Posted to users@httpd.apache.org by Juan Soprano <to...@hotmail.com> on 2009/09/28 16:34:05 UTC

[users@httpd] Apache - HTTP Reply - Javascript Virus

I currently have a production server setup with a large quantity of domains
being hosted. During the past week, the server has been attacked by a virus
and I have had zero luck tracking it down.

Here are the symptoms:
1) Attacks all domains randomly
2) Occurs on random page loads
3) The virus comes and goes, but has always returned (on the first HTTP
request to any of the domains the reply is the JavaScript code; the
second request from the same browser gets the correct HTTP reply from the
website)
4) When a page is requested, regardless of domain and page, the requested
page is not sent but an html page with infected javascript (the page is
designed to redirect the user to some third party site to purchase virus
protection). Below is the html page that is sent.
5) Restarting the HTTPD service fixes the issue temporarily.

My server setup is the following:
Centos 5.3
Apache 2.2.3
PHP 5.1.6
MySQL 5.0.77

I have scanned and rescanned the server and nothing has come up. At this
point my best guess is that someone is able to execute remote code which
intercepts the page requests. 

How can I track down what the entry point is? Can anyone offer any advanced
suggestions where to start? 

Thanks!!

Best wishes,

Juan

INFECTED HTML PAGE:
<html><head><script type="text/javascript" language="javascript">
var nxdxwfc=new Date( );
nxdxwfc.setTime(nxdxwfc.getTime( )+014*074*074*01750);
document.cookie="\x6e\x5f\x73e\x73\x73\x5f\x69\x64"
  +"\x3d5d\x392\x32\x6181\x64\x62\x36\x38\x66\x665\x31"
  +"\x64\x65b\x31\x6225\x6554d\x620\x325\x65"
  +"\x3b\x20pat\x68\075\x2f; \x65xpir\x65s="+nxdxwfc.toGMTString( );
</script>
</head><body></body></html>


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
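
The following is an added example, not part of the thread or of Apache httpd, written from the defender's side of the symptoms above. It decodes the hex and octal escapes in the cookie-setting stub the poster received (revealing the cookie name, the value, and that the 014*074*074*01750 expiry is twelve hours), flags a reply of that shape, and reproduces the first-request/second-request behaviour by replaying the cookie the script would have set. Only the Python standard library is used; the sample reply is reconstructed from the post with the e-mail line wraps joined, and the clean reply is constructed.

```python
"""Decode and detect the obfuscated cookie-setter seen in the thread (added example)."""
import re
import urllib.request

# Constructed sample: the injected reply quoted in the post, line wraps joined.
SAMPLE_INJECTED = (
    '<html><head><script type="text/javascript" language="javascript"> var '
    'nxdxwfc=new Date( ); nxdxwfc.setTime(nxdxwfc.getTime( )+014*074*074*01750); '
    'document.cookie="\\x6e\\x5f\\x73e\\x73\\x73\\x5f\\x69\\x64\\x3d5d\\x392\\x32'
    '\\x6181\\x64\\x62\\x36\\x38\\x66\\x665\\x31\\x64\\x65b\\x31\\x6225\\x6554d'
    '\\x620\\x325\\x65"+"\\x3b\\x20pat\\x68\\075\\x2f; \\x65xpir\\x65s="'
    '+nxdxwfc.toGMTString( ); </script></head><body></body></html>'
)
# Constructed sample: an ordinary reply from the real site.
SAMPLE_CLEAN = '<html><head><title>Shop</title></head><body><h1>Welcome</h1></body></html>'

_ESC = re.compile(r"\\x([0-9a-fA-F]{2})|\\([0-7]{1,3})")
_HEX_COOKIE = re.compile(r'document\.cookie\s*=\s*"[^"]*\\x[0-9a-fA-F]{2}')
_EMPTY_BODY = re.compile(r"<body>\s*</body>", re.I)


def decode_js_string(s):
    """Resolve JavaScript \\xNN hex and \\NNN octal escapes to plain characters."""
    def repl(m):
        if m.group(1) is not None:
            return chr(int(m.group(1), 16))
        return chr(int(m.group(2), 8))
    return _ESC.sub(repl, s)


def octal_literal_product(expr):
    """Evaluate a product of legacy JS numerals such as 014*074*074*01750.
    A leading 0 makes the numeral octal in non-strict JavaScript, so this is
    12*60*60*1000 ms, i.e. a twelve-hour cookie."""
    total = 1
    for tok in expr.split("*"):
        tok = tok.strip()
        total *= int(tok, 8) if len(tok) > 1 and tok.startswith("0") else int(tok)
    return total


def explain_cookie_setter(body):
    """Pull the document.cookie expression apart and return what it really sets."""
    m = re.search(r'document\.cookie\s*=\s*((?:"[^"]*"\s*\+\s*)*"[^"]*")', body)
    if not m:
        return None
    literal = "".join(re.findall(r'"([^"]*)"', m.group(1)))
    decoded = decode_js_string(literal)
    name, _, rest = decoded.partition("=")
    value = rest.split(";", 1)[0]
    ttl = re.search(r"getTime\(\s*\)\s*\+\s*([0-9*\s]+)\)", body)
    return {
        "name": name,
        "value": value,
        "attrs": rest[len(value):].strip(),
        "ttl_ms": octal_literal_product(ttl.group(1)) if ttl else None,
    }


def is_injected_reply(body):
    """Flag a reply that is only a hex-obfuscated cookie setter with an empty body."""
    return bool(_HEX_COOKIE.search(body) and _EMPTY_BODY.search(body))


def probe(url, opener=None):
    """Fetch url once; if the reply is the injected stub, replay the cookie it
    would have set and fetch again, reproducing the browser's first/second
    request behaviour described in the post. Network access required."""
    opener = opener or urllib.request.build_opener()
    first = opener.open(url, timeout=10).read().decode("utf-8", "replace")
    if not is_injected_reply(first):
        return {"injected": False}
    info = explain_cookie_setter(first)
    req = urllib.request.Request(url, headers={"Cookie": f"{info['name']}={info['value']}"})
    second = opener.open(req, timeout=10).read().decode("utf-8", "replace")
    return {"injected": True, "cookie": info, "clean_with_cookie": not is_injected_reply(second)}


if __name__ == "__main__":
    print(explain_cookie_setter(SAMPLE_INJECTED))
    print("injected:", is_injected_reply(SAMPLE_INJECTED), is_injected_reply(SAMPLE_CLEAN))
```

Running `probe()` against an affected vhost from a host with a fresh cookie state, repeatedly over a day, gives a log of when the injection is active; the twelve-hour expiry explains why a browser that has already been served the stub sees the real site afterwards.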


Re: [users@httpd] Apache - HTTP Reply - Javascript Virus

Posted by Matus UHLAR - fantomas <uh...@fantomas.sk>.
On 28.09.09 11:34, Juan Soprano wrote:
> I currently have a production server setup with a large quantity of domains
> being hosted. During the past week, the server has been attacked by a virus
> and I have had zero luck tracking it down.
> 
> Here are the symptoms:
> 1) Attacks all domains randomly
> 2) Occurs on random page loads
> 3) The virus comes and goes, but has always returned (on the first HTTP
> request to any of the domains the reply is the JavaScript code; the
> second request from the same browser gets the correct HTTP reply from the
> website)
> 4) When a page is requested, regardless of domain and page, the requested
> page is not sent but an html page with infected javascript (the page is
> designed to redirect the user to some third party site to purchase virus
> protection). Below is the html page that is sent.
> 5) Restarting the HTTPD service fixes the issue temporarily.
> 
> My server setup is the following:
> Centos 5.3
> Apache 2.2.3
> PHP 5.1.6
> MySQL 5.0.77
> 
> I have scanned and rescanned the server and nothing has come up. At this
> point my best guess is that someone is able to execute remote code which
> intercepts the page requests. 
> 
> How can I track down what the entry point is? Can anyone offer any advanced
> suggestions where to start? 

Check first whether your server has been hacked.
Our customers' websites are also subject to virus attacks, but the attackers
only modify their files using FTP. The behaviour you describe indicates something
plugged into Apache...

-- 
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do not want to receive any advertising mail at this address.
Spam is for losers who can't get business any other way.

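The reply's suspicion, something plugged into Apache rather than edited site files, is the kind of change a file-integrity baseline catches. The block below is an added example, not from the thread or from any project: it hashes every file under the Apache configuration and module directories, stores the manifest, and reports what was added, removed or modified since the baseline. The directory paths are the usual CentOS locations and are an assumption; the demo runs the same flow on a constructed temporary tree.

```python
"""File-integrity baseline for Apache config and module directories (added example)."""
import hashlib
import json
import os
import tempfile

# Typical CentOS 5 locations (assumed, not taken from the post); adjust to the host.
DEFAULT_ROOTS = ["/etc/httpd", "/usr/lib64/httpd/modules", "/etc/php.d"]


def sha256_file(path):
    """SHA-256 of a file, read in chunks so large modules do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(roots):
    """Map every regular file under the given roots to its SHA-256."""
    manifest = {}
    for root in roots:
        for dirpath, _, files in os.walk(root):
            for name in files:
                path = os.path.join(dirpath, name)
                if os.path.isfile(path):
                    manifest[path] = sha256_file(path)
    return manifest


def save_manifest(manifest, dest):
    """Write the baseline; keep the copy off the host, since an intruder can edit it."""
    with open(dest, "w") as f:
        json.dump(manifest, f, indent=1, sort_keys=True)


def load_manifest(src):
    with open(src) as f:
        return json.load(f)


def diff_manifests(baseline, current):
    """Report paths that appeared, vanished, or changed content since the baseline."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in baseline.keys() & current.keys() if baseline[p] != current[p])
    return {"added": added, "removed": removed, "modified": modified}


def demo():
    """Run the flow on a constructed temporary tree: take a baseline, then edit
    httpd.conf and drop an extra module in, the kind of change the reply suspects.
    File names and contents are placeholders made up for this example."""
    with tempfile.TemporaryDirectory() as tmp:
        conf = os.path.join(tmp, "conf", "httpd.conf")
        mods = os.path.join(tmp, "modules")
        os.makedirs(os.path.dirname(conf))
        os.makedirs(mods)
        with open(conf, "w") as f:
            f.write("LoadModule php5_module modules/libphp5.so\n")
        with open(os.path.join(mods, "libphp5.so"), "wb") as f:
            f.write(b"\x7fELF constructed placeholder")
        baseline = build_manifest([tmp])
        # Simulated tampering after the baseline was taken.
        with open(conf, "a") as f:
            f.write("LoadModule example_module modules/mod_example.so\n")
        with open(os.path.join(mods, "mod_example.so"), "wb") as f:
            f.write(b"\x7fELF constructed placeholder 2")
        report = diff_manifests(baseline, build_manifest([tmp]))
        # Return paths relative to the temporary root so the result is deterministic.
        return {k: [os.path.relpath(p, tmp).replace(os.sep, "/") for p in v]
                for k, v in report.items()}


if __name__ == "__main__":
    print(demo())
```

On a live host, `build_manifest(DEFAULT_ROOTS)` taken right after a restart (when the poster says the problem disappears) and again once the injection returns shows exactly which file changed in between; `httpd -M` lists the modules actually loaded, and `rpm -V httpd php` checks package-owned files against the RPM database as an independent cross-check. A manifest kept on the same server can be edited by whoever modified the files, so store it elsewhere.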