
Apache infected with worm/bug

Discussion in 'Plesk for Linux - 8.x and Older' started by Chris-M, Jul 22, 2009.

  1. Chris-M (Guest)
     
    I was wondering if someone could suggest how to identify where/what infected our server - all sites started intermittently redirecting to malware sites which were trying to install viruses. I won't provide the exact URLs, but they were redirecting to URLs on goscanpark.com, neborin.info, and a few others.

    We ran rkhunter and chkrootkit and everything came back clean, and we ran ClamAV and it didn't show up anything relevant.

    The server is running:

    CentOS 5
    Plesk 8.3.0-cos5.build83071218.18
    Apache 2.2.3-11.el5_1.centos.3
    PHP 5.1.6-15.el5

    As a workaround I disabled the exec() function in php.ini and restarted the web server, which seems to have done the trick, but I still don't know what caused it or if/when it will re-occur.

    Any help is much appreciated, thanks.

    Chris
     
  2. Theodor (New Pleskian)

    I think there is nothing wrong with your server.
    This is an Internet browser (Firefox) problem.
    Update your browser (Firefox to version 3.5) and the redirecting problems are solved.

    Theo
     
  3. Theodor (New Pleskian)

    Do you have any news?
     
  4. Chris-M (Guest)
     
    Hi Theo,

    Thanks for your reply.

    The problem was resolved by restarting the Apache server, so it was clearly a server-side issue. Multiple people from multiple locations, using multiple browsers, were reporting the problem.

    I suspect it was a PHP exploit but I am amazed how the whole server installation was able to be affected. There is no hardcoded evidence that I can find, and this is probably true as the issue was fixed by restarting Apache.

    Does anyone have any suggestions for how to identify where it came from and how to stop it? I have checked all server logs for unusual FTP logins and any obvious PHP files and have not found anything. Also we just locked down PHP by disabling most system/execution functions (which I admit should really already have been done).

    Is there anything else we can do?

    Thanks.
     
  5. ClaudeS (Guest)
     
    I have the same problem. What I did before the warning message occurred:

    1. I installed a Microsoft Windows XP update which includes Internet Explorer 8.
    2. I installed Firefox 3.11.
    3. After the update I have this problem with goscanpark . com and neborin . info.

    Now I have restored an older backup and the problem is solved. I am not sure, but I think there is a big problem in Firefox version 3.11.
     
  6. atomicturtle (Golden Pleskian, Washington, DC)

    That sounds a lot to me like a malicious Apache DSO was loaded, and then maybe they deleted it after the fact.

    Check for .htaccess files as well; it's possible those are doing mod_rewrite redirects to some other script that is doing this.
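
As a defender-side illustration of the .htaccess check suggested above, here is an added example (not code from the thread or from Plesk) that walks a document root, parses each .htaccess, and reports Redirect/RewriteRule targets whose host is not one of the server's own hostnames, flagging rules that are gated on a search-engine HTTP_REFERER. The sample .htaccess contents, the paths under /var/www/vhosts/example.com and the OWN_HOSTS set are constructed assumptions; load_htaccess_under() reads real files when pointed at a live root.

```python
import os
import re
from urllib.parse import urlparse

# Constructed sample .htaccess files (not from any real server): one with a
# referer-conditioned rewrite to an outside host, two with ordinary rules.
SAMPLE_HTACCESS = {
    "/var/www/vhosts/example.com/httpdocs/.htaccess": (
        "RewriteEngine On\n"
        "RewriteCond %{HTTP_REFERER} (google|yahoo|bing) [NC]\n"
        "RewriteRule ^(.*)$ http://redirect-target.invalid/land.php [R=302,L]\n"
    ),
    "/var/www/vhosts/example.com/httpdocs/blog/.htaccess": (
        "RewriteEngine On\n"
        "RewriteBase /blog/\n"
        "RewriteRule ^index\\.php$ - [L]\n"
        "RewriteRule . /blog/index.php [L]\n"
    ),
    "/var/www/vhosts/example.com/httpdocs/old/.htaccess": (
        "Redirect 301 /old http://www.example.com/new\n"
    ),
}

# Hostnames that legitimately belong to this server (assumption for the example).
OWN_HOSTS = {"example.com", "www.example.com"}

REDIRECT_DIRECTIVE = re.compile(
    r"^\s*(RewriteRule|RedirectMatch|RedirectPermanent|RedirectTemp|Redirect)\s+(.*)$",
    re.IGNORECASE,
)
REFERER_COND = re.compile(r"^\s*RewriteCond\s+%\{HTTP_REFERER\}", re.IGNORECASE)
ABS_URL = re.compile(r"https?://[^\s\]]+")


def find_external_redirects(htaccess_text, own_hosts):
    """Return (directive, target_url, referer_conditioned) for every rule whose
    target host is not one of own_hosts. A RewriteCond on HTTP_REFERER right
    before the rule means the redirect only fires for search-engine visitors,
    which is how this kind of redirect usually hides from the site owner."""
    findings = []
    referer_conditioned = False
    for line in htaccess_text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        if REFERER_COND.match(line):
            referer_conditioned = True
            continue
        m = REDIRECT_DIRECTIVE.match(line)
        if m:
            for url in ABS_URL.findall(m.group(2)):
                host = (urlparse(url).hostname or "").lower()
                if host not in own_hosts:
                    findings.append((m.group(1), url, referer_conditioned))
        if not stripped.lower().startswith("rewritecond"):
            # RewriteCond lines only apply to the RewriteRule that follows them
            referer_conditioned = False
    return findings


def scan_htaccess_files(files, own_hosts=OWN_HOSTS):
    """Map path -> findings for every .htaccess text that redirects off-site."""
    report = {}
    for path, text in files.items():
        hits = find_external_redirects(text, own_hosts)
        if hits:
            report[path] = hits
    return report


def load_htaccess_under(root):
    """Collect the real .htaccess files below a document root (for live use)."""
    files = {}
    for dirpath, _dirs, names in os.walk(root):
        if ".htaccess" in names:
            path = os.path.join(dirpath, ".htaccess")
            try:
                with open(path, "r", errors="replace") as fh:
                    files[path] = fh.read()
            except OSError:
                continue
    return files


if __name__ == "__main__":
    for path, hits in scan_htaccess_files(SAMPLE_HTACCESS).items():
        for directive, url, via_referer in hits:
            flag = " (only for search-engine referers)" if via_referer else ""
            print(f"{path}: {directive} -> {url}{flag}")
```

On a real host, replace SAMPLE_HTACCESS with load_htaccess_under("/var/www/vhosts") (or whatever the Plesk vhost root is) and extend OWN_HOSTS with every domain the server serves; the scan only reads files, so it is safe to run repeatedly, for example from cron, and diff against the previous run.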
     
  7. Piotr Kloc (Guest)
     
    Hello!

    This isn't a Windows or Firefox issue.
    This is a problem on the server side with Apache and mod_php.

    The hacker has a backdoor in some PHP files, then POSTs some data with a malicious Apache DSO:

    203.117.68.106 - - [24/Jul/2009:12:49:09 +0200] "POST /img/timag.php HTTP/1.1" 200 5970 "http://www.google.com" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; Alexa Toolbar)"

    httpd 20575 apache cwd DIR 9,1 4096 12288048 /home/speedrine/domains/speedrine.pl/public_html/img
    httpd 20575 apache rtd DIR 9,1 4096 2 /
    httpd 20575 apache txt REG 9,1 20101 12288146 /home/speedrine/domains/speedrine.pl/public_html/img/httpd (deleted)

    Please block this IP 203.117.68.106 on your firewall.
    Another fix for this is to block all exec functions in PHP or change PHP to FCGI.
    Another fix is to upgrade APR from Apache to the newest version from SVN.

    More explanation is here: http://forum.php.pl/index.php?showtopic=121411&pid=614283&mode=threaded&start=#entry614283
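
The two artefacts in the post above (a POST to a PHP script sitting in an image directory, and an httpd worker whose "txt" executable is a deleted file under public_html) are both easy to hunt for after the fact. The following added example, which is not code from the thread, parses Apache combined-format access log lines and lsof-style output with those two heuristics, and adds a live /proc check for processes running from unlinked binaries. The log lines, lsof lines, RFC 5737 addresses and /var/www/vhosts/example.com paths are constructed samples; the STATIC_DIRS, SEARCH_ENGINE_HOSTS and WEB_ROOT_MARKERS sets are assumptions to tune per server.

```python
import os
import posixpath
import re
from urllib.parse import urlparse

# Constructed sample lines in Apache combined log format (RFC 5737 addresses,
# not real traffic); the first mirrors the pattern quoted in the thread.
SAMPLE_ACCESS_LOG = """\
203.0.113.5 - - [24/Jul/2009:12:49:09 +0200] "POST /img/timag.php HTTP/1.1" 200 5970 "http://www.google.com" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; Alexa Toolbar)"
198.51.100.7 - - [24/Jul/2009:12:50:01 +0200] "GET /img/logo.png HTTP/1.1" 200 1234 "http://www.example.com/" "Mozilla/5.0"
198.51.100.8 - - [24/Jul/2009:12:51:30 +0200] "POST /contact.php HTTP/1.1" 302 0 "http://www.example.com/contact.php" "Mozilla/5.0"
"""

# Constructed sample output in the column layout of `lsof -p <pid>`; one entry
# is a process whose executable lives in a web root and was already unlinked.
SAMPLE_LSOF = """\
httpd 20575 apache cwd DIR 9,1 4096 12288048 /var/www/vhosts/example.com/httpdocs/img
httpd 20575 apache txt REG 9,1 20101 12288146 /var/www/vhosts/example.com/httpdocs/img/httpd (deleted)
httpd 20576 apache txt REG 9,1 318000 4242 /usr/sbin/httpd
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)
# Directories that normally hold only static content; a PHP script taking
# POSTs from one of these is worth a look (heuristic chosen for this example).
STATIC_DIRS = {"img", "images", "uploads", "upload", "cache", "tmp", "files"}
SEARCH_ENGINE_HOSTS = {"www.google.com", "google.com", "www.bing.com", "search.yahoo.com"}
WEB_ROOT_MARKERS = ("/public_html/", "/httpdocs/", "/htdocs/", "/www/")


def parse_combined_log(text):
    """Yield one dict per parseable combined-format line."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()


def suspicious_posts(log_text):
    """Return log records for POSTs to PHP scripts in static-content directories.
    A search-engine referer on a POST is a strong extra signal: search result
    pages only ever link with GET, so such a referer is forged."""
    hits = []
    for rec in parse_combined_log(log_text):
        path = rec["path"].split("?", 1)[0]
        if rec["method"] != "POST" or not path.lower().endswith(".php"):
            continue
        if set(posixpath.dirname(path).lower().split("/")) & STATIC_DIRS:
            referer_host = (urlparse(rec["referer"]).hostname or "").lower()
            rec["search_engine_referer"] = referer_host in SEARCH_ENGINE_HOSTS
            hits.append(rec)
    return hits


def suspicious_processes(lsof_text):
    """Return (pid, user, exe) for processes whose executable (the 'txt' FD)
    was deleted while running or sits under a web document root."""
    hits = []
    for line in lsof_text.splitlines():
        fields = line.split(None, 8)  # NAME may contain spaces, e.g. "(deleted)"
        if len(fields) < 9 or fields[3] != "txt":
            continue
        pid, user, name = fields[1], fields[2], fields[8]
        if name.endswith("(deleted)") or any(m in name for m in WEB_ROOT_MARKERS):
            hits.append((pid, user, name))
    return hits


def deleted_executables_from_proc(proc_root="/proc"):
    """Live equivalent of the lsof check on Linux: the /proc/<pid>/exe link of
    a process whose binary was unlinked carries a ' (deleted)' suffix."""
    hits = []
    if not os.path.isdir(proc_root):
        return hits
    for pid in os.listdir(proc_root):
        if not pid.isdigit():
            continue
        try:
            exe = os.readlink(os.path.join(proc_root, pid, "exe"))
        except OSError:  # permission denied or the process is already gone
            continue
        if exe.endswith(" (deleted)"):
            hits.append((pid, exe))
    return hits


if __name__ == "__main__":
    for rec in suspicious_posts(SAMPLE_ACCESS_LOG):
        tag = " [search-engine referer]" if rec["search_engine_referer"] else ""
        print("POST to script in static dir:", rec["ip"], rec["path"] + tag)
    for pid, user, name in suspicious_processes(SAMPLE_LSOF):
        print("process to inspect:", pid, user, name)
    for pid, exe in deleted_executables_from_proc():
        print("running from deleted binary:", pid, exe)
```

Feed suspicious_posts() the concatenated vhost access logs (for Plesk 8 typically under /var/www/vhosts/<domain>/statistics/logs/) and suspicious_processes() the output of lsof -u apache; the /proc check needs root to read other users' exe links. Restarting Apache, as the thread found, kills a worker running from a deleted binary, which is exactly why the evidence vanished each time.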
     
  8. Chris-M (Guest)
     
    Hi atomicturtle,

    We can't find anything physical on the server which references the URLs that the sites are being redirected to, and I also don't see any manipulation of any .htaccess files. I'm baffled.

    I suspect it may be a PHP script that's been exploited because it's odd that the problem is fixed by restarting Apache. The problem first occurred on Wednesday, we restarted httpd and then it was fine, then it re-occurred today. Again restarting httpd resolved the issue. We've locked down all the 'dangerous' PHP functions in /etc/php.ini:

    Is there anything else you would suggest we can do?

    Thanks.
     