Trojan detected on initial load of site

Posted by geekie246, 01-08-2008, 02:10 PM
Hi. I have 2 reseller accounts with one provider, and in the last several days I have noticed that when you visit the site for the first time, my AV software detects a trojan on the site, but the code & HTML files are 100% clean! I'm suspecting that there is something being injected into the scripts from the server daemons that's either running or something else. Anyone have any suggestions?

Posted by whmcsguru, 01-08-2008, 02:19 PM
What OS, what control panel? Are your apache/php/insertothersoftwareversionshere up to date? Is your control panel up to date? It's entirely possible that this is a 'false alert', though I have seen an increasing number of 'javascript' injections in the past few months. Go through the index page to these sites; does there appear to be some sort of unknown, encoded javascript?

Posted by geekie246, 01-08-2008, 05:26 PM
The host is running cPanel 11.16.0 (Stable) and it's running off a Linux OS with 2.6.9-42.EL kernel. One site runs pure HTML, no other scripts on the site ... and gets this error. The other sites run PHP and this happens to them as well. To my knowledge, all the modules are up-to-date. I've emailed support and they have indicated there "is no problem", but yet, every virus scan program detects problems. Like I said, first or second visit to the site and it pops up. Subsequent visits, no virus detected.

Posted by boonchuan, 01-08-2008, 05:30 PM
Maybe you should try to find a security guy to help you harden and secure your system.

Posted by geekie246, 01-08-2008, 10:20 PM
It's a reseller account, shouldn't the host be responsible for that? This company is saying "nothing is wrong". LOL! Typical stuff from them.

Posted by ub3r, 01-08-2008, 10:41 PM
Send us a link to the page that is throwing back the trojan detection errors.

Posted by geekie246, 01-09-2008, 01:20 PM
I don't want to post it here, I don't want anyone not running AV software to be infected. I can PM it to you if you like.

Posted by ub3r, 01-09-2008, 02:19 PM
If you can't post a link, then we can't help you.

Posted by geekie246, 01-09-2008, 02:51 PM
Here are the URLs ... please note that these may cause an attempt to infect your PC with a trojan ... http://www.affordablehosting.ca/ http://www.newfoundlandbusinesses.ca/ The support company is working to resolve these issues; when I last checked, they were still attempting to run the script. This will usually only happen the first or second time you go to the site, unless you clear your browser cache ... then it will happen again.

Posted by ub3r, 01-09-2008, 04:27 PM
Your support company are idiots, and you should not give them any more money. Each of those files contains calls to nonexistent javascript files: newfoundlandbusiness: affordablehosting.ca: Look at your files, right around the opening tag. If it contains a call to a javascript that doesn't exist, or is 5 characters, remove it. This is probably just getting picked up by your anti-virus because it follows a common pattern from some previous virus propagations. Last edited by ub3r; 01-09-2008 at 04:30 PM.

Posted by geekie246, 01-09-2008, 05:55 PM
Thanks, I have seen those things in the source when the AV software goes off, but here's the kicker: these are not part of the source that I have uploaded or that exists there right now at all. The files themselves do NOT contain this! It is getting injected into the source somehow. As the source is 100% clean (I have verified it many times), how does it get inserted into the code when the page loads? It has to come from the server side, correct? Last edited by geekie246; 01-09-2008 at 06:01 PM.

Posted by foobic, 01-09-2008, 07:07 PM
It seems to be a random 5-letter filename (I saw gkudw.js) and presumably a non-existent file in the OP's account, but when I requested it I got it - looks like a typical malicious script. Have the sites just gone offline? Perhaps the host's starting to take notice at last.
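A way to turn the observations in ub3r's and foobic's posts into a repeatable check, as an added example that is not part of the thread: fetch the page as the server actually serves it, compare it with the copy on disk, and flag any `<script src>` that appears only in the served copy, treating a five-letter `.js` name like the one foobic saw as suspicious. The two HTML documents inside `demo()` are constructed for the example; in practice the served copy would come from `curl` with caching bypassed, since the thread notes the tag only shows up on a fresh load.

```shell
#!/bin/sh
# Added example, not code from the thread. Compares the HTML a server actually
# serves with the file on disk and reports <script src="..."> tags that exist
# only in the served copy. The two documents in demo() are constructed.

# sed program: after splitting the input on '<', every line that starts with
# "script" has its src attribute printed (double or single quotes accepted).
SRC_PAT="s/^script[^>]*src=[\"']\([^\"']*\)[\"'].*/\1/p"

# Print every <script src> value in file $1, one per line, lower-cased.
script_srcs() {
    tr '<' '\n' < "$1" | tr 'A-Z' 'a-z' | sed -n "$SRC_PAT"
}

# Print src values present in the served copy ($2) but absent from disk ($1).
injected_srcs() {
    tmp=$(mktemp -d)
    script_srcs "$1" | sort -u > "$tmp/disk"
    script_srcs "$2" | sort -u > "$tmp/served"
    comm -13 "$tmp/disk" "$tmp/served"
    rm -rf "$tmp"
}

# Return 0 when the basename of $1 is exactly five letters followed by .js,
# the shape of the names reported in the thread (e.g. gkudw.js).
looks_like_random_js() {
    case "${1##*/}" in
        [a-z][a-z][a-z][a-z][a-z].js) return 0 ;;
        *) return 1 ;;
    esac
}

# Classify each injected src as SUSPICIOUS (random five-letter name) or ADDED.
report_injections() {
    injected_srcs "$1" "$2" | while read -r src; do
        if looks_like_random_js "$src"; then
            echo "SUSPICIOUS $src"
        else
            echo "ADDED $src"
        fi
    done
}

# Constructed sample: the on-disk page, and a served copy with one tag
# inserted right after the opening tag, as the thread describes.
demo() {
    dir=$(mktemp -d)
    cat > "$dir/index.html" <<'EOF'
<html><head><title>Example</title>
<script src="/js/menu.js"></script></head>
<body>Hello</body></html>
EOF
    cat > "$dir/served.html" <<'EOF'
<html><script src="gkudw.js"></script><head><title>Example</title>
<script src="/js/menu.js"></script></head>
<body>Hello</body></html>
EOF
    report_injections "$dir/index.html" "$dir/served.html"
    rm -rf "$dir"
}

demo
```

Against a live site you would replace the served sample with something like `curl -s -H 'Cache-Control: no-cache' http://example.invalid/ > served.html` and point `report_injections` at the account's real `index.html`; a non-empty report from a page whose on-disk source is clean is exactly the evidence geekie246 was trying to give the host.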

Posted by geekie246, 01-09-2008, 08:00 PM
One of the sites has gone offline. I'm hoping the support people are fixing whatever is wrong. It's definitely on the server side of things. I've managed to at least convince them of that.

Posted by geekie246, 01-10-2008, 12:07 PM
OK, the host is still indicating that there are no problems on the servers that I'm hosted on. I cannot seem to get it through their thick skulls that there is something wrong with the servers. The servers are obviously compromised. I have no SSH access and don't know what to tell them to look for. Suggestions?

Posted by Ramprage, 01-10-2008, 12:09 PM
Could be modifying the Apache memory in real time to load the iframe, could be they manually injected code into the web pages, could be a bunch of different things. They need to hire someone to investigate it. Seen many times before, nothing new.

Posted by k3oni, 01-10-2008, 01:19 PM
Just tell your "host" to login to the server and try this: touch /root/1 or whatever directory that contains only numbers, and they will see the issue; they won't be able to create a directory that contains only numbers, if this is the issue I am thinking of. If that is the case this is related to a rootkit I got around in the last weeks more and more frequently.
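The check k3oni describes, made repeatable and kept out of /root, as an added example that is not the thread's own script: it creates a digits-only file and a digits-only directory in a scratch location and confirms that each is both creatable and visible, since a name-hiding rootkit can let creation succeed while a lookup or a listing lies. The digit strings used as names are constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the thread. Reproduces the check k3oni suggests
# (create a name made only of digits) in a throwaway directory rather than
# /root, and verifies the result three ways: creation succeeds, a direct
# lookup sees it, and a directory listing includes it.

# $1: directory to test in (default: a fresh temporary directory, removed
# afterwards). Prints one OK/FAIL line per test; returns 0 only if all pass.
numeric_name_check() {
    made=""
    if [ -n "$1" ]; then
        dir=$1
    else
        dir=$(mktemp -d)
        made=$dir
    fi
    status=0
    # constructed digits-only names: a short one and a longer one
    for name in 1 20080110; do
        # file with a digits-only name
        if touch "$dir/$name" 2>/dev/null && [ -f "$dir/$name" ] \
            && ls -a "$dir" | grep -qx "$name"; then
            echo "OK   file $name created and listed"
        else
            echo "FAIL file $name"
            status=1
        fi
        rm -f "$dir/$name"
        # directory with a digits-only name
        if mkdir "$dir/$name" 2>/dev/null && [ -d "$dir/$name" ] \
            && ls -a "$dir" | grep -qx "$name"; then
            echo "OK   dir  $name created and listed"
        else
            echo "FAIL dir  $name"
            status=1
        fi
        rmdir "$dir/$name" 2>/dev/null
    done
    if [ -n "$made" ]; then
        rmdir "$made"
    fi
    return $status
}

numeric_name_check
```

On a clean machine every line reads OK; any FAIL on a box whose pages are being altered on the way out is worth handing to the host, together with the path that was tested, before asking them to reload it.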

Posted by bitserve, 01-10-2008, 01:58 PM
The suckit rootkit does this. I don't know if that's the one k3oni is referring to. It seems like it could also be just an HTML injection if they have a reverse proxy or something.

Posted by dragon2611, 01-10-2008, 06:39 PM
Seems to have managed to hit my server as well. Anyone know how this thing gets installed? Getting an OS reload done as I broke something as well, so no chance of recovering, but I don't want to be hit again once the server has been rebuilt.

Posted by k3oni, 01-10-2008, 06:49 PM
The only way to get rid of it would be an OS reinstall or a custom patched kernel, but if you were already hit with this, patching the kernel may result in a few library errors and so on, so in the end the best way is to reinstall the OS on the server and from the start install a patched kernel. It seems that it is running in the kernel somehow (I have not managed to find out by now how exactly it is working) and the "viruses" are inserted "on-the-fly" in the pages, so you will not find any virus on the server. Files under the accounts should be OK and could be restored. This is not only a cPanel related issue, as it was seen also on Plesk servers. Kernel part: it seems that the old 2.4 static kernels are OK and show no sign of this issue. Still looking to see exactly how it works, but by now I was only able to find out how to prevent it, which for a start is enough.

Posted by dragon2611, 01-10-2008, 06:57 PM
Any info on that? Going to get the server kernel updated/hardened once it's been reloaded, but I'd still like to know any information that can help us ensure we don't get hit a 2nd time.

Posted by k3oni, 01-10-2008, 07:21 PM
Patch the kernel to prevent writing to /dev/kmem; you could use a version of grsec even if it is not really supported anymore.

Posted by foobic, 01-10-2008, 07:24 PM
Still doing it now I see... Find a new host with competent tech support. You may have to pay a bit more than you're paying now for a reseller account though. Last edited by foobic; 01-10-2008 at 07:25 PM. Reason: removed specifics!

Posted by geekie246, 01-10-2008, 11:26 PM
I have started the search for a new host. I have little (well, no) confidence in the current support or hosting company, as this has been ongoing for some time and the answers that I have gotten are "Everything is fine". And yes, it is still doing it. Very sad.

Posted by mathew_p_a, 01-11-2008, 12:12 PM
Does a grsec patch or kernel upgrade fix the issue? I also had a client site face this exact trouble.

Posted by Ramprage, 01-11-2008, 12:18 PM
grsec might help, can anyone confirm? Some details about suckit http://www.la-samhna.de/library/rootkits/list.html

Posted by geekie246, 01-11-2008, 05:38 PM
Host still has not resolved this, I've contacted a new provider, migrating clients over the weekend!!!

Posted by bitserve, 01-11-2008, 06:49 PM
It is my understanding that the grsecurity patches can help prevent someone from exploiting vulnerabilities in subsystems to get root access. The grsecurity patches are worthless once someone gets root access, as the root user can pretty much install his or her own kernel. It depends on how the criminal first gained root access whether the grsecurity patch would have helped.

Posted by geekie246, 01-12-2008, 04:51 PM
The host has indicated they are reloading the server ... I guess they have finally realized that there is a problem.

Posted by dragon2611, 01-12-2008, 05:25 PM
The monolithic grsec security kernel I tried to build ended up blocking all TCP traffic; seems it doesn't like APF. There's a thread about it somewhere.

Posted by k3oni, 01-12-2008, 05:54 PM
See that APF has under conf.apf this setting: MONOKERN="0". Modify that and set it to 1 and see if you have the same issue with the new patched kernel. I hope this does the job for you.

Posted by dragon2611, 01-12-2008, 05:55 PM
It is on 1, since the stock CentOS 5.x kernel is monolithic as well.

Posted by k3oni, 01-12-2008, 05:57 PM
OK, in that case I suppose you already disabled APF and with it disabled everything works. Try and use a few iptables-only rules, not loaded by APF, and see if that works.

Posted by dragon2611, 01-12-2008, 06:33 PM
No, actually, since I had to get the datacenter to reboot the thing back into the previous kernel, I didn't want to play with that kernel too much, since I didn't think they'd appreciate me asking them for a reboot every couple of minutes.

Posted by Scott.Mc, 01-12-2008, 06:43 PM
This thread: http://www.webhostingtalk.com/showthread.php?t=651748 pretty much explains the same thing (it is the same thing, based on the js that was coming from the OP's page). Just to note, it's not suckit or adore-ng as many people seem to want to claim; those are pretty much the 2 most well known, which is why everyone rants about them. However they are old, but most people that I have encountered have almost always been told that it's adore-ng or suckit simply because their "admins" google for rootkits. Adore-ng was actually pretty easy to detect; you could pick it out just by reading the strings in the memory.

Posted by geekie246, 01-14-2008, 12:19 AM
Host has indicated they have "patched" the kernel, but the sites are still doing the same thing. Migration is almost fully complete now to a new host. They don't seem to be taking this too seriously!

Posted by dragon2611, 01-14-2008, 09:53 PM
Try again, and if you don't get anywhere, then I highly suggest you report them to their datacenter and see if you can get anywhere with that. I must admit I wasn't the fastest in dealing with it; in fact I'm pretty ashamed of my response time when dealing with this. I was unfortunately away from home (and I'd managed to break my laptop) when our server got exploited, so I was browsing one of my forums on a public computer (along with other sites), so when the anti-virus popped up a warning about a js.bloodhound virus I at first assumed it came from somewhere else. None of our other users (we rent a server to host our sites and a few friends' sites) had reported anything to me, so I at first just assumed it had come from somewhere else, until my friend reported an ActiveX attempting to load, but of course on checking, the site's code looked clean and it didn't appear again (which I now know why). It wasn't until we decided to check cPanel's forums and here that we realised exactly what we'd been hit with. Anyway, back to my point: if the host doesn't want to acknowledge the problem, see if you can get an abuse case raised with the datacenter; that should give them the kick up the backside they need. Admittedly, while I'd much prefer someone try to make contact with me in the first instance, I'd like to think I'd be somewhat understanding if I was to find my server unplugged and the reason given by the datacenter was that it was found to be serving up malware, because at the end of the day, while downtime isn't good, I'd much rather have a few sites offline than be responsible for infecting visitors with something nasty.

Posted by papi, 01-15-2008, 12:01 AM
A monolithic kernel is one where all the modules are compiled into the kernel and the LKM is disabled - from what I understand anyway. There is no way that a distro such as CentOS uses a monolithic kernel, as that would mean the kernel would be HUGE, as all the required modules for all the possible hardware would have to be compiled into the kernel. From personal experience, CentOS kernels are approx. 10mb in size (so no chance all the possible modules are compiled in) and LKM is enabled. Anyway, it's beside the point really - according to reports this does not appear to be a kernel root hole anyway (as affected machines had kernels all the way from 2.4 to the latest 2.6 ones). Also, you may want to keep discussing this issue in this thread, as it's one and the same thing: http://www.webhostingtalk.com/showthread.php?t=651748
