Page 1 of 6 1234 ... LastLast
Results 1 to 25 of 149
  1. #1
    Join Date
    May 2004
    Location
    chicago
    Posts
    173

    Exclamation Linux servers having CPANEL - js virus hitting

    Hi All,


    Earlier this week, our users started reporting that they were getting active-x prompts for Microsoft Data Access Component installation. In addition some of them were getting hit byt the RTSP bug (quicktime) and some were getting the JS/Explot-BO.gen alerts via McAfee. Upon troubleshooting, we see that irrespective of the page type (simple html, php, etc) at times a script tag similar to the one below is inserted right after the <body> tag.

    <script language='JavaScript' type='text/javascript' src='shfuy.js'></script>

    The javascript file name changes and the problem only occurs at times. There is no set pattern to reproduce the problem although I have noticed that if I connect to the server via a new IP address from my DSL connection, I get the javascript in the source.

    I ran some sniffer traces on the server and my laptop. This showed that the javascript was being sent by the server. I was able to capture the javascript (contents of the javascript below).

    Solutions tried:
    I have checked for the filenames but they do not exist on the server.

    1) Have run chkrootkit and rootkit hunter - All clean
    2) Have run clamav - All clean


    Would appreciate if anybody could provide some inputs on what we might be dealing with and how to resolve the problem.

    Javascript code:
    var arg="akmukvfd";
    var MU = "http://" + window.location.hostname + "/" + arg;
    var MH = '';
    for (i=0; i < MU.length; i++)
    {
    var b = MU.charCodeAt (i);
    MH = MH + b.toString (16);
    }
    MH = MH.toUpperCase();
    if (Math.round(MU.length/2) != (MU.length/2))
    {
    MH += '00';
    }

    var MR = '';
    for (i=0; i < MH.length; i += 4)
    {
    MR = MR + '%u' + MH.substring(i+2, i+4) + MH.substring(i, i+2);
    }

    var MU2 = "\"" + MU + "\"";
    var MR2 = "\"" + MR + "\"";

    var SB =
    <<removed encoded exploit>>

    document.write (SB);

    Thanks,
    Regards
    Rushik Shah
    Last edited by bear; 11-25-2007 at 09:59 PM. Reason: Pointless to help spread this
    CEO - Alakmalak Technologies www.Alakmalak.com
    Web Application Development : Website Development Web Designing
    Support Toll Free +1-800-789-9620 Skype : rushik Operating Since 2003 || Team size of 35+ Web development center at INDIA

  2. #2
    Join Date
    Apr 2001
    Location
    Paradise
    Posts
    11,650
    Anybody have the FTP information of all the accounts having this problem? it may be possible that a compromised computer were infecting those sites without even knew it.
    Shared Web Hosting - Reseller Hosting - Semi-Dedicated Servers - SolusVM/XEN VPS
    LiteSpeed Powered - R1Soft Continuous Data Protection - 24/7 Chat/Email/Helpdesk Support
    Cpanel/WHM - Softaculous - R1soft Backup - Litespeed - Cloudlinux -Site Builder- SSH support - Account Migration
    DowntownHost LLC - In Business since 2001- West/Center/East USA - Netherlands - Singapore

  3. #3
    Join Date
    Oct 2003
    Location
    Chattanooga
    Posts
    8,928
    It's more than likely it was just a deface of the specific account. Doubtful that it's an end-user's system being exploited and then FTPing up the data, far too much effort

  4. #4
    Join Date
    May 2004
    Location
    chicago
    Posts
    173
    Hi Jedito / David

    Thanks for your quick reply. Actually I already did this check

    I changed ftp passwords, but still it got effected after 3-4 days again.

    The matter of fact is almost all websites on the server are affected. Mostly the index . html, php files

    Any clue

    Thanks!
    Regards
    Rushik Shah
    CEO - Alakmalak Technologies www.Alakmalak.com
    Web Application Development : Website Development Web Designing
    Support Toll Free +1-800-789-9620 Skype : rushik Operating Since 2003 || Team size of 35+ Web development center at INDIA

  5. #5
    Join Date
    Apr 2001
    Location
    Paradise
    Posts
    11,650
    Quote Originally Posted by David View Post
    It's more than likely it was just a deface of the specific account. Doubtful that it's an end-user's system being exploited and then FTPing up the data, far too much effort

    There's an trojan which does this automatically, the trojan infect the computer and pickup all the FTP book of any FTP program installed in the computer, it does send it to the "hacker" which lately use it to upload the infected data, this happened to one of my resellers awhile ago.

    to the OP, check on the FTP logs of the affected account which files were uploaded and check if the IP uploading those files mismatch in all them.
    Shared Web Hosting - Reseller Hosting - Semi-Dedicated Servers - SolusVM/XEN VPS
    LiteSpeed Powered - R1Soft Continuous Data Protection - 24/7 Chat/Email/Helpdesk Support
    Cpanel/WHM - Softaculous - R1soft Backup - Litespeed - Cloudlinux -Site Builder- SSH support - Account Migration
    DowntownHost LLC - In Business since 2001- West/Center/East USA - Netherlands - Singapore

  6. #6
    Join Date
    Jul 2005
    Location
    Belgium
    Posts
    506
    Hi,

    Which platforms does this trojan infects? Do you know its name?

    Thanks,
    sash
    kept alive by vertaalbureau

  7. #7
    Join Date
    Nov 2007
    Posts
    51
    Is there a way to stop this from happening on a cpanel server?

  8. #8
    Looks like a buffer overflow JS exploit. NoScript stops it, but I would do this:

    find / -name *.js | xargs grep unescape

  9. #9
    Join Date
    Feb 2006
    Posts
    1,108
    The code is here: <<snipped>>
    Last edited by anon-e-mouse; 11-25-2007 at 09:04 PM.
    semi-retired

  10. #10
    Also, check xferlog and see who uploaded it.

  11. #11
    Join Date
    May 2003
    Location
    Kirkland, WA
    Posts
    4,448
    To clarify, there is absolutely no evidence provided that this is at all isolated to cPanel even if it is in fact an issue.
    Nick Nelson
    Sr. Director & GM, VAS
    Demand Media
    425.298.2282 nn@demandmedia.com

  12. #12
    Don't paste code like that on a public forum.

  13. #13
    Join Date
    Feb 2006
    Posts
    1,108
    Quote Originally Posted by zacharooni View Post
    Don't paste code like that on a public forum.
    It's already in the OP, just URI encoded.
    semi-retired

  14. #14
    Join Date
    Oct 2002
    Location
    Middle Dearth
    Posts
    21,246
    Quote Originally Posted by Procyon View Post
    It's already in the OP, just URI encoded.
    Not any more. Let's try not to feed the "kiddies".
    Having problems, or maybe questions about WHT? Head over to the help desk!

  15. #15
    Join Date
    Sep 2003
    Location
    Europe
    Posts
    318
    Hello Rushik,

    I can second your findings. The exploit appears all the time on different pages (the page indicated by KIS keeps changing, usually HTML) and it doesn't appear twice for the same IP and this seems to me to be related to IE only. Have you discovered anything new?

    Looks like a buffer overflow JS exploit. NoScript stops it, but I would do this:

    find / -name *.js | xargs grep unescape
    There is usually NO unescape(), no eval(), no iframe anywhere on the affected accounts. The .js file (this also changes) doesn't even exist anywhere on the server. It's like Trojan-Downloader.JS.Small.fs gets generated on the fly (in our case it tries to download a Exploit.HTML.IESlice.n from <<removed>>

    Any clue anyone?

    Thanks and regards!
    Last edited by bear; 11-28-2007 at 07:27 AM.

  16. #16
    Join Date
    May 2004
    Location
    chicago
    Posts
    173
    Hi Andy,

    I am still trying to find out what would be best way to get it out. As i tried to consult many data centers companies, but the only solution they think of is OS reload.

    Let me know if you find anything.

    Any help from anybody would be greatly appreciated.

    Thanks!
    Regards
    Rushik
    CEO - Alakmalak Technologies www.Alakmalak.com
    Web Application Development : Website Development Web Designing
    Support Toll Free +1-800-789-9620 Skype : rushik Operating Since 2003 || Team size of 35+ Web development center at INDIA

  17. #17
    Join Date
    May 2002
    Location
    Kingston, Ontario
    Posts
    1,573
    You need to scan all your user accounts for malicious files, not just .js now. An OS reload isn't needed in this case unless you've been rooted which is uncommon in this type of attack.
    Upload Guardian 2 - Malicious Upload Scanner - Windows and Linux!
    Instantly scan uploaded files
    Get notified when released

  18. #18
    Join Date
    Sep 2003
    Location
    Europe
    Posts
    318
    Hello Ramprage,

    This has absolutely nothing to do with the site itself. One simple test confirms it. Create a new account in WHM, upload a HTML file that is not even HTML (just plain text), change your IP and when you try to visit the "page", it already contains a 5 random character name .js inclusion that can be seen only in browser by viewing the source but not on the server. It gets added somehow on the fly...

    Regards!

  19. #19
    Join Date
    Jan 2005
    Location
    Scotland, UK
    Posts
    2,544
    Quote Originally Posted by AndyB78 View Post
    Hello Ramprage,

    This has absolutely nothing to do with the site itself. One simple test confirms it. Create a new account in WHM, upload a HTML file that is not even HTML (just plain text), change your IP and when you try to visit the "page", it already contains a 5 random character name .js inclusion that can be seen only in browser by viewing the source but not on the server. It gets added somehow on the fly...

    Regards!
    I know what exploit this is, it injects at the kernel level. You can find it by writing a module for the kernel that lists all loaded modules (it will be hidden from /proc/modules), you also verify it's the same thing by trying to create a file/directory that starts with a number you should get something to the effect of "No such file/directory" (this is part of the rootkit) - otherwise you can go for the quick fix and that is to get a working grsec version that protects writing to /dev/kmem, but good luck compiling because of the number at the start of the file/directories. There are quite a few variants of this some even stop /boot/map from being written so you'll struggle to even get a new kernel without a rescue cd.
    Server Management - AdminGeekZ.com
    Infrastructure Management, Web Application Performance, mySQL DBA. System Automation.
    WordPress/Magento Performance, Apache to Nginx Conversion, Varnish Implimentation, DDoS Protection, Custom Nginx Modules
    Check our wordpress varnish plugin. Contact us for quote: sales@admingeekz.com

  20. #20
    Join Date
    May 2004
    Location
    chicago
    Posts
    173
    Hi All,

    I wanted to see if anybody got some more insight on the same to resolve the issue.

    Thanks!
    Regards
    Rushik
    CEO - Alakmalak Technologies www.Alakmalak.com
    Web Application Development : Website Development Web Designing
    Support Toll Free +1-800-789-9620 Skype : rushik Operating Since 2003 || Team size of 35+ Web development center at INDIA

  21. #21
    Join Date
    Apr 2002
    Location
    Auckland - New Zealand
    Posts
    1,572
    You don't have

    enable_dl = 1 or yes do you in your php.ini?

    If you do, disable it!

    The old php hack loading a nasty library can do this, search flame.so (google,wht etc)

  22. #22
    Join Date
    Feb 2003
    Location
    Portland, OR
    Posts
    81
    dotable steve - thank you for the info on flame.so, google turned up a great page about it.

    However, although one of my machines has all of the symptoms, I'm not able to find a flame.so or flame.anything on my server. Do you know of another file name the attackers may be using now?

  23. #23
    Join Date
    Apr 2002
    Location
    Auckland - New Zealand
    Posts
    1,572
    First off, Just disable enable_dl in your php.ini and restart apache.

    Does that solve the problem? Is the injection now solved?

    After,
    Try locate *.so or find, anything in /home with .so (but could be called anything) is due a closer inspection..

    Also turning on error logging for php after disabling enable_dl might turn up where the scripts are if they exist, as you'll see attempts to load a dl in the error_log

    error_log = /var/log/php_error_log

    As an example
    Last edited by StevenG; 01-05-2008 at 12:56 AM.

  24. #24
    Join Date
    Feb 2003
    Location
    Portland, OR
    Posts
    81
    Quote Originally Posted by Dotable Steve View Post
    First off, Just disable enable_dl in your php.ini and restart apache.

    Does that solve the problem? Is the injection now solved?

    After,
    Try locate *.so or find, anything in /home with .so (but could be called anything) is due a closer inspection..
    Yes, I did disable the dl function, and I believe the injection has stopped... now to find the culprit is all. Thanks again.

  25. #25
    Join Date
    Jan 2005
    Location
    Scotland, UK
    Posts
    2,544
    The post I made above does actually explain pretty much the most common symptoms (it's not flame.so for the thread starter) more specfically you'll notice it by monitoring your packet logs for 5 letter javascript files being outputted in html, these are random 5 digits each time a page loads and are only showed once per IP. Which is done by the exploit hooking into apache by writing to /dev/kmem.

    The simplest fix is to just go for a grsec kernel that protects /dev/kmem but you'll likely need to boot into a rescue cd and compile that way because from what i've seen so far it will either invoke a panic when you are compiling or like I said above it prevents directories with numbers from being created.

    Not seen flame.so in awhile myself personally but k2host you would need to explain symptoms simply because theres so many varients and so many different things it could be.
    Server Management - AdminGeekZ.com
    Infrastructure Management, Web Application Performance, mySQL DBA. System Automation.
    WordPress/Magento Performance, Apache to Nginx Conversion, Varnish Implimentation, DDoS Protection, Custom Nginx Modules
    Check our wordpress varnish plugin. Contact us for quote: sales@admingeekz.com

Page 1 of 6 1234 ... LastLast

Related Posts from theWHIR.com

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •