
Apache infected with worm/bug

Chris-M

Guest
I was wondering if someone could suggest how to identify where/what infected our server. All sites started intermittently redirecting to malware sites which were trying to install viruses. I won't provide the exact URLs, but they were redirecting to URLs on goscanpark.com, neborin.info, and a few others.

We ran rkhunter and chkrootkit and everything came back clean, and we ran ClamAV and it didn't show up anything relevant.

The server is running:

CentOS 5
Plesk 8.3.0-cos5.build83071218.18
Apache 2.2.3-11.el5_1.centos.3
PHP 5.1.6-15.el5

As a workaround I disabled the exec() function in php.ini and restarted the web server, which seems to have done the trick, but I still don't know what caused it or if/when it will re-occur.

Any help is much appreciated, thanks.

Chris
 
I think there is nothing wrong with your server.
This is an Internet browser (Firefox) problem.
Update your browser (Firefox to version 3.5) and the redirecting problems are solved.

Theo
 
Hi Theo,

Thanks for your reply.

The problem was resolved by restarting the Apache server, so it was clearly a server-side issue. Multiple people from multiple locations, using multiple browsers, were reporting the problem.

I suspect it was a PHP exploit but I am amazed how the whole server installation was able to be affected. There is no hardcoded evidence that I can find, and this is probably true as the issue was fixed by restarting Apache.

Does anyone have any suggestions for how to identify where it came from and how to stop it? I have checked all server logs for unusual FTP logins and any obvious PHP files and have not found anything. Also we just locked down PHP by disabling most system/execution functions (which I admit should really already have been done).

Is there anything else we can do?

Thanks.
 
I have the same problem. What I did before the warning message occurred:

1. I installed a Microsoft Windows XP update which includes Internet Explorer 8.
2. I installed Firefox 3.11.
3. After the update I have this problem with goscanpark . com and neborin . info.

Now I have restored an older backup and the problem is solved. I am not sure, but I think there is a big problem in Firefox version 3.11.
 
That sounds a lot to me like a malicious Apache DSO was loaded, and then maybe they deleted it after the fact.

Check for .htaccess files as well; it's possible those are doing mod_rewrite redirects to some other script that is doing this.
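One way to do the .htaccess check suggested above, as an added example that is not code from the thread: walk the document roots, pull every RewriteRule/Redirect target, and flag the ones that send visitors to a host you do not own, noting whether the rule was keyed on the Referer or User-Agent (the usual way such redirects are hidden from the site owner). The host list, paths and sample .htaccess text are constructed for the example.

```python
"""Audit .htaccess files for rewrite/redirect rules that send visitors off-site.
Added example for the thread above; not part of any project's code."""
import os
import re
from urllib.parse import urlparse

# RewriteRule pattern target [flags]
_REWRITE_RULE = re.compile(r'^\s*RewriteRule\s+(\S+)\s+(\S+)', re.I)
# Redirect/RedirectMatch/RedirectPermanent/RedirectTemp [status] path-or-regex URL
_REDIRECT = re.compile(
    r'^\s*Redirect(?:Match|Permanent|Temp)?\s+'
    r'(?:(?:\d{3}|permanent|temp|seeother|gone)\s+)?(\S+)\s+(\S+)', re.I)
# RewriteCond on request headers that attackers commonly key redirects on
_COND = re.compile(r'^\s*RewriteCond\s+%\{(HTTP_REFERER|HTTP_USER_AGENT|HTTP_COOKIE)\}', re.I)


def audit_htaccess(text, own_hosts):
    """Return a list of findings for one .htaccess body.

    A finding is raised for any redirect/rewrite whose target is an absolute URL
    on a host outside own_hosts, and for any on-site RewriteRule that only fires
    under a Referer/User-Agent/Cookie condition (worth a manual look either way).
    """
    own = {h.lower() for h in own_hosts}
    findings = []
    pending_conds = []          # RewriteCond lines apply to the next RewriteRule
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        m = _COND.match(line)
        if m:
            pending_conds.append(m.group(1).upper())
            continue
        directive = target = None
        m = _REWRITE_RULE.match(line)
        if m:
            directive, target = 'RewriteRule', m.group(2)
        else:
            m = _REDIRECT.match(line)
            if m:
                directive, target = 'Redirect', m.group(2)
        if target is None:
            continue
        conds, pending_conds = pending_conds, []
        host = urlparse(target).hostname if '://' in target else None
        finding = {'line': lineno, 'directive': directive,
                   'target': target, 'conditions': conds}
        if host and host.lower() not in own:
            finding['reason'] = 'off-site target'
            findings.append(finding)
        elif conds and directive == 'RewriteRule':
            finding['reason'] = 'conditional rewrite'
            findings.append(finding)
    return findings


def scan_tree(root, own_hosts):
    """Walk root (e.g. the vhosts directory) and audit every .htaccess found."""
    results = {}
    for dirpath, _dirs, files in os.walk(root):
        if '.htaccess' in files:
            path = os.path.join(dirpath, '.htaccess')
            with open(path, encoding='utf-8', errors='replace') as fh:
                found = audit_htaccess(fh.read(), own_hosts)
            if found:
                results[path] = found
    return results


# Constructed sample: one hidden off-site redirect, one legitimate rewrite,
# one legitimate redirect to the site's own canonical host.
SAMPLE_HTACCESS = """RewriteEngine On
RewriteCond %{HTTP_REFERER} google\\.com [NC]
RewriteRule ^(.*)$ http://redirect-target.invalid/go.php [R,L]
RewriteRule ^old/(.*)$ /new/$1 [R=301,L]
Redirect permanent /about http://www.example.com/about
"""

if __name__ == '__main__':
    for f in audit_htaccess(SAMPLE_HTACCESS, {'example.com', 'www.example.com'}):
        print(f)
    # On a real box: scan_tree('/var/www/vhosts', {'example.com', 'www.example.com'})
```

The rule that is flagged is exactly the shape atomicturtle describes: a mod_rewrite rule that only fires for visitors arriving from a search engine, so the owner browsing the site directly never sees it.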
 
Hello!

This isn't any Windows or Firefox issue.
This is a problem on the server side with Apache and mod_php.

The hacker has a backdoor in some PHP files, then POSTs some data with a malicious Apache DSO:

203.117.68.106 - - [24/Jul/2009:12:49:09 +0200] "POST /img/timag.php HTTP/1.1" 200 5970 "http://www.google.com" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; Alexa Toolbar)"

httpd 20575 apache cwd DIR 9,1 4096 12288048 /home/speedrine/domains/speedrine.pl/public_html/img
httpd 20575 apache rtd DIR 9,1 4096 2 /
httpd 20575 apache txt REG 9,1 20101 12288146 /home/speedrine/domains/speedrine.pl/public_html/img/httpd (deleted)

Please block this IP 203.117.68.106 on your firewall.
Another fix for this is to block all exec functions in PHP or change PHP to fcgi.
Another fix is to upgrade APR from Apache to the newest version from SVN.

More explanation is here: http://forum.php.pl/index.php?showtopic=121411&pid=614283&mode=threaded&start=#entry614283
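The two artefacts quoted above (an access-log POST to a PHP script under an image directory, and an lsof line showing an httpd process whose program image lives under a web root and has already been unlinked) are the things to hunt for across the whole server. The following is an added example, not code from the thread: it parses Apache combined-format log lines and raw lsof output and returns the records matching those two patterns. The log lines, lsof lines, IPs and paths are constructed samples; the "known form handlers" list is an assumption you would fill in per site.

```python
"""Triage helpers for the evidence quoted in the post above.
Added example; not code from the thread or from Plesk."""
import re

# Apache "combined" log format.
_ACCESS = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_access_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = _ACCESS.match(line.strip())
    return m.groupdict() if m else None


def suspicious_posts(lines, expected_post_paths):
    """Flag successful POSTs to PHP scripts that are not known form handlers.

    A legitimate site has a short, stable list of scripts that accept POST;
    anything else answering 200 to a POST (especially under /img or upload
    directories) is a candidate backdoor and its IP/Referer are worth a look.
    """
    expected = set(expected_post_paths)
    hits = []
    for line in lines:
        rec = parse_access_line(line)
        if rec is None or rec['method'] != 'POST':
            continue
        path = rec['path'].split('?', 1)[0]
        if path.lower().endswith('.php') and rec['status'] == '200' and path not in expected:
            hits.append({'ip': rec['ip'], 'ts': rec['ts'], 'path': path,
                         'referer': rec['referer']})
    return hits


def deleted_executables(lsof_lines, webroot_prefix):
    """Flag processes whose program image (FD 'txt') sits under the web root and
    has been unlinked ('(deleted)'): the process keeps running while the file on
    disk, the thing rkhunter/ClamAV would scan, is already gone."""
    hits = []
    for line in lsof_lines:
        parts = line.split(None, 8)  # COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
        if len(parts) < 9:
            continue
        cmd, pid, user, fd, _ftype, _dev, _size, _node, name = parts
        if fd == 'txt' and name.endswith('(deleted)') and name.startswith(webroot_prefix):
            hits.append({'pid': pid, 'user': user, 'command': cmd,
                         'path': name[:-len(' (deleted)')]})
    return hits


# Constructed samples (documentation-range IPs, example.com vhost paths).
SAMPLE_ACCESS = [
    '198.51.100.7 - - [24/Jul/2009:12:49:09 +0200] "POST /img/timag.php HTTP/1.1" 200 5970 '
    '"http://www.google.com" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"',
    '198.51.100.8 - - [24/Jul/2009:12:50:00 +0200] "POST /contact/send.php HTTP/1.1" 200 412 '
    '"http://www.example.com/contact/" "Mozilla/5.0"',
    '198.51.100.9 - - [24/Jul/2009:12:51:30 +0200] "GET /index.php HTTP/1.1" 200 8120 "-" "Mozilla/5.0"',
]
SAMPLE_LSOF = [
    'httpd 20575 apache cwd DIR 9,1 4096 12288048 /var/www/vhosts/example.com/httpdocs/img',
    'httpd 20575 apache txt REG 9,1 20101 12288146 /var/www/vhosts/example.com/httpdocs/img/httpd (deleted)',
    'httpd 20570 apache txt REG 9,1 345200 777 /usr/sbin/httpd',
]

if __name__ == '__main__':
    # Assumed per-site list of scripts that legitimately receive POST requests.
    for hit in suspicious_posts(SAMPLE_ACCESS, {'/contact/send.php'}):
        print('POST to unexpected script:', hit)
    for hit in deleted_executables(SAMPLE_LSOF, '/var/www/vhosts'):
        print('running binary already deleted from web root:', hit)
```

On a live box feed `deleted_executables` the output of `lsof -n -p <pid>` for each httpd worker and `suspicious_posts` the combined access logs of every vhost; the deleted-binary finding is the one to act on first, since restarting Apache (what fixed the symptom in this thread) kills that process and destroys the only copy of the payload.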
 
Hi atomicturtle,

We can't find anything physical on the server which references the URLs that the sites are being redirected to, and I also don't see any manipulation of any .htaccess files. I'm baffled.

I suspect it may be a PHP script that's been exploited because it's odd that the problem is fixed by restarting Apache. The problem first occurred on Wednesday, we restarted httpd and then it was fine, then it re-occurred today. Again restarting httpd resolved the issue. We've locked down all the 'dangerous' PHP functions in /etc/php.ini:

disable_functions = exec,passthru,shell_exec,system,proc_open,parse_ini_file,show_source

Is there anything else you would suggest we can do?

Thanks.
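To check that a disable_functions line like the one above actually covers every process-spawning function, here is an added example (not code from the thread) that parses php.ini text the way PHP reads it (last assignment wins, `;` starts a comment) and reports which functions from a baseline list are still callable. The baseline set is an assumption for the example; `popen` and `pcntl_exec` are the two the thread's list leaves enabled.

```python
"""Compare php.ini disable_functions against a baseline of process-spawning functions.
Added example for the thread above; not Plesk's or PHP's own tooling."""
import re

# Assumed baseline for this example: functions that run a command or spawn a process.
PROCESS_FUNCTIONS = {'exec', 'passthru', 'shell_exec', 'system',
                     'proc_open', 'popen', 'pcntl_exec'}

_DISABLE = re.compile(r'^\s*disable_functions\s*=\s*(.*?)\s*$', re.I)


def disabled_functions(ini_text):
    """Return the set of functions disabled by the last effective
    disable_functions line; commented-out lines are ignored."""
    result = set()
    for raw in ini_text.splitlines():
        line = raw.split(';', 1)[0]          # strip trailing/leading comments
        m = _DISABLE.match(line)
        if m:
            value = m.group(1).strip().strip('"')
            result = {f.lower() for f in re.split(r'[,\s]+', value) if f}
    return result


def still_enabled(ini_text, baseline=PROCESS_FUNCTIONS):
    """Baseline functions NOT covered by disable_functions, sorted for reporting."""
    return sorted(baseline - disabled_functions(ini_text))


# Constructed php.ini excerpt using the thread's own disable_functions line,
# plus a commented-out later line that must not override it.
SAMPLE_INI = """; sample excerpt, not a full php.ini
disable_functions = exec,passthru,shell_exec,system,proc_open,parse_ini_file,show_source
;disable_functions = exec
"""

if __name__ == '__main__':
    print('disabled:', sorted(disabled_functions(SAMPLE_INI)))
    print('still enabled:', still_enabled(SAMPLE_INI))
```

Two caveats worth keeping in mind: disable_functions is a PHP_INI_SYSTEM setting, so it is only honoured in php.ini or a php_admin_value in the Apache configuration, not in a per-site .htaccess; and it limits what an already-planted PHP backdoor can call rather than removing the backdoor, so the file hunt in the earlier replies is still needed.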
 