
11-25-2007, 02:37 PM
Linux servers having CPANEL - js virus hitting
Hi All,
Earlier this week, our users started reporting that they were getting ActiveX prompts for Microsoft Data Access Component installation. In addition, some of them were getting hit by the RTSP bug (QuickTime) and some were getting JS/Exploit-BO.gen alerts via McAfee. Upon troubleshooting, we see that irrespective of the page type (simple HTML, PHP, etc.), at times a script tag similar to the one below is inserted right after the <body> tag.
<script language='JavaScript' type='text/javascript' src='shfuy.js'></script>
The javascript file name changes and the problem only occurs at times. There is no set pattern to reproduce the problem although I have noticed that if I connect to the server via a new IP address from my DSL connection, I get the javascript in the source.
I ran some sniffer traces on the server and my laptop. This showed that the javascript was being sent by the server. I was able to capture the javascript (contents of the javascript below).
Solutions tried:
I have checked for the filenames but they do not exist on the server.
1) Have run chkrootkit and rootkit hunter - All clean
2) Have run clamav - All clean
I would appreciate it if anybody could provide some input on what we might be dealing with and how to resolve the problem.
Javascript code:
var arg="akmukvfd";
var MU = "http://" + window.location.hostname + "/" + arg;
var MH = '';
for (i=0; i < MU.length; i++)
{
var b = MU.charCodeAt (i);
MH = MH + b.toString (16);
}
MH = MH.toUpperCase();
if (Math.round(MU.length/2) != (MU.length/2))
{
MH += '00';
}
var MR = '';
for (i=0; i < MH.length; i += 4)
{
MR = MR + '%u' + MH.substring(i+2, i+4) + MH.substring(i, i+2);
}
var MU2 = "\"" + MU + "\"";
var MR2 = "\"" + MR + "\"";
var SB =
<<removed encoded exploit>>
document.write (SB);
Thanks,
Regards
Rushik Shah
__________________
CEO - Alakmalak Technologies www.Alakmalak.com
Web Application Development : Website Development Web Designing
Support 24 X 7 - Toll Free - 1-888-GUJARAT Yahoo id : alakmalaktechno AIM : rushikshah
Operating Since 2000 || Co-orporate office at USA - Web development center at INDIA to cut costs..
Last edited by bear; 11-25-2007 at 09:59 PM.
Reason: Pointless to help spread this

11-25-2007, 02:49 PM
Web Hosting Master
Join Date: Apr 2001
Location: Buenos Aires / Argentina
Posts: 9,188
Anybody have the FTP information of all the accounts having this problem? It may be possible that a compromised computer was infecting those sites without anyone even knowing it.

11-25-2007, 02:51 PM
& Goliath
Join Date: Oct 2003
Location: Vancouver & Toronto
Posts: 8,357
It's more than likely it was just a deface of the specific account. Doubtful that it's an end-user's system being exploited and then FTPing up the data, far too much effort 

11-25-2007, 03:02 PM
Hi Jedito / David
Thanks for your quick reply. Actually, I already did this check.
I changed the FTP passwords, but it still got affected again after 3-4 days.
The fact of the matter is that almost all websites on the server are affected, mostly the index.html and .php files.
Any clue?
Thanks!
Regards
Rushik Shah

11-25-2007, 03:09 PM
Web Hosting Master
Join Date: Apr 2001
Location: Buenos Aires / Argentina
Posts: 9,188
Quote:
Originally Posted by David
It's more than likely it was just a deface of the specific account. Doubtful that it's an end-user's system being exploited and then FTPing up the data, far too much effort 
There's a trojan which does this automatically: the trojan infects the computer and picks up the FTP address book of any FTP program installed on the computer, then sends it to the "hacker", who later uses it to upload the infected data. This happened to one of my resellers a while ago.
To the OP: check the FTP logs of the affected account for which files were uploaded, and check whether the IP uploading those files mismatches across all of them.
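The log check suggested above, worked through as an added example (not code posted by anyone in this thread): a small Python script that reads xferlog records, keeps only the uploads, flags uploads into an account from an IP that account does not normally use, and lists IPs that uploaded into more than one account. The xferlog lines, account names, IPs and the "known IP" table are all constructed for the example; the field layout assumed is the standard wu-ftpd / pure-ftpd xferlog format that cPanel boxes of that era wrote.

```python
"""Flag FTP uploads that come from an IP an account does not normally use.

Added example for this thread, not code posted by anyone in it. It assumes
the standard wu-ftpd / pure-ftpd xferlog layout: one whitespace-separated
record per transfer. All log lines, account names and IPs are constructed.
"""
from collections import defaultdict

# Constructed sample xferlog records (not real data). Fields, left to right:
# weekday month day time year, transfer-seconds, remote host, bytes, path,
# type (a/b), special-action flag, direction (i = upload, o = download),
# access mode, username, service, auth method, auth user id, completion status.
SAMPLE_XFERLOG = """\
Mon Nov 19 03:12:44 2007 1 203.0.113.7 8412 /home/siteone/public_html/index.html b _ i r siteone ftp 0 * c
Mon Nov 19 03:13:02 2007 1 203.0.113.7 1024 /home/siteone/public_html/logo.gif b _ o r siteone ftp 0 * c
Tue Nov 20 22:41:10 2007 1 198.51.100.23 8620 /home/siteone/public_html/index.html b _ i r siteone ftp 0 * c
Tue Nov 20 22:41:12 2007 1 198.51.100.23 4510 /home/sitetwo/public_html/index.php b _ i r sitetwo ftp 0 * c
Wed Nov 21 10:05:33 2007 1 192.0.2.55 4400 /home/sitetwo/public_html/index.php b _ i r sitetwo ftp 0 * c
"""

# Hypothetical table of the IPs each customer normally uploads from
# (constructed; in practice build it from older logs or ask the customer).
KNOWN_IPS = {"siteone": {"203.0.113.7"}, "sitetwo": {"192.0.2.55"}}


def parse_xferlog(text):
    """Yield one dict per well-formed record; malformed lines are skipped."""
    for line in text.splitlines():
        f = line.split()
        if len(f) < 18:
            continue
        yield {
            "when": " ".join(f[0:5]),
            "ip": f[6],
            "path": f[8],
            "direction": f[11],   # 'i' = incoming transfer, i.e. an upload
            "user": f[13],
        }


def uploads(text):
    """Only the upload records, in log order."""
    return [r for r in parse_xferlog(text) if r["direction"] == "i"]


def suspicious_uploads(text, known_ips):
    """Uploads whose source IP is not in the account's known-IP set.

    This is the pattern the thread describes: stolen FTP credentials used
    from the attacker's machine to push a modified index page.
    """
    return [
        (r["user"], r["ip"], r["path"], r["when"])
        for r in uploads(text)
        if r["ip"] not in known_ips.get(r["user"], set())
    ]


def shared_upload_ips(text):
    """IPs that uploaded into more than one account: {ip: sorted usernames}.

    One outside IP writing into many accounts is what a credential-stealing
    trojan looks like from the server side.
    """
    users_by_ip = defaultdict(set)
    for r in uploads(text):
        users_by_ip[r["ip"]].add(r["user"])
    return {ip: sorted(u) for ip, u in users_by_ip.items() if len(u) > 1}


if __name__ == "__main__":
    for hit in suspicious_uploads(SAMPLE_XFERLOG, KNOWN_IPS):
        print("upload from unknown IP:", hit)
    for ip, users in shared_upload_ips(SAMPLE_XFERLOG).items():
        print("IP uploading into several accounts:", ip, users)
```

On a real box the input would be /usr/local/apache/domlogs or /var/log/xferlog fed through the same functions; the second check (one IP uploading into many accounts) is the one that separates "one customer's PC is infected" from "every customer's credentials have been used from the same place", which is exactly the question the posts above are arguing about.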

11-25-2007, 04:21 PM
Aspiring Evangelist
Join Date: Jul 2005
Location: Belgium
Posts: 427
Hi,
Which platforms does this trojan infect? Do you know its name?
Thanks,
sash

11-25-2007, 07:21 PM
Is there a way to stop this from happening on a cpanel server?

11-25-2007, 08:42 PM
Premium Member
Join Date: Apr 2005
Location: Lansing, MI
Posts: 1,092
Looks like a buffer overflow JS exploit. NoScript stops it, but I would do this:
find / -name '*.js' | xargs grep unescape
__________________
My blog

11-25-2007, 08:46 PM
The code is here: <<snipped>>
__________________
semi-retired
Last edited by anon-e-mouse; 11-25-2007 at 09:04 PM.

11-25-2007, 08:57 PM
Premium Member
Join Date: Apr 2005
Location: Lansing, MI
Posts: 1,092
Also, check xferlog and see who uploaded it.

11-25-2007, 09:04 PM
Web Hosting Master
Join Date: May 2003
Location: Chicago, IL
Posts: 4,146
To clarify, there is absolutely no evidence provided that this is at all isolated to cPanel even if it is in fact an issue.
__________________
• VPS.NET - Often imitated, never duplicated. • Offering Akamai CDN at a price you won't believe. Ask me. •
• nick@vps.net - Global Commercial Director - UK2Group.com • Resell VPS.NET today, let's talk! 832.495.4888 •

11-25-2007, 09:05 PM
Premium Member
Join Date: Apr 2005
Location: Lansing, MI
Posts: 1,092
Don't paste code like that on a public forum.

11-25-2007, 09:43 PM
Quote:
Originally Posted by zacharooni
Don't paste code like that on a public forum.
It's already in the OP, just URI encoded.
__________________
semi-retired

11-25-2007, 10:00 PM
Quote:
Originally Posted by Procyon
It's already in the OP, just URI encoded.
Not any more. Let's try not to feed the "kiddies".
__________________
Did you know WHT has a help desk?
Together, we can make a difference. Hosting For Haiti - 100% of donations go to the American Red Cross Haiti Relief and Development Fund.

11-28-2007, 06:58 AM
Hello Rushik,
I can second your findings. The exploit appears all the time on different pages (the page indicated by KIS keeps changing, usually HTML), it doesn't appear twice for the same IP, and it seems to me to be related to IE only. Have you discovered anything new?
Quote:
Looks like a buffer overflow JS exploit. NoScript stops it, but I would do this:
find / -name '*.js' | xargs grep unescape
There is usually NO unescape(), no eval(), no iframe anywhere on the affected accounts. The .js file (this also changes) doesn't even exist anywhere on the server. It's like Trojan-Downloader.JS.Small.fs gets generated on the fly (in our case it tries to download an Exploit.HTML.IESlice.n from <<removed>>).
Any clue anyone?
Thanks and regards!
Last edited by bear; 11-28-2007 at 07:27 AM.
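An added example, not code from this thread, of the check the original post and the reply above both point at: since the injected tag is not in the file on disk and the .js it references does not exist, the useful comparison is between what the server actually sends to a client and what sits in the account's docroot. The served page, the on-disk page and the docroot listing below are constructed to reproduce the described symptom; in practice the served copy would come from fetching the site from a client IP that has not visited before (the posts say it shows once per IP and seems tied to IE), and the on-disk copy from the account's public_html.

```python
"""Compare the page a server actually serves with the file on disk and
report script tags that were added in transit.

Added example for this thread, not code posted by anyone in it. The served
page, the on-disk page and the docroot file list below are constructed to
reproduce the symptom described: a <script src=...> right after <body> that
is absent from the file and points at a .js that does not exist.
"""
import re

# Matches an external <script ... src="..."> tag and captures its src value.
SCRIPT_SRC = re.compile(
    r"<script\b[^>]*\bsrc\s*=\s*['\"]([^'\"]+)['\"]", re.IGNORECASE)

# Right after the <body ...> tag, the very next thing is an external script.
SCRIPT_AFTER_BODY = re.compile(
    r"<body\b[^>]*>\s*<script\b[^>]*\bsrc", re.IGNORECASE)

# Constructed: the index page as it sits in the account's public_html.
ON_DISK_HTML = """<html><head><title>Example</title>
<script type='text/javascript' src='site.js'></script></head>
<body>
<p>Hello</p>
</body></html>"""

# Constructed: the same page as a client received it from the server.
SERVED_HTML = """<html><head><title>Example</title>
<script type='text/javascript' src='site.js'></script></head>
<body><script language='JavaScript' type='text/javascript' src='shfuy.js'></script>
<p>Hello</p>
</body></html>"""

# Constructed docroot listing: relative paths that really exist on disk.
DOCROOT_FILES = {"index.html", "site.js"}


def script_sources(html):
    """src values of all external <script> tags, in document order."""
    return SCRIPT_SRC.findall(html)


def injected_scripts(served, on_disk):
    """Script srcs present in the served copy but not in the on-disk copy."""
    expected = set(script_sources(on_disk))
    return [s for s in script_sources(served) if s not in expected]


def phantom_scripts(served, docroot_files):
    """Local script srcs in the served copy whose file is not in the docroot."""
    return [
        s for s in script_sources(served)
        if not s.lower().startswith(("http://", "https://", "//"))
        and s.lstrip("/") not in docroot_files
    ]


def script_directly_after_body(html):
    """True when an external script is the first thing after the <body> tag."""
    return SCRIPT_AFTER_BODY.search(html) is not None


def check_page(served, on_disk, docroot_files):
    """Combine the three checks into one report dict."""
    return {
        "injected": injected_scripts(served, on_disk),
        "phantom": phantom_scripts(served, docroot_files),
        "after_body": script_directly_after_body(served),
    }


if __name__ == "__main__":
    print(check_page(SERVED_HTML, ON_DISK_HTML, DOCROOT_FILES))
```

A cron job on an outside host that fetches each site's index page and runs these checks against a copy of the docroot would catch this kind of injection even when chkrootkit, rkhunter and clamav all report the disk clean, as they did in this thread; a non-empty "phantom" list is the strongest signal, because a script tag pointing at a file that does not exist anywhere under the docroot cannot have come from the account's own content.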
|