
virus across all domains, changing content of requested page

RellerB
I currently have a production server setup with a large quantity of domains being hosted. During the past week, the server has been attacked by a virus and a team of administrators has had zero luck tracking it down.

Here are the symptoms:
1) Attacks all domains randomly
2) Occurs on random page loads
3) The virus comes and goes, but has always returned
4) When a page is requested, regardless of domain and page, the requested page is not sent but an HTML page with infected JavaScript (the page is designed to redirect the user to some third-party site to purchase virus protection). Below is the HTML page that is sent.

We have scanned and rescanned the server and nothing has come up. At this point my best guess is that someone is able to execute remote code which intercepts the page requests.

How can I track down what the entry point is? Can anyone offer any advanced suggestions where to start?

Thanks!!

Best wishes,

Reller

INFECTED HTML PAGE:
<html><head><script type="text/javascript" language="javascript">
var nxdxwfc=new Date(); nxdxwfc.setTime(nxdxwfc.getTime()+014*074*074*01750);
document.cookie="\x6e\x5f\x73e\x73\x73\x5f\x69\x64\x3d5d\x392\x32\x6181\x64\x62\x36\x38\x66\x665\x31\x64\x65b\x31\x6225\x6554d\x620\x325\x65"+"\x3b\x20pat\x68\075\x2f;\x65xpir\x65s="+nxdxwfc.toGMTString();
</script>
</head><body></body></html>
 
I got the same problem

I got the same problem and I can't find the real problem either; it seems that it is a process that is running server-wide and not in the sites. I changed FTP passwords and the problem does not change.

Any ideas!

P.S.: I noticed strange Java usage in the server's Tomcat, but I don't have any Java apps running, so I turned off the Tomcat service and the problem got fixed temporarily, but it seems to be constantly returning even if Java is disabled. So maybe that is not the way it is propagating.
 
Same thing happens to me, this is my server setup:

Centos 5.3
Apache 2.2.3
PHP 5.1.6
MySQL 5.0.77

Don't know if it's an Apache bug or a PHP one; trying to figure it out. Right now I'm downloading the entire websites I have online and will run anti-virus software on all of them to see if one might have malicious PHP code in it. Did you do this already?

Best regards!

Update: I ran the anti-virus on all of the websites I have hosted and none of them were infected. Also, I deactivated the proxy modules from Apache to see if that has something to do with it.
 
Great information, RellerB!!! Thanks!! I found two PHP files infected in two of the domains hosted on the server!! Thanks again!!!
 
Use this command in your server's terminal:

find / -type f -print0 | xargs -0 grep "<http://xoops.instant-zero.com/>"

This command will search the entire server and look for files with the "<http://xoops.instant-zero.com/>" string in them; that is the one that has the virus.

After finding them, delete those files, and also in the directories where you find them look for the HTML files infected with the JavaScript virus code.
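As an added analysis example (my own code, not posted by anyone in this thread): decoding the hex and octal escapes in the injected page shown earlier reveals what the script actually sets, and a read-only scan reports files containing the indicator string from the find command above. The cookie string, the expiry expression and the URL are copied from the thread; the sample file contents are constructed.

```python
import os
import re

# Constructed sample: the two cookie strings and the expiry expression from the
# injected page posted in this thread, copied verbatim as raw strings.
COOKIE_ESC = (r"\x6e\x5f\x73e\x73\x73\x5f\x69\x64\x3d5d\x392\x32\x6181\x64\x62"
              r"\x36\x38\x66\x665\x31\x64\x65b\x31\x6225\x6554d\x620\x325\x65")
SUFFIX_ESC = r"\x3b\x20pat\x68\075\x2f;\x65xpir\x65s="
EXPIRY_EXPR = "014*074*074*01750"

# Indicators taken from this thread: the URL the find command greps for, and
# the opening bytes of the obfuscated cookie string as it appears in a file.
INDICATORS = [b"http://xoops.instant-zero.com/", b"\\x6e\\x5f\\x73e\\x73\\x73"]

_ESCAPE = re.compile(r"\\x([0-9a-fA-F]{2})|\\([0-7]{1,3})")

def decode_js_escapes(s: str) -> str:
    """Expand JavaScript \\xHH and legacy \\OOO octal escapes to plain text."""
    return _ESCAPE.sub(
        lambda m: chr(int(m.group(1), 16)) if m.group(1) else chr(int(m.group(2), 8)),
        s)

def js_octal_product(expr: str) -> int:
    """Evaluate a product of JS number literals; a leading 0 marks legacy octal."""
    total = 1
    for tok in expr.split("*"):
        tok = tok.strip()
        total *= int(tok, 8) if len(tok) > 1 and tok.startswith("0") else int(tok)
    return total

def scan_contents(items, needles=INDICATORS):
    """Return the names of (name, bytes) items containing any indicator."""
    return [name for name, data in items if any(n in data for n in needles)]

def scan_tree(root, needles=INDICATORS):
    """Walk a directory tree and report matching files; nothing is modified."""
    def walk():
        for d, _, files in os.walk(root):
            for f in files:
                p = os.path.join(d, f)
                try:
                    with open(p, "rb") as fh:
                        yield p, fh.read()
                except OSError:
                    continue
    return scan_contents(walk(), needles)

if __name__ == "__main__":
    print(decode_js_escapes(COOKIE_ESC) + decode_js_escapes(SUFFIX_ESC))
    print("cookie lifetime (hours):", js_octal_product(EXPIRY_EXPR) / 3_600_000)
```

Decoding shows the script only sets a `n_sess_id` cookie with a 12-hour lifetime, which is why a repeated request from the same browser can come back clean while the server is still compromised; `scan_tree("/var/www")` lists candidate files for manual review.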
 
We've added rules into clamav to detect this kind of thing as well.

Any time you get a server-wide attack like this across multiple independent accounts it's indicative of a total compromise, and generally means you need to re-image the system from trusted media once you've identified the vector used to compromise the system.
 