LinuxQuestions.org
Old 10-23-2009, 01:07 PM   #1
Woogieman
LQ Newbie
 
Registered: Oct 2009
Location: Eugene, OR and Klamath, CA
Distribution: CentOS 5.4
Posts: 16

Rep: Reputation: 0
Help! have belaflex.ind.br web page attack


Somehow I got the belaflex.ind.br infection on CentOS 5.3 and I can't figure out how to get rid of it.
I did a string search (grep) on the entire drive and that name didn't show up anywhere.
I googled it and all I got was your computer may be infected.

Anyone know how to get rid of this?
Anyone know how to stop it from happening again?
 
Old 10-23-2009, 01:50 PM   #2
Jim Bengtson
Member
 
Registered: Feb 2009
Location: Iowa
Distribution: Ubuntu 9.10
Posts: 164

Rep: Reputation: 38
Are you talking about your browser's home page, or the index.htm page on your web server?
 
Old 10-23-2009, 02:00 PM   #3
i92guboj
Gentoo support team
 
Registered: May 2008
Location: Lucena, Córdoba (Spain)
Distribution: Gentoo
Posts: 4,043

Rep: Reputation: 375
Quote:
Originally Posted by Woogieman View Post
Somehow I got the belaflex.ind.br infection on CentOS 5.3 and I can't figure out how to get rid of it.
What makes you suspect that? How did you check it?

Quote:
I googled it and all I got was your computer may be infected.
I can't make any sense of that sentence. Do you -maybe- mean that you are going to a web site that says that your computer is infected? If that's the case, ignore it. I can put whatever I want on my site and every visitor will see it, which doesn't mean that it's true.

If you are really concerned about infections, install clamav, rkhunter and chkrootkit, and use them to scan your drive(s).
 
Old 10-24-2009, 09:08 AM   #4
Woogieman
LQ Newbie
 
Registered: Oct 2009
Location: Eugene, OR and Klamath, CA
Distribution: CentOS 5.4
Posts: 16

Original Poster
Rep: Reputation: 0
Help! have belaflex.ind.br web page attack

Quote:
Originally Posted by Jim Bengtson View Post
Are you talking about your browser's home page, or the index.htm page on your web server?
Yes I am speaking about the index.php file on my web server. If you watch the status bar you will see it go to belaflex.ind.br and load something.
 
Old 10-24-2009, 09:14 AM   #5
Woogieman
LQ Newbie
 
Registered: Oct 2009
Location: Eugene, OR and Klamath, CA
Distribution: CentOS 5.4
Posts: 16

Original Poster
Rep: Reputation: 0
Help! have belaflex.ind.br web page attack

Quote:
Originally Posted by i92guboj View Post
What makes you suspect that? How did you check it?
I watch it load on the status bar when I load my main index.php file from my web server on my web browser.

Quote:
I can't make any sense of that sentence. Do you -maybe- mean that you are going to a web site that says that your computer is infected? If that's the case, ignore it. I can put whatever I want on my site and every visitor will see it, which doesn't mean that it's true.
I mean I google "belaflex.ind.br" and I quote
'BELAFLEX
- [ Translate this page ]
This site may harm your computer.
www.belaflex.ind.br/ - Similar - '
from the Google
and I watch my status bar on my browser (Firefox man did it slow down)
and watch it access the page 'belaflex.ind.br'

I really appreciate your help!!

Quote:
If you are really concerned about infections, install clamav, rkhunter and chkrootkit, and use them to scan your drive(s).
Yea I did all of that except for clamav which I understand is only for email and I will deal with that devil later.
 
Old 10-24-2009, 01:28 PM   #6
Jim Bengtson
Member
 
Registered: Feb 2009
Location: Iowa
Distribution: Ubuntu 9.10
Posts: 164

Rep: Reputation: 38
Quote:
Yes I am speaking about the index.php file on my web server. If you watch the status bar you will see it go to belaflex.ind.br and load something.
Can you post the TEXT of that index.php file here so we can examine what it's telling the web server to do?
 
Old 10-25-2009, 03:04 AM   #7
i92guboj
Gentoo support team
 
Registered: May 2008
Location: Lucena, Córdoba (Spain)
Distribution: Gentoo
Posts: 4,043

Rep: Reputation: 375
Clamav is an antivirus scanner, you can use it for mail or for whatever else. Files are files, mails are not special in any regard.
 
Old 10-25-2009, 08:49 AM   #8
Woogieman
LQ Newbie
 
Registered: Oct 2009
Location: Eugene, OR and Klamath, CA
Distribution: CentOS 5.4
Posts: 16

Original Poster
Rep: Reputation: 0
Help! have belaflex.ind.br web page attack

Quote:
Originally Posted by i92guboj View Post
Clamav is an antivirus scanner, you can use it for mail or for whatever else. Files are files, mails are not special in any regard.
That's good to know. I am sort of a newb with Linux with my background in Windows Servers and I actually had someone tell me that you couldn't infect Linux with a Virus. Imagine that!

I think I found the problem but now have a new security problem.
I have already deleted the code, but someone injected php code at the top of my index.php file.
It was a base64 encoded string which I immediately deleted and saved the new copy and then changed my FTP Password and cleaned up the web site some.
It seems to be OK this morning but I'm afraid the perp will return and do it again. I will have to check my server index.php code daily.

Thanks for your help and hopefully by maintaining my password I will be able to keep them out.
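
The daily check of index.php described in this post, as an added example that is not part of the original thread: a shell script that records SHA-256 hashes of every .php file under a web root, reports files changed since that baseline, and runs a heuristic scan for base64-encoded content. The function names, the 200-character threshold and the sample files are assumptions made for illustration.

```shell
#!/usr/bin/env bash
# Added example: daily check for a PHP web root. Function names, paths and
# sample files are constructed for illustration.

# SHA-256 manifest of every .php file under web root $1 (paths relative to it).
manifest() {
    (cd "$1" && find . -type f -name '*.php' -print0 | sort -z | xargs -0 -r sha256sum)
}

# Print .php paths that were changed, added or removed since baseline file $2.
changed_since() {
    manifest "$1" | diff "$2" - | sed -n 's/^[<>] [0-9a-f]*  //p' | sort -u
}

# Heuristic: list .php files that call base64_decode() or hold a 200+ character
# base64-looking run. Legitimate code can match, so review each hit by hand.
scan_encoded() {
    grep -rlE --include='*.php' 'base64_decode[[:space:]]*\(|[A-Za-z0-9+/=]{200,}' "$1" | sort
}

# Constructed demo: baseline a clean site, prepend an encoded line, re-check.
demo() {
    local root base
    root=$(mktemp -d) && base=$(mktemp)
    printf '<?php echo "home"; ?>\n' > "$root/index.php"
    printf '<?php echo "about"; ?>\n' > "$root/about.php"
    manifest "$root" > "$base"    # take the baseline right after a known-good upload
    # Harmless placeholder standing in for the injected base64 line.
    { printf '<?php $x = base64_decode("Y29uc3RydWN0ZWQ="); ?>\n'; cat "$root/index.php"; } > "$root/index.new"
    mv "$root/index.new" "$root/index.php"
    echo "changed: $(changed_since "$root" "$base" | tr '\n' ' ')"
    echo "encoded: $(scan_encoded "$root" | tr '\n' ' ')"
    rm -rf "$root" "$base"
}
demo
```

Keep the baseline file outside the web root and out of reach of the FTP account, so that whoever can rewrite index.php cannot also rewrite the hashes it is compared against.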
 
Old 10-25-2009, 09:04 AM   #9
i92guboj
Gentoo support team
 
Registered: May 2008
Location: Lucena, Córdoba (Spain)
Distribution: Gentoo
Posts: 4,043

Rep: Reputation: 375
Quote:
Originally Posted by Woogieman View Post
That's good to know. I am sort of a newb with Linux with my background in Windows Servers and I actually had someone tell me that you couldn't infect Linux with a Virus. Imagine that!
Well, it's certainly not as common as in Windows, but there's nothing stopping someone from making Linux viruses. However, most attacks come rather in the form of a hacker or a rootkit.

Quote:
I think I found the problem but now have a new security problem.
I have already deleted the code, but someone injected php code at the top of my index.php file.
It was a base64 encoded string which I immediately deleted and saved the new copy and then changed my FTP Password and cleaned up the web site some.
It seems to be OK this morning but I'm afraid the perp will return and do it again. I will have to check my server index.php code daily.

Thanks for your help and hopefully by maintaining my password I will be able to keep them out.
Using a complex password is definitely a good idea. If you use an ftp client or a web-based frontend on a non-private machine, make sure you erase the history afterwards and never save the password using some silly keyring like the Firefox one. Try to use ssh instead if possible; encryption will help to keep your safety intact. The problem could also be buggy php code, so an audit of your php code would be a good thing.

If you try clamav you might also be interested in checking one of the available frontends, like klamav or clamtk.
 
Old 10-25-2009, 07:59 PM   #10
chrism01
Guru
 
Registered: Aug 2004
Location: Sydney
Distribution: Centos 6.5, Centos 5.10
Posts: 16,311

Rep: Reputation: 2040
Yeah, use scp/sftp and set the file immutable http://linux.die.net/man/1/chattr.
 
Old 10-26-2009, 09:32 AM   #11
Woogieman
LQ Newbie
 
Registered: Oct 2009
Location: Eugene, OR and Klamath, CA
Distribution: CentOS 5.4
Posts: 16

Original Poster
Rep: Reputation: 0
Help! have belaflex.ind.br web page attack

Quote:
Originally Posted by chrism01 View Post
Yeah, use scp/sftp and set the file immutable http://linux.die.net/man/1/chattr.
I seem to have slowed it down for now. I will watch my php code and keep a handle on it.

Thanks to everyone, you've been a great help.

Thanks chrism01: greatly appreciate any advice. I will check it out.
 