"] [msg "SQL Injection Attack"] [data "union select"] [severity "CRITICAL"] [tag "WEB_ATTACK/SQL_INJECTION"] [hostname "www.xyx.com"] [uri "/components/com_jcalpro/cal_popup.php"] [unique_id "4TY@q06Bw2QAAGP-LLsAAAAM"]
[Tue Dec 01 05:17:51 2009] [error] [client 66.96.128.60] File does not exist: /home/bembridg/public_html/406.shtml
[Tue Dec 01 05:17:52 2009] [error] [client 66.96.128.60] ModSecurity: Access denied with code 406 (phase 2). Pattern match "(?:\\b(?:(?:s(?:elect\\b(?:.{1,100}?\\b(?:(?:length|count|top)\\b.{1,100}?\\bfrom|from\\b.{1,100}?\\bwhere)|.*?\\b(?:d(?:ump\\b.*\\bfrom|ata_type)|(?:to_(?:numbe|cha)|inst)r))|p_(?:(?:addextendedpro|sqlexe)c|(?:oacreat|prepar)e|execute(?:sql)?|makewebtask)|ql_(? ..." at ARGS:extid. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "92"] [id "950001"] [msg "SQL Injection Attack"] [data "union select"] [severity "CRITICAL"] [tag "WEB_ATTACK/SQL_INJECTION"] [hostname "www.xyx.com"] [uri "/main/components/com_jcalpro/cal_popup.php"] [unique_id "4T8OMU6Bw2QAAGP9K6UAAAAE"]
[Tue Dec 01 05:17:52 2009] [error] [client 66.96.128.60] File does not exist: /home/bembridg/public_html/406.shtml
So it's highly likely they scanned as many sites as possible to find a way in. At this stage it does not appear to be a root-level compromise. We recommend changing all passwords, and examining accounts for outdated software to prevent a re-exploit in the future.
Thanks and Regards,
Alex Parker
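One way to act on the advice in the post above, added here as example code that is not part of the thread: parse ModSecurity denials out of the Apache error_log, group them per client IP, and cross-reference with FTP logins so that the accounts a scanning IP later logged into get their passwords reset first. The log lines, IPs and user names are constructed samples; the pure-ftpd syslog shape is assumed.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines in the shape ModSecurity 2.x writes to the Apache
# error_log (same layout as the lines quoted in the thread); IPs, hosts and
# users are made up, and the long rule pattern is abbreviated to "...".
MODSEC_LOG = r'''
[Tue Dec 01 05:17:51 2009] [error] [client 192.0.2.60] ModSecurity: Access denied with code 406 (phase 2). Pattern match "(?:\\b(?:...)" at ARGS:extid. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "92"] [id "950001"] [msg "SQL Injection Attack"] [data "union select"] [severity "CRITICAL"] [tag "WEB_ATTACK/SQL_INJECTION"] [hostname "www.example.com"] [uri "/components/com_jcalpro/cal_popup.php"] [unique_id "AAAA"]
[Tue Dec 01 05:17:51 2009] [error] [client 192.0.2.60] File does not exist: /home/example/public_html/406.shtml
[Tue Dec 01 05:17:52 2009] [error] [client 192.0.2.60] ModSecurity: Access denied with code 406 (phase 2). Pattern match "(?:\\b(?:...)" at ARGS:extid. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "92"] [id "950001"] [msg "SQL Injection Attack"] [data "union select"] [severity "CRITICAL"] [tag "WEB_ATTACK/SQL_INJECTION"] [hostname "www.example.com"] [uri "/main/components/com_jcalpro/cal_popup.php"] [unique_id "BBBB"]
[Tue Dec 01 05:20:03 2009] [error] [client 198.51.100.7] ModSecurity: Access denied with code 406 (phase 2). Pattern match "..." at REQUEST_URI. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "40"] [id "950005"] [msg "Remote File Access Attempt"] [data "/etc/passwd"] [severity "CRITICAL"] [tag "WEB_ATTACK/FILE_INJECTION"] [hostname "blog.example.com"] [uri "/index.php"] [unique_id "CCCC"]
'''
# Constructed pure-ftpd syslog lines (assumed format of cPanel's FTP daemon).
FTP_LOG = '''
Dec  1 05:31:10 srv pure-ftpd: (?@192.0.2.60) [INFO] shopuser is now logged in
Dec  1 05:32:44 srv pure-ftpd: (?@203.0.113.9) [INFO] blogger is now logged in
'''

LINE_RE = re.compile(r'^\[(?P<ts>[^\]]+)\] \[error\] \[client (?P<ip>[^\]]+)\] ModSecurity: (?P<rest>.*)$')
FIELD_RE = re.compile(r'\[(?P<key>[a-z_]+) "(?P<val>[^"]*)"\]')  # [id "950001"], [uri "..."], ...
FTP_RE = re.compile(r'pure-ftpd: \(\S*@(?P<ip>[^)]+)\) \[INFO\] (?P<user>\S+) is now logged in')

def parse_modsec_line(line):
    """Return the bracketed fields of a ModSecurity denial as a dict, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None  # plain Apache errors such as "File does not exist" are skipped
    rec = {"ts": m.group("ts"), "ip": m.group("ip")}
    rec.update((f.group("key"), f.group("val")) for f in FIELD_RE.finditer(m.group("rest")))
    return rec

def blocked_by_ip(log_text):
    """Group denials per client IP: hit count, (rule id, message) counts and distinct URIs."""
    out = defaultdict(lambda: {"hits": 0, "rules": Counter(), "uris": set()})
    for line in log_text.splitlines():
        rec = parse_modsec_line(line)
        if rec:
            s = out[rec["ip"]]
            s["hits"] += 1
            s["rules"][(rec.get("id"), rec.get("msg"))] += 1
            s["uris"].add(rec.get("uri"))
    return dict(out)

def ftp_logins_from_blocked_ips(modsec_text, ftp_text):
    """IPs that tripped the WAF and later logged in over FTP: those accounts get reset first."""
    blocked = blocked_by_ip(modsec_text)
    hits = defaultdict(set)
    for m in FTP_RE.finditer(ftp_text):
        if m.group("ip") in blocked:
            hits[m.group("ip")].add(m.group("user"))
    return dict(hits)
```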