Our server seems to be compromised because each of our hosted domains is redirecting to some .jp website. Many customers told me their antivirus pops up telling them there are infected files on their website.
I can't figure out how this redirect thing is possible. Logically this could be done from Apache or DNS, right?
Also, I get many "Page cannot be found" errors though the directory/file IS there, and if I keep refreshing the page eventually it loads OR I get redirected to the same .jp website.
If you need to ask, and you don't have someone on staff to resolve this, I'd start going into damage control. Restore, and have a very serious think about the security systems employed on your servers. No script or tutorial will replace the job of a system admin. Computers need babysitters too.
First thing I would do is check for spyware on your personal computer. If your customers are having troubles, this is most likely not the problem, but it could be.
If you have been root compromised then it is very possible that the compromise is what is doing this.
A good place to start would be with chkrootkit and rkhunter (do a google on them; if you need more help just post, but they're pretty easy tools to run). These will check for the basics of a rootkit as well as look for many known rootkits.
The next thing you need to do is look at the logs when you request a page to find out what is actually happening. Also examine the virtual host settings in Apache and the zone files for BIND (for the domains in question) to see if there is a problem there. Look for the possibility of a .htaccess file in the public_html folders that may be doing a redirect, and also look at the source files of the webpage.
Comb through your logs such as /var/log/messages to see if there has been any suspicious activity.
If you are root compromised you are most likely going to have to do a full fresh OS install, secure it properly, and then load your backups.
If the server is rooted your logs cannot be trusted. chkrootkit et al. also don't make sense when run from the compromised system itself. Mount the hard disk from a different system (use your provider's "rescue system", if provided). The only way that's really safe is reimaging the server and restoring your data. If there has been no root compromise then the problem's not that bad.
I have found what caused this. Two accounts had these files: flame.so, flame.php, html.php and index.html. I never created one of the accounts. Not sure how it got there, but I deleted both of them and everything is working now. What do you think, guys?
I am not allowed to post URLs (I don't have 5 posts yet) but this is the quote from that website:
Neat little tool: Flame.so
Another script found on a shared server... this one actually had me stumped for about a day or so. It's pretty neat; it actually exploits PHP's ability to load dynamic extensions. Almost every webserver has this feature enabled so it'll probably work...
Basically whenever the flame.php script is invoked (through a browser access etc.), it serves every request received by the webserver (regardless of what virtual host it's coming from or where the script is being accessed) the iframe URLs that are in the index.html file.
This was uploaded to a server with over 1000 virtual hosts/users and all the websites were sending the visitors to the URLs contained in the index.html... which contained tons of win32 viruses.
What's worse is that this script exploits one of the great legitimate features of PHP. As far as I know the only way to prevent/stop this is disabling the dl() function in your php.ini.
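A defender-side audit for the two findings above (dl() left usable in php.ini, and flame.php/flame.so style files sitting inside an account's public_html), written here as an added example rather than code from the thread or from the quoted site. The sample tree and both php.ini files are constructed inside the script; a real run would point it at the live php.ini and the customers' home directory.

```bash
#!/usr/bin/env bash
# Added example (not from the thread): audit php.ini for the dl() hardening the
# quoted post recommends and hunt a webroot for the artifacts it describes.
set -u

# 0 when dl() is neutralised: enable_dl = Off, or dl listed in disable_functions.
php_dl_disabled() {
    local ini="$1"
    grep -Eiq '^[[:space:]]*enable_dl[[:space:]]*=[[:space:]]*(off|0|false)' "$ini" && return 0
    grep -Ei '^[[:space:]]*disable_functions[[:space:]]*=' "$ini" \
        | grep -Eq '[=,][[:space:]]*dl[[:space:]]*(,|$)'
}

# Lists .so files and PHP files that call dl( under a webroot (both unusual in
# customer web content); prints nothing when clean.
find_dl_artifacts() {
    local root="$1"
    find "$root" -type f -name '*.so' -print
    grep -rlE --include='*.php' '(^|[^a-zA-Z0-9_])dl[[:space:]]*\(' "$root"
    return 0
}

# Constructed sample mirroring the thread: flame.php + flame.so in one account's
# public_html, plus a weak and a hardened php.ini (placeholders, not real malware).
make_sample() {
    local base
    base=$(mktemp -d)
    mkdir -p "$base/home/victim/public_html" "$base/etc"
    printf '<?php echo "hello"; ?>\n' > "$base/home/victim/public_html/index.php"
    printf '<?php dl("flame.so"); ?>\n' > "$base/home/victim/public_html/flame.php"
    printf 'placeholder, not a real shared object\n' > "$base/home/victim/public_html/flame.so"
    printf 'enable_dl = On\ndisable_functions =\n' > "$base/etc/php-weak.ini"
    printf 'enable_dl = Off\ndisable_functions = exec,dl,system\n' > "$base/etc/php-hard.ini"
    echo "$base"
}

# Prints a short report; returns 1 when either check finds a problem.
audit() {
    local ini="$1" root="$2" rc=0 hits
    if php_dl_disabled "$ini"; then echo "OK: dl() disabled in $ini"
    else echo "WARN: dl() usable via $ini; set enable_dl = Off and add dl to disable_functions"; rc=1; fi
    hits=$(find_dl_artifacts "$root")
    if [ -n "$hits" ]; then echo "WARN: dl()/.so artifacts under $root:"; echo "$hits"; rc=1; fi
    return $rc
}

# Demo run against the constructed sample.
sample=$(make_sample)
audit "$sample/etc/php-weak.ini" "$sample/home" || true
rm -rf "$sample"
```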