Hacked again & again Website keeps getting infected files added HELP! - Page 2

Comments

  • @n1kko The phishing page will be removed within 48 hours. I've contacted the host, and they will take care of this.

  • akz Member

    The guy who hacked you before most likely backdoored your site as well. Better to start fresh from a DB backup.

  • OK, I found this in my public_html directory: http://pastebin.com/fNtDdYgD. It was all eval code, but I decoded it; please take a look. I have no clue what this has been doing.
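
The usual way to find out what an eval-wrapped file like that does is to unwrap it statically rather than run it. The following is an added example for this thread, not the pastebin code above and not anything from cPanel or maldet: it builds a constructed three-layer `eval(gzinflate(base64_decode('...')))`-style sample (the inner one-line shell body, the decoder chains, and the function names `obfuscate`, `peel` and `suspicious_calls` are all this example's own), peels the layers off with the Python equivalents of PHP's `base64_decode`, `gzinflate`, `gzuncompress`, `str_rot13` and `strrev`, and then reports which dangerous calls and request inputs the final code contains. It stops at any decoder it does not know instead of guessing.

```python
import base64
import codecs
import re
import zlib

# Added example, not the pastebin code from the thread. It statically unwraps the
# eval(<decoder chain>('<base64 blob>')) pattern used by PHP droppers without
# executing anything. The payload and chains below are constructed for the example.

INNER_PHP = "if(isset($_POST['c'])){system($_POST['c']);}"  # constructed one-line web shell body


def rot13(data: bytes) -> bytes:
    """PHP str_rot13 equivalent; it is its own inverse."""
    return codecs.encode(data.decode("latin-1"), "rot_13").encode("latin-1")


def gzdeflate(data: bytes) -> bytes:
    """PHP gzdeflate(): raw DEFLATE stream without zlib/gzip framing."""
    c = zlib.compressobj(9, zlib.DEFLATED, -15)
    return c.compress(data) + c.flush()


# PHP decoder name -> inverse operation (only used to build the sample)
ENCODERS = {
    "base64_decode": base64.b64encode,
    "gzinflate": gzdeflate,
    "gzuncompress": zlib.compress,
    "str_rot13": rot13,
    "strrev": lambda b: b[::-1],
}
# PHP decoder name -> Python equivalent of the decoder itself (used when peeling)
DECODERS = {
    "base64_decode": lambda b: base64.b64decode(re.sub(rb"\s+", b"", b)),
    "gzinflate": lambda b: zlib.decompress(b, -15),
    "gzuncompress": zlib.decompress,
    "str_rot13": rot13,
    "strrev": lambda b: b[::-1],
}

# eval( name( name( '...base64...' ) ) );  names captured outermost first
LAYER_RE = re.compile(r"eval\s*\(\s*((?:\w+\s*\(\s*)+)['\"]([A-Za-z0-9+/=\s]+)['\"]\s*\)+\s*;?")


def obfuscate(php: str, chain):
    """Wrap PHP source the way a dropper would. chain is outermost-first; innermost must be base64_decode."""
    data = php.encode("latin-1")
    for name in chain:  # encoding runs outermost-first, the reverse of how PHP decodes
        data = ENCODERS[name](data)
    return "eval(" + "(".join(chain) + "('" + data.decode("ascii") + "')" + ")" * len(chain) + ";"


def build_sample() -> str:
    """Three nested layers with different decoder chains, like a real dropper."""
    src = INNER_PHP
    for chain in (["gzuncompress", "base64_decode"],
                  ["str_rot13", "base64_decode"],
                  ["gzinflate", "base64_decode"]):
        src = obfuscate(src, chain)
    return "<?php " + src


def peel(src: str, max_layers: int = 32):
    """Replace each eval(...) literal with its decoded contents until nothing matches.
    Returns (final_source, chains_removed). Stops at an unknown decoder rather than guessing."""
    removed = []
    for _ in range(max_layers):
        m = LAYER_RE.search(src)
        if not m:
            break
        names = re.findall(r"\w+", m.group(1))
        if any(n not in DECODERS for n in names):
            break
        data = m.group(2).encode("ascii")
        for n in reversed(names):  # innermost decoder runs first, exactly as PHP would evaluate it
            data = DECODERS[n](data)
        src = src[:m.start()] + data.decode("latin-1") + src[m.end():]
        removed.append(names)
    return src, removed


DANGEROUS = {"system", "exec", "shell_exec", "passthru", "popen", "proc_open",
             "assert", "create_function", "move_uploaded_file", "fsockopen"}


def suspicious_calls(src: str):
    """What the decoded code actually does: dangerous calls and request inputs it reads."""
    calls = sorted({n for n in re.findall(r"\b(\w+)\s*\(", src) if n in DANGEROUS})
    inputs = sorted(set(re.findall(r"\$_(?:GET|POST|REQUEST|COOKIE|SERVER)", src)))
    return calls, inputs


if __name__ == "__main__":
    final, layers = peel(build_sample())
    print("layers removed:", layers)
    print("decoded source:", final)
    print("calls / inputs:", suspicious_calls(final))
```

Running it prints the three chains removed (outermost first), the plain inner code, and `(['system'], ['$_POST'])`, which is the kind of evidence that turns "I have no clue what this has been doing" into "it takes a command from a POST parameter and runs it". Real droppers add layers this table does not cover (custom XOR loops, `preg_replace` with the `/e` modifier, `assert`); when `peel` stops early, that is the signal to read the remaining layer by hand rather than to run it.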

  • Mun Member

    From my brief read it makes a shell for the attacker to exploit your system as they see fit. This may be wrong. I just took a quick look at the code.

  • Mun Member

    Nm, it's a whole toolkit.

  • 1500 lines to make trouble for someone. This is so lame.

  • raindog308 Administrator, Veteran

    mustafaramadhan said: Using cPanel for private use is not a good decision. Use a free/open-source CP.

    Ha! And a Kloxo link in your sig...

    BTW, cPanel is opensource, though not free in either sense.

  • @raindog308 said:

    cPanel is open-source?

  • jarjar Patron Provider, Top Host, Veteran
    edited January 2015

    @mustafaramadhan said:
    cPanel is open-source?

    I've never seen an encoded script in it. Not open in the traditional sense but you can read the code all you want ;)

  • Do you happen to have any Warez themes/scripts/plugins in your system? I've seen them causing such results...

  • @Mun said:
    From my brief read it makes a shell for the attacker to exploit your system as they see fit. This may be wrong. I just took a quick look at the code.

    Opened the Pastebin and Avast didn't likey...


  • @Jar said:
    I've never seen an encoded script in it. Not open in the traditional sense but you can read the code all you want ;)

    Maybe not all of it is encoded, but the 'crucial' code is possibly encoded.

  • I had the same problem last December.

  • mustafaramadhan said: Maybe not all of it is encoded, but the 'crucial' code is possibly encoded.

    Isn't Kloxo-MR the same?

  • @century1stop said:
    Isn't Kloxo-MR the same?

    None of the Kloxo-MR code is encoded.

  • century1stop Member
    edited January 2015

    @n1kko You'll definitely need to remove all those files immediately. If your WHM can be secured accordingly (WHM -> System Health -> Background Process Killer -> select all), it should remove all these automagically; then make sure necessary ports are dropped or rejected.

    mustafaramadhan said: None of the Kloxo-MR code is encoded.

    If I remember correctly, Kloxo-MR is a modified version of Kloxo with quite a huge chunk of code from it. Kloxo has certain sections encoded.

  • No encoding (ionCube) in Kloxo since version 6.1.0, and Kloxo-MR is based on 6.1.12.

  • mustafaramadhan said: No encoding

    Haven't checked the latest ;)

  • n1kko Member
    edited January 2015

    Well, I think I'm all sorted now. I got in touch with Licencepal, where I purchased my cPanel licence. They have been a great help and installed rfxn and ClamAV, then scanned all sites for me. The only things that showed up were some files to do with nginx, but I'm guessing that's normal. All passwords changed, so we'll see how things go.

    Licencepal also checked my cPanel for any issues. Big thanks to them :D

  • raindog308 Administrator, Veteran

    mustafaramadhan said: Maybe not all of it is encoded, but the 'crucial' code is possibly encoded.

    I haven't looked file-by-file but I don't think any of cPanel is encoded.

    More importantly, it has a much better security record than swiss cheese Kloxo. Some well-known VPS providers even specifically forbid Kloxo in their AUP.

  • @raindog308,

    Yes for Kloxo but mostly no for Kloxo-MR.

  • @n1kko said:
    Well, I think I'm all sorted now. I got in touch with Licencepal, where I purchased my cPanel licence. They have been a great help and installed rfxn and ClamAV, then scanned all sites for me. The only things that showed up were some files to do with nginx, but I'm guessing that's normal. All passwords changed, so we'll see how things go.

    Licencepal also checked my cPanel for any issues. Big thanks to them :D

    Why licensepal and not your host?

  • I wanted to check that my WHM/cPanel had not been compromised. If you purchase a cPanel licence from Licencepal you have to go to them and not cPanel. They offered to scan and check everything for me, which was very good of them.

  • I see; anyway, good to know you got things sorted out :)

    These hackers are real pests.

  • I have just scanned with maldet and this is a bit of the report:

    {HEX}php.shell.black-id.570 : /tmp/nginx_client/0018217882
    {HEX}php.exe.globals.399 : /tmp/nginx_client/0030415610
    {HEX}php.shell.black-id.570 : /tmp/nginx_client/0018217915
    {HEX}php.exe.globals.399 : /tmp/nginx_client/0030415617
    {HEX}php.exe.globals.396 : /tmp/nginx_client/0030410865
    {HEX}php.exe.globals.399 : /tmp/nginx_client/0030415615
    {HEX}php.exe.globals.399 : /tmp/nginx_client/0030415626
    {HEX}php.exe.globals.399 : /tmp/nginx_client/0030415614
    {HEX}php.exe.globals.396 : /tmp/nginx_client/0063650265
    {HEX}php.exe.globals.396 : /tmp/nginx_client/0030411116
    {HEX}php.exe.globals.396 : /tmp/nginx_client/0063658313
    {HEX}php.exe.globals.396 : /tmp/nginx_client/0063650312
    {HEX}php.exe.globals.396 : /tmp/nginx_client/0063650314
    {HEX}gzbase64.inject.unclassed.15 : /tmp/eaccelerator/540/e/5/eaccelerator-e54a$
    {HEX}gzbase64.inject.unclassed.15 : /tmp/eaccelerator/540/e/7/eaccelerator-e751$
    {HEX}gzbase64.inject.unclassed.15 : /tmp/eaccelerator/540/8/e/eaccelerator-8e36$
    {HEX}gzbase64.inject.unclassed.15 : /tmp/eaccelerator/540/f/8/eaccelerator-f817$
    {HEX}gzbase64.inject.unclassed.15 : /tmp/eaccelerator/540/f/4/eaccelerator-f4a3$
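
Before deciding between "clean it" and "rebuild it", the first thing to do with a report like the one above is to group the hits by where they sit. The following is an added example for this thread, not maldet's own code and not from anyone in the discussion: it parses lines in maldet's `{ENGINE}signature : path` shape and buckets them by location. The report text inside it is constructed for the example (the first three lines copy hits from the post above; the eaccelerator and public_html paths are made up), and the location labels are this example's assumptions: `/tmp/nginx_client` is taken to be nginx's client-body temp directory, so hits there are buffered request bodies (such as attempted uploads of a shell) rather than files that will ever be served, while `/tmp/eaccelerator` is the opcode cache, so a hit there means PHP compiled, and therefore ran, a script containing that pattern at some point.

```python
import re
from collections import Counter, defaultdict

# Added example, not part of the thread and not maldet's code. It parses
# "{ENGINE}signature : path" report lines and groups hits by location.
# REPORT is constructed: lines 1-3 copy hits from the post above, the
# eaccelerator and public_html paths are invented for the example.
REPORT = """\
{HEX}php.shell.black-id.570 : /tmp/nginx_client/0018217882
{HEX}php.exe.globals.399 : /tmp/nginx_client/0030415610
{HEX}php.exe.globals.396 : /tmp/nginx_client/0030410865
{HEX}gzbase64.inject.unclassed.15 : /tmp/eaccelerator/540/a/b/eaccelerator-constructed1
{HEX}gzbase64.inject.unclassed.15 : /tmp/eaccelerator/540/c/d/eaccelerator-constructed2
{HEX}php.shell.black-id.570 : /home/example/public_html/wp-content/uploads/img.php
"""

LINE_RE = re.compile(r"^\{(?P<engine>\w+)\}(?P<sig>\S+)\s*:\s*(?P<path>\S+)$")

# Prefix -> label. The nginx_client meaning is an assumption (client_body_temp_path);
# order matters: more specific prefixes first.
LOCATIONS = [
    ("/tmp/nginx_client/", "nginx client temp"),   # buffered request bodies, never served
    ("/tmp/eaccelerator/", "opcode cache"),        # compiled copies of scripts PHP has run
    ("/tmp/", "other /tmp"),
]


def parse_report(text):
    """Return (signature, path) pairs; lines that do not match the shape are ignored."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            hits.append((m["sig"], m["path"]))
    return hits


def locate(path):
    """Map a hit path to a coarse location label."""
    for prefix, label in LOCATIONS:
        if path.startswith(prefix):
            return label
    if "/public_html/" in path:
        return "webroot"  # served content: this is what a visitor can actually reach
    return "other"


def triage(text):
    """Signature counts per location, e.g. {'webroot': {'php.shell.black-id.570': 1}, ...}."""
    by_loc = defaultdict(Counter)
    for sig, path in parse_report(text):
        by_loc[locate(path)][sig] += 1
    return {loc: dict(c) for loc, c in by_loc.items()}


def persistent_hits(text):
    """Paths outside /tmp: these survive a reboot or cache flush and need manual cleanup."""
    return [p for _, p in parse_report(text) if not p.startswith("/tmp/")]


if __name__ == "__main__":
    for loc, sigs in triage(REPORT).items():
        print(f"{loc}: {sigs}")
    print("persistent:", persistent_hits(REPORT))
```

On the constructed report this separates three buckets: request bodies in the nginx temp directory (evidence of what attackers tried to push at the site), opcode-cache entries (evidence that an injected script was executed at least once), and the one hit under `public_html`, which is the only path here that can still be served and the one to examine first. A report with hits only under `/tmp` still tells you something ran, which is why the advice in the next post is to rebuild rather than just delete.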
  • Mun Member
    edited January 2015

    There should be nothing in tmp. Make a backup of your data and delete and rebuild your server. It is compromised.

  • My /tmp directory has a few sess_ files and a few folders like this: cpanel.TMP.work.HSctjfVKZb7F_7Um

  • n1kko said: cpanel.TMP.work.HSctjfVKZb7F_7Um

    Not quite sure, but does cPanel have such a file format?

  • I have never seen these sorts of files on cPanel.
