Linux servers having CPANEL - js virus hitting - Knowledgebase

Portal Home > Knowledgebase > Articles Database > Linux servers having CPANEL - js virus hitting

Linux servers having CPANEL - js virus hitting

Posted by rushik, 11-25-2007, 02:37 PM
Hi All, Earlier this week, our users started reporting that they were getting active-x prompts for Microsoft Data Access Component installation. In addition some of them were getting hit byt the RTSP bug (quicktime) and some were getting the JS/Explot-BO.gen alerts via McAfee. Upon troubleshooting, we see that irrespective of the page type (simple html, php, etc) at times a script tag similar to the one below is inserted right after the tag. The javascript file name changes and the problem only occurs at times. There is no set pattern to reproduce the problem although I have noticed that if I connect to the server via a new IP address from my DSL connection, I get the javascript in the source. I ran some sniffer traces on the server and my laptop. This showed that the javascript was being sent by the server. I was able to capture the javascript (contents of the javascript below). Solutions tried: I have checked for the filenames but they do not exist on the server. 1) Have run chkrootkit and rootkit hunter - All clean 2) Have run clamav - All clean Would appreciate if anybody could provide some inputs on what we might be dealing with and how to resolve the problem. Javascript code: var arg="akmukvfd"; var MU = "http://" + window.location.hostname + "/" + arg; var MH = ''; for (i=0; i < MU.length; i++) { var b = MU.charCodeAt (i); MH = MH + b.toString (16); } MH = MH.toUpperCase(); if (Math.round(MU.length/2) != (MU.length/2)) { MH += '00'; } var MR = ''; for (i=0; i < MH.length; i += 4) { MR = MR + '%u' + MH.substring(i+2, i+4) + MH.substring(i, i+2); } var MU2 = "\"" + MU + "\""; var MR2 = "\"" + MR + "\""; var SB = <> document.write (SB); Thanks, Regards Rushik Shah Last edited by bear; 11-25-2007 at 09:59 PM. Reason: Pointless to help spread this
Posted by Jedito, 11-25-2007, 02:49 PM
Anybody have the FTP information of all the accounts having this problem? it may be possible that a compromised computer were infecting those sites without even knew it.
Posted by David, 11-25-2007, 02:51 PM
It's more than likely it was just a deface of the specific account. Doubtful that it's an end-user's system being exploited and then FTPing up the data, far too much effort
Posted by rushik, 11-25-2007, 03:02 PM
Hi Jedito / David Thanks for your quick reply. Actually I already did this check I changed ftp passwords, but still it got effected after 3-4 days again. The matter of fact is almost all websites on the server are affected. Mostly the index . html, php files Any clue Thanks! Regards Rushik Shah
Posted by Jedito, 11-25-2007, 03:09 PM
There's an trojan which does this automatically, the trojan infect the computer and pickup all the FTP book of any FTP program installed in the computer, it does send it to the "hacker" which lately use it to upload the infected data, this happened to one of my resellers awhile ago. to the OP, check on the FTP logs of the affected account which files were uploaded and check if the IP uploading those files mismatch in all them.
Posted by sash, 11-25-2007, 04:21 PM
Hi, Which platforms does this trojan infects? Do you know its name? Thanks, sash
Posted by BudgetVPS, 11-25-2007, 07:21 PM
Is there a way to stop this from happening on a cpanel server?
Posted by zacharooni, 11-25-2007, 08:42 PM
Looks like a buffer overflow JS exploit. NoScript stops it, but I would do this: find / -name *.js | xargs grep unescape
Posted by IPv6, 11-25-2007, 08:46 PM
The code is here: <> Last edited by anon-e-mouse; 11-25-2007 at 09:04 PM.
Posted by zacharooni, 11-25-2007, 08:57 PM
Also, check xferlog and see who uploaded it.
Posted by snickn, 11-25-2007, 09:04 PM
To clarify, there is absolutely no evidence provided that this is at all isolated to cPanel even if it is in fact an issue.
Posted by zacharooni, 11-25-2007, 09:05 PM
Don't paste code like that on a public forum.
Posted by IPv6, 11-25-2007, 09:43 PM
It's already in the OP, just URI encoded.
Posted by bear, 11-25-2007, 10:00 PM
Not any more. Let's try not to feed the "kiddies".
Posted by AndyB78, 11-28-2007, 06:58 AM
Hello Rushik, I can second your findings. The exploit appears all the time on different pages (the page indicated by KIS keeps changing, usually HTML) and it doesn't appear twice for the same IP and this seems to me to be related to IE only. Have you discovered anything new? There is usually NO unescape(), no eval(), no iframe anywhere on the affected accounts. The .js file (this also changes) doesn't even exist anywhere on the server. It's like Trojan-Downloader.JS.Small.fs gets generated on the fly (in our case it tries to download a Exploit.HTML.IESlice.n from <> Any clue anyone? Thanks and regards! Last edited by bear; 11-28-2007 at 07:27 AM.
Posted by rushik, 11-29-2007, 01:34 AM
Hi Andy, I am still trying to find out what would be best way to get it out. As i tried to consult many data centers companies, but the only solution they think of is OS reload. Let me know if you find anything. Any help from anybody would be greatly appreciated. Thanks! Regards Rushik
Posted by Ramprage, 11-29-2007, 10:34 AM
You need to scan all your user accounts for malicious files, not just .js now. An OS reload isn't needed in this case unless you've been rooted which is uncommon in this type of attack.
Posted by AndyB78, 11-30-2007, 03:17 AM
Hello Ramprage, This has absolutely nothing to do with the site itself. One simple test confirms it. Create a new account in WHM, upload a HTML file that is not even HTML (just plain text), change your IP and when you try to visit the "page", it already contains a 5 random character name .js inclusion that can be seen only in browser by viewing the source but not on the server. It gets added somehow on the fly... Regards!
Posted by Scott.Mc, 11-30-2007, 03:29 AM
I know what exploit this is, it injects at the kernel level. You can find it by writing a module for the kernel that lists all loaded modules (it will be hidden from /proc/modules), you also verify it's the same thing by trying to create a file/directory that starts with a number you should get something to the effect of "No such file/directory" (this is part of the rootkit) - otherwise you can go for the quick fix and that is to get a working grsec version that protects writing to /dev/kmem, but good luck compiling because of the number at the start of the file/directories. There are quite a few variants of this some even stop /boot/map from being written so you'll struggle to even get a new kernel without a rescue cd.
Posted by rushik, 01-04-2008, 04:00 PM
Hi All, I wanted to see if anybody got some more insight on the same to resolve the issue. Thanks! Regards Rushik
Posted by StevenG, 01-04-2008, 05:58 PM
You don't have enable_dl = 1 or yes do you in your php.ini? If you do, disable it! The old php hack loading a nasty library can do this, search flame.so (google,wht etc)
Posted by lithiumSEO, 01-05-2008, 12:37 AM
dotable steve - thank you for the info on flame.so, google turned up a great page about it. However, although one of my machines has all of the symptoms, I'm not able to find a flame.so or flame.anything on my server. Do you know of another file name the attackers may be using now?
Posted by StevenG, 01-05-2008, 12:49 AM
First off, Just disable enable_dl in your php.ini and restart apache. Does that solve the problem? Is the injection now solved? After, Try locate *.so or find, anything in /home with .so (but could be called anything) is due a closer inspection.. Also turning on error logging for php after disabling enable_dl might turn up where the scripts are if they exist, as you'll see attempts to load a dl in the error_log error_log = /var/log/php_error_log As an example Last edited by StevenG; 01-05-2008 at 12:56 AM.
Posted by lithiumSEO, 01-05-2008, 12:56 AM
Yes, I did disable the dl function, and I believe the injection has stopped... now to find the culprit is all. Thanks again.
Posted by Scott.Mc, 01-05-2008, 07:28 AM
The post I made above does actually explain pretty much the most common symptoms (it's not flame.so for the thread starter) more specfically you'll notice it by monitoring your packet logs for 5 letter javascript files being outputted in html, these are random 5 digits each time a page loads and are only showed once per IP. Which is done by the exploit hooking into apache by writing to /dev/kmem. The simplest fix is to just go for a grsec kernel that protects /dev/kmem but you'll likely need to boot into a rescue cd and compile that way because from what i've seen so far it will either invoke a panic when you are compiling or like I said above it prevents directories with numbers from being created. Not seen flame.so in awhile myself personally but k2host you would need to explain symptoms simply because theres so many varients and so many different things it could be.
Posted by StevenG, 01-05-2008, 07:32 AM
Well disabling enable_dl in php.ini curing the problem is a tell tale sign that it would be a variant.. to be honest not seen kernel hacks at all common with this type of issue, I'd definitely go the disable enable_dl route first... and then find the problem once the symptoms have disappeared. Not to say that anyone hasn't had a kernel hacked to do it, I just think unlikely.. and the proof is easy to find by disabling a feature in a config file.
Posted by rushik, 01-05-2008, 07:40 AM
Hi Everybody, Thanks for your input. I checked the php.ini file and its already disabled. And also I am unable to find fame.so file. I would really appreciate the same. Thanks! Regards Rushik Shah
Posted by StevenG, 01-05-2008, 07:45 AM
In your case then, it is time to get someone who knows what they are doing, as it looks like your box is rooted
Posted by rushik, 01-05-2008, 07:46 AM
Yes Scott, You are absolutely right. Regards Rushik
Posted by lithiumSEO, 01-06-2008, 01:47 AM
I've also disabled the dl function and the problems are back. I found a thread on another forum with the same symptoms I'm having, but they didn't include their solution: http://www.domelights.com/forums/ind...howtopic=17492 Who do you suggest I contact to get the server fixed? We've been pulling our hair out for days over this.
Posted by StevenG, 01-06-2008, 01:50 AM
You could compile a monolithic kernel (no modules) on a clean box and patch it with grsec. Then just copy the new kernel onto the infected box - boot from that and dig further or hire someone to fix it for you.
Posted by SamCrawford, 01-12-2008, 01:06 PM
Is it definitely a kernel module that's been poisoned / added? It seems more likely that an Apache module would have been modified and reloaded. All content served by Apache is passed via these modules, so it would be relatively trivial to implant the