Hello All,

I am not a Linux expert, but not a newbie either. I am recently experiencing an interesting problem that I just wanted to share and get your opinions.

A few days ago one of my server's IP, which I use as a shared web server for a bunch of websites, got blacklisted. The server is a Linux server running CentOS with cPanel control panel.

I have found the note below in the database which was blacklisted my IP.

The interesting thing is, this Zeus thing seems to be working only Windows based machines. So it should not be possible for this to happen on a Linux server in my opinion. The only thing that I can think of is, a proxy script or something that an account might be using which might have been used by an infected Windows computer. However, this is the point where I am lost as I am not sure how I can detect this script on server, and I am even not sure if there is any.

When I check the active connections on the server during a day(via netstat), I can see multiple connections to remote servers over port 80 but I am not sure if I can say that all these connections are caused by the same thing? (I guess they might be Wordpress caching stuff etc., might they?)

I was wondering if this can be tracked through this way or another way? Is my assumption correct? I would really appreciate any comments/opinions on this whether be positive or negative.

Thank you.

Running netstat with the -p option (must be root to do this) will show you what process is associated with each network connection. Have you tried that already?

Yes, tried that.

After that, I have tried the command below, thinking that the lsof can show me the file used by that PID.

However, I only see the root web directory of the cPanel account with lsof. And when I check there, there I see just regular Wordpress files.

That's an understatement: the report says it got listed nearly two weeks ago.
Linux may be free to use but using it is not free of responsibilities.


What I find interesting is the reason your web server is (perceived to be) (ab)used for proxying traffic. AFAIK Zeus (and I haven't read that much really) isn't that "intelligent" to modify a users proxy settings and while I should not speculate about these things there's two generic options: somebody deliberately configured their machine to use yours for proxying purposes or somebody "discovered" yours as an open proxy.

First of let's try to log and mitigate things. Download the ipblocklist from https://zeustracker.abuse.ch/blocklist.php and create an egress filter using 'ipset':
review the list got loaded OK:
then add these logging and blocking rules at their appropriate position ('iptables -t filter --line-numbers -nvxL OUTPUT;' to review) in the filter table OUTPUT chain:
*Note the list is refreshed about ever twenty four hours so you probably want to automate downloading the new list, cleaning stale addresses and loading new ones into list. And please don't mistake this set of blocking rules for a "solution".

Secondly out-of-the-box Apache installations still come with all LSO's enabled including proxying ('grep "^LoadModule.proxy" httpd.conf;') so it would be good to review your configuration for what you allow. That goes for the firewall and other services as well. We don't know the location of the web server (could you be willingly proxying for your own LAN?) or if you're running a proxy service too. And like you said an interpreter-based proxy script or other "fun" could be running. It can be grepped for or better: use RFx' Linux Malware Detect ClamAV rules (just load them on the clamscan command line) on your own and your customers homes and all docroots. While you're at it review the servers system and daemon logs for anomalies (or use Logwatch for generating leads), review your own and your customers homes for anything seemingly odd and while you inspect things don't leave your own local machine(s) out.

Third, yes, you can list (I prefer 'lsof -Pwln -a -i;') processes and network traffic but without ways to correlate it (remote domain names or IP addresses, Zeus agent signatures, process details that mark it suspicious or rogue) I wonder how efficient that will be. (I made a web log post about traffic correlation here but I hope you find the cause without having to resort to that kind of stuff.) Sure you should inspect processes but IMHO you shouldn't focus on remote ports. Besides there's no way telling if traffic will be constant or transient. If your investigation turns up nothing you could install Snort as Emerging Threats, zeustracker and SourceFire include Zeus signatures and sniff traffic but I'd go for quick wins first.

1 members found this post helpful.

Hi unSpawn, that was very helpful! Thank you very much for the idea(s).

I noticed you marked this thread solved without posting how you solved the case. This does not leave any clues for others who might face the same problem in the future and it's a rather unsatisfactory ending for those who love to troubleshoot and diagnose things. So I would appreciate it if you would reciprocate and offer us a quick run-through of that measures you took and of your findings,
TIA.

Hi unSpawn, you are right I should let everyone know with what I did. I was just way too hasty while working on this problem and completely forgot this thread. Sorry about that.

Here's what I did;

I have tried running LMD (Linux Malware Detect). It did found about 8-10 (some were same) and I have cleaned all of them.
I have created an egress filter as advised and monitored the logs for about 2-3 days and have not noticed any outgoing connection to Zeus trackers. (I also created an update script to update blocklist every 24 hours.) I have not been blacklisted by the database so far.
As for your Apache configuration suggestion, this server has a default(almost) cPanel/WHM Apache configuration and I confirmed that the proxy module was not enabled/loaded. I have also my firewall tightly configured, just allows regular incoming/outgoing HTTP, HTTPS, POP(S), IMAP(S), DNS and some cPanel/WHM specific port connections.

I'll keep monitoring this and will update this thread if I notice anything new.

Thanks again!