Posted to users@httpd.apache.org by Matus UHLAR - fantomas <uh...@fantomas.sk> on 2009/10/08 13:48:05 UTC

Re: [users@httpd] Apache - HTTP Reply - Javascript Virus

On 28.09.09 11:34, Juan Soprano wrote:
> I currently have a production server set up with a large quantity of domains
> being hosted. During the past week, the server has been attacked by a virus
> and I have had zero luck tracking it down.
> 
> Here are the symptoms:
> 1) Attacks all domains randomly
> 2) Occurs on random page loads
> 3) The virus comes and goes, but has always returned (on the first HTTP
> request to any of the domains the reply is the javascript code, on the
> second request from the same browser gets the correct HTTP reply from the
> website)
> 4) When a page is requested, regardless of domain and page, the requested
> page is not sent but an html page with infected javascript (the page is
> designed to redirect the user to some third party site to purchase virus
> protection). Below is the html page that is sent.
> 5) Restarting the HTTPD service fixes the issue temporarily.
> 
> My server setup is the following:
> Centos 5.3
> Apache 2.2.3
> PHP 5.1.6
> MySQL 5.0.77
> 
> I have scanned and rescanned the server and nothing has come up. At this
> point my best guess is that someone is able to execute remote code which
> intercepts the page requests. 
> 
> How can I track down what the entry point is? Can anyone offer any advanced
> suggestions where to start? 

First, check whether your server has been hacked.
Our customers' web sites are also subject to virus attacks, but the attackers
only modify their files using FTP. The behaviour you describe indicates something
plugged into Apache...

-- 
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Spam is for losers who can't get business any other way.
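
Added example, not part of the original thread: one way to follow up on the "something plugged into Apache" suggestion is to check every `LoadModule` target against the RPM database and flag files that are missing, owned by no package, or changed since installation. It assumes an RPM-based host such as the CentOS system described above; the function names and the config paths in the usage comment are assumptions.

```shell
#!/bin/sh
# Audit Apache LoadModule targets against the RPM database (added example).
# Assumes an RPM-based host such as CentOS; function names are hypothetical.

# Print "name path" for every active LoadModule directive in the given files.
# Commented-out lines are skipped because their first field is "#LoadModule".
list_loadmodule_paths() {
    awk 'tolower($1) == "loadmodule" && NF >= 3 {
             gsub(/"/, "", $3)      # httpd allows the path to be quoted
             print $2, $3
         }' "$@"
}

# Relative module paths are resolved against ServerRoot, as httpd does.
resolve_module_path() {   # $1 = ServerRoot, $2 = path from the directive
    case "$2" in
        /*) printf '%s\n' "$2" ;;
        *)  printf '%s/%s\n' "$1" "$2" ;;
    esac
}

# Report modules that are missing, owned by no package, or altered on disk.
audit_modules() {         # $1 = ServerRoot, remaining args = config files
    root=$1; shift
    list_loadmodule_paths "$@" | while read -r name path; do
        file=$(resolve_module_path "$root" "$path")
        if [ ! -e "$file" ]; then
            echo "MISSING $name $file"
            continue
        fi
        real=$(readlink -f "$file")    # modules/ is often a symlink
        if ! rpm -qf "$real" >/dev/null 2>&1; then
            echo "UNPACKAGED $name $real"
        elif rpm -Vf "$real" 2>/dev/null | grep -qF " $real"; then
            echo "MODIFIED $name $real"
        fi
    done
}

# Example: sh audit.sh /etc/httpd /etc/httpd/conf/httpd.conf /etc/httpd/conf.d/*.conf
if [ "$#" -ge 2 ]; then
    audit_modules "$@"
fi
```

The result is only as trustworthy as the host's own `rpm` binary and database, so on a machine suspected of root compromise the same comparison is better run from known-good media.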