LinuxQuestions.org

Linux - Security: Virus in a server? Malware running randomly in all server sites. (https://www.linuxquestions.org/questions/linux-security-4/virus-in-a-server-malware-running-randomly-in-all-server-sites-758806/)

Dragnovich 09-30-2009 08:37 PM

Virus in a server? Malware running randomly in all server sites.
 
Hello, I have one CentOS machine with Plesk 8.6 (preinstalled from The Planet).

The sites on that server are randomly (and frequently) serving a page redirect that points to a malware site.

http://antispywaretotalscan9.com/sca...LjI4Ng0MaA%3DN

that claims to be antivirus software but really is a trojan virus.

The number in ...totalscanX.com/... changes from 0 to 9; even if you try a few times, the site is sometimes down (it seems to change IPs, using free IP proxies and free DNS servers). When the site is opened, it gets very persistent about leaving the user no choice but to click the download and install button (normal users don't realize that it is a WEBSITE and the messages are browser alerts), and the way to avoid it is just hitting the back button.

Ok this is how it is working:

1) It runs randomly, on random sites, pages and scripts. I.e. I was editing with vi a file containing <?php phpinfo(); ?> and when I tested the page I got the malware redirection.
2) The script DOES NOT MODIFY or affect the requested file, so I'm worried that the file is being run server-wide.
3) The malware page goes up and down, also randomly.
4) The first time, I detected a suspicious Tomcat process, and the virus was displayed very often; once I shut down Tomcat the propagation slowed down to nearly nothing (but it still happens).
5) It is not a local machine virus (Windows); I checked the pages from many machines, on many networks, and always got it after a while.

What have I done to test?...

First I thought my FTP account was compromised, so I changed my passwords. I verified the integrity of all my files and found nothing...
After a while I started getting the malware redirections on my site again, so I started monitoring all server FTP access logs, to see if the malware connects, uploads, and after some time deletes itself. But after that, I found 0 FTP accesses and still got the malware, from the same phpinfo file.

I also checked the PHP/Apache configuration files, to see if there were suspicious files being appended to each served page, but got nothing.

I checked all server processes and found nothing suspicious.

A friend told me maybe the kernel was corrupted? But how to find out if it was modified?

Any ideas what more to do?

jalalski 09-30-2009 08:56 PM

Two options
 
In my opinion, you only have two options:

1. completely wipe the machine and do a new install, with new passwords, everything.

2. Employ an expensive security expert to audit the machine and, if possible, fix it.

A security expert will probably find the source of the problem and then insist that you do a reinstall anyway, so you might as well skip that and do it yourself.

(If you are calling a file containing phpinfo() and getting a redirect to another site, it indicates either a .htaccess redirect, a URL rewrite, or a modified Apache installation.)

Good luck.

gmartin 09-30-2009 09:00 PM

Not too likely, but it's possible you have been rooted. It can be impossible to detect. But there are some good tools to try detection. See here and here

Most of those tools should be run from a LiveCD so the rootkit isn't active.

Also, on possible infection vectors, are you running a CMS that could have a vulnerability? I've seen php apps that you could drive a truck through.

Dragnovich 09-30-2009 11:55 PM

Yes, the possibility of reinstallation is taken into account, but it will be the last resort...

OK, I ran rkhunter and besides some warnings (that seem to be issued to everyone who has run it from a CentOS/Plesk server, as seen in a Google search) there's nothing suspect.

this is what I get...
[21:14:49] /usr/bin/GET [ Warning ]
[21:14:49] Warning: The command '/usr/bin/GET' has been replaced by a script: /usr/bin/GET: perl script text executable
[21:14:49] /usr/bin/groups [ Warning ]
[21:14:49] Warning: The command '/usr/bin/groups' has been replaced by a script: /usr/bin/groups: Bourne shell script text executable
[21:14:50] /usr/bin/ldd [ Warning ]
[21:14:50] Warning: The command '/usr/bin/ldd' has been replaced by a script: /usr/bin/ldd: Bourne shell script text executable
[21:14:55] /usr/bin/whatis [ Warning ]
[21:14:56] Warning: The command '/usr/bin/whatis' has been replaced by a script: /usr/bin/whatis: Bourne shell script text executable
[21:14:57] /sbin/ifdown [ Warning ]
[21:14:57] Warning: The command '/sbin/ifdown' has been replaced by a script: /sbin/ifdown: Bourne-Again shell script text executable
[21:14:57] /sbin/ifup [ Warning ]
[21:14:58] Warning: The command '/sbin/ifup' has been replaced by a script: /sbin/ifup: Bourne-Again shell script text executable
[21:16:07] Checking '/etc/xinetd.d/ftp_psa' for enabled services [ Warning ]
[21:16:07] Checking '/etc/xinetd.d/poppassd_psa' for enabled services [ Warning ]
[21:16:07] Checking '/etc/xinetd.d/smtp' for enabled services [ Warning ]
[21:16:07] Checking '/etc/xinetd.d/smtp_psa_alt' for enabled services [ Warning ]
[21:16:07] Checking '/etc/xinetd.d/smtps_psa' for enabled services [ Warning ]
[21:16:08] Checking '/etc/xinetd.d/smtp_telcel' for enabled services [ Warning ]
[21:16:08] Checking '/etc/xinetd.d/submission_psa' for enabled services [ Warning ]
[21:16:08] Checking for enabled xinetd services [ Warning ]
[21:16:08] Warning: Found enabled xinetd service: /etc/xinetd.d/ftp_psa
[21:16:08] Warning: Found enabled xinetd service: /etc/xinetd.d/poppassd_psa
[21:16:08] Warning: Found enabled xinetd service: /etc/xinetd.d/smtp
[21:16:08] Warning: Found enabled xinetd service: /etc/xinetd.d/smtp_psa_alt
[21:16:08] Warning: Found enabled xinetd service: /etc/xinetd.d/smtps_psa
[21:16:08] Warning: Found enabled xinetd service: /etc/xinetd.d/smtp_telcel
[21:16:08] Warning: Found enabled xinetd service: /etc/xinetd.d/submission_psa
[21:16:37] Checking if SSH root access is allowed [ Warning ]
[21:16:37] Warning: The SSH and rkhunter configuration options should be the same:
[21:16:38] Checking for hidden files and directories [ Warning ]
[21:16:38] Warning: Hidden directory found: /dev/.udev
[21:16:38] Warning: Hidden file found: /usr/share/man/man1/..1.gz: gzip compressed data, from Unix, max compression

About the CMS, or a PHP backdoor... Yes, it occurred to me that maybe an Apache/PHP file is the cause; however I don't know any way to find out which file is being run by Apache. When searching for Apache processes, all I get is that it is running from the path /usr/bin/httpd.

Any ideas?

unSpawn 10-01-2009 11:11 AM

Quote:

Originally Posted by jalalski (Post 3702679)
completely wipe the machine and do a new install, with new passwords, everything.

Bad advice. If you do that without knowing the cause and hardening against it you're bound to introduce it again.


Quote:

Originally Posted by jalalski (Post 3702679)
Employ an expensive security expert to audit the machine and, if possible, fix it.

Not necessary unless you know your stuff. Ninety-nine percent of the time it'll be vulns that are well known and have been around for some time.

unSpawn 10-01-2009 11:23 AM

Quote:

Originally Posted by gmartin (Post 3702681)
Also, on possible infection vectors, are you running a CMS that could have a vulnerability? I've seen php apps that you could drive a truck through.

As I've said before PHP stands for Pretty Horrific Programming and all software the user runs should be regarded as suspect. Quick wins are 0) comparing exact versions of PHP and PHP-based applications with the CVE (or distribution or vendor-issued security bulletins) and 1) grepping webserver access and error logs for "odd" GET/POST requests, errors, tool output (think wget).
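
The log-grepping quick win described above, as an added example that is not code from the thread: a small Python scanner over constructed Apache "combined" log lines (sample IPs and paths are invented) that flags referer-less POSTs to scripts, POSTs to paths that are not scripts at all, and command-line tool user agents such as wget or curl, then counts hits per client IP.

```python
import re
from collections import Counter

# Constructed sample lines in Apache "combined" log format (not from the thread).
SAMPLE_LOG = """\
203.0.113.5 - - [01/Oct/2009:10:12:01 -0500] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [01/Oct/2009:10:12:03 -0500] "GET /images/logo.png HTTP/1.1" 200 804 "http://site1.example/" "Mozilla/5.0"
198.51.100.7 - - [01/Oct/2009:10:13:40 -0500] "POST /images/photo.js HTTP/1.1" 200 312 "-" "Mozilla/4.0"
198.51.100.7 - - [01/Oct/2009:10:13:41 -0500] "POST /cgi-bin/stats.cgi HTTP/1.1" 200 44 "-" "Wget/1.11.4"
192.0.2.9 - - [01/Oct/2009:10:15:02 -0500] "GET /info.php HTTP/1.1" 200 2048 "-" "curl/7.19"
192.0.2.9 - - [01/Oct/2009:10:15:05 -0500] "POST /contact.php HTTP/1.1" 200 900 "http://site1.example/contact.php" "Mozilla/5.0"
"""

# One regex for the combined format: ip ident user [time] "method path proto" status size "referer" "ua"
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
                    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$')
# User agents of download/scripting tools that browsers never send.
TOOL_UA = re.compile(r'\b(wget|curl|libwww-perl|python-urllib)\b', re.I)
# Extensions that legitimately receive form POSTs on a PHP/CGI host (assumed list).
ACTIVE_EXT = ('.php', '.cgi', '.pl', '.jsp')

def suspicious_requests(log_text):
    """Return (ip, method, path, reasons) for each line that matches an 'odd' pattern."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue                      # skip lines that are not combined-format
        reasons = []
        path = m['path'].split('?', 1)[0].lower()
        if m['method'] == 'POST' and not path.endswith(ACTIVE_EXT):
            reasons.append('POST to non-script path')      # e.g. POST to a .js file
        if m['method'] == 'POST' and m['referer'] == '-' and path.endswith(ACTIVE_EXT):
            reasons.append('referer-less POST to script')  # no page submitted the form
        if TOOL_UA.search(m['ua']):
            reasons.append('command-line tool user agent')
        if reasons:
            hits.append((m['ip'], m['method'], path, reasons))
    return hits

def ips_by_hits(hits):
    """Count flagged requests per client IP so the noisiest sources surface first."""
    return Counter(h[0] for h in hits)

if __name__ == '__main__':
    found = suspicious_requests(SAMPLE_LOG)
    for ip, method, path, reasons in found:
        print(ip, method, path, '; '.join(reasons))
    print(ips_by_hits(found).most_common())
```

Run it against the real access_log of every vhost on the box, not just the site where the redirect was observed, since the thread's finding is that the injected script answers for all sites.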

jalalski 10-01-2009 10:11 PM

Quote:

Originally Posted by unSpawn (Post 3703759)
Bad advice. If you do that without knowing the cause and hardening against it you're bound to introduce it again.

See the second option. :)

It's the only correct way to treat a possibly rooted machine. If you have the skills to find the source of the infection, then good. If you have the money to pay someone, good.

Otherwise, just reinstall the system, set up new accounts with fresh passwords and check all user space scripts and programs for attack vectors.

win32sux 10-01-2009 11:05 PM

Quote:

Originally Posted by jalalski (Post 3704520)
See the second option. :)

It's the only correct way to treat a possibly rooted machine. If you have the skills to find the source of the infection, then good. If you have the money to pay someone, good.

Otherwise, just reinstall the system, set up new accounts with fresh passwords and check all user space scripts and programs for attack vectors.

As unSpawn said, that approach is quite likely to leave you (and your clients) just as vulnerable as before. IMHO, it's extremely irresponsible to put a restored/re-installed system back online without having addressed the vulnerability which was exploited. One doesn't need to be a forensic expert either. Some basic investigative techniques (such as those mentioned by unSpawn) can shed a significant amount of light on what went wrong and why. Once you have a decent theory which is supported by solid evidence, you'll know what needs to be done differently on the new install.

jalalski 10-03-2009 09:26 PM

By 'system' I meant the operating system, not the, probably corrupted, data files. Maybe I didn't make that clear.

Dragnovich 10-05-2009 02:59 AM

Well, the problem got solved, for the moment.

Here is what happened...

Basically the server was being attacked by some kind of variation of the Goscanpark malware or Beladen attack. I truly don't find ANY reference to a virus like the one I got.

Anyway, those variations attack a server vulnerability in the default php.ini configuration (as I said, the server is leased at ThePlanet so I got it as is, with default factory settings).

After a while I managed to stop the attack.

Basically the attacker hacked some FTP accounts (weak passwords, I think) on the server and then populated his "malware" in the .JS, .PHP, Java and .CGI files (yes, that surprised me too... Java? Perl?). The compromised scripts are called from the outside using the POST method, so there is no visible suspicious access in the logs.

Once the script is running it makes all possible scans to search for any open backdoor: if it can execute other scripts, if it has FTP access, if it has system access, it searches for writable directories, etc., and sends back a report to make it easier for the attacker on the next run.

Basically the script gets by POST the next script it will execute, so it is not possible to track what is really happening; it can be a batch of 1000 spam emails, a URL redirection, a fake web page or a Google AdWords supplantation; ANYTHING can happen.

Anyway, they get run randomly, and many times, but from many different IPs. It is very difficult to track this, because many customers had PHP-based open source apps running, and no one can handle the job of TRACKING every PHP file served.

The worst part is that the script attacks server-wide, so once the script got run, it hijacks Apache requests SERVER-WIDE and returns malicious content on any served page to the web browsers instead of the real web pages. This means that the attacker's script is running on SITE1.COM and reflecting the attacks onto ANY site on the server (so if you have a 200+ site server...).

What did I do?
Installed Breakinguard, and set it to block the IP after 5 failed password attempts (just to locate the compromised FTP accounts, but using this method I got just one of the 3 I located; there could be more), then I changed all server FTP passwords, restricted FTP user rights even more, and removed the use of PHP "execution" functions.

After restricting PHP the attack stopped, and that let me track back what happened.

After that, the customers' complaints started that their buggy open source software had stopped working, but that is another story.

I post some resources to learn more about these exploits:

The article that showed me the light at the end of the tunnel:
http://blog.unmaskparasites.com/2009...erver-exploit/

In fact the whole blog is a GOLD MINE of knowledge:
http://blog.unmaskparasites.com/

And their online detection tool is a must:
http://www.unmaskparasites.com/

Other references:
Linux Apache Attack
http://www.uptime.cz/100452-site-a-i...he-Attack.html

Beladen – Elusive Web Server Exploit. (information for site owners and hosting providers)
http://blog.unmaskparasites.com/2009...erver-exploit/
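
The "remove the use of PHP execution functions" step above, as an added example that is not the poster's own code: a Python audit that parses a php.ini text, reads its active disable_functions directive and reports which process-spawning functions are still callable. The two embedded php.ini fragments are constructed (a stock file with the directive commented out next to a hardened one), and the list of functions treated as "execution" functions is an assumption, not text from the thread.

```python
# Functions that spawn a shell or process; which ones to count is an assumption
# made for this example, not a list given in the thread.
EXEC_FUNCTIONS = ('exec', 'passthru', 'shell_exec', 'system',
                  'proc_open', 'popen', 'pcntl_exec')

# Constructed php.ini fragment: the directive is commented out, so nothing is disabled.
WEAK_INI = """\
[PHP]
; disable_functions =
expose_php = On
"""

# Constructed hardened fragment: every execution function is named (spacing is sloppy on purpose).
HARDENED_INI = """\
[PHP]
disable_functions = exec,passthru, shell_exec ,system,proc_open,popen,pcntl_exec
expose_php = Off
"""

def disabled_functions(ini_text):
    """Return the set of names in the last active disable_functions line of a php.ini text.

    Assumes values do not contain ';' inside quotes; php.ini treats ';' as a comment start.
    """
    names = set()
    for raw in ini_text.splitlines():
        line = raw.split(';', 1)[0].strip()          # drop comments and whitespace
        if not line or line.startswith('['):          # blank line or [section] header
            continue
        key, _, value = line.partition('=')
        if key.strip().lower() == 'disable_functions':
            value = value.strip().strip('"')          # directive may be quoted
            # A later occurrence overrides an earlier one, as PHP itself does.
            names = {n.strip().lower() for n in value.split(',') if n.strip()}
    return names

def missing_exec_functions(ini_text):
    """Execution functions this configuration still leaves callable, sorted for reporting."""
    return sorted(set(EXEC_FUNCTIONS) - disabled_functions(ini_text))

if __name__ == '__main__':
    for label, ini in (('weak', WEAK_INI), ('hardened', HARDENED_INI)):
        print(label, 'still allows:', missing_exec_functions(ini) or 'nothing')
```

Point it at the php.ini that `php -i` reports as loaded; a customer application that breaks afterwards is calling one of the listed functions, which is exactly the "buggy open source software" fallout described above.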

jalalski 10-05-2009 10:08 PM

Glad you got it sorted.

And thanks for posting the info, that will help many.

unSpawn 10-06-2009 03:52 PM

Quote:

Originally Posted by Dragnovich (Post 3708050)
Basically the attacker got hack some FTP password accounts (weak passwords I think) in the server and then populates his "malware" in the .JS .PHP Java and .CGI (yes that surpriced me too.. Java? PERL?). the compromised scripts are called from the outside, using POST method so there's no a visible suspicious log access in the logs.

Thanks for the links. Just to be clear the discussions do not point to a direct route into a GNU/Linux server by way of exploiting a weakness but to exploiting vulns in (I'd guess mostly mcrsft) clients used for content upload or editing.
