I currently have a production server set up with a large quantity of domains being hosted. During the past week, the server has been attacked by a virus and I have had zero luck tracking it down.

Here are the symptoms:

1) Attacks all domains randomly
2) Occurs on random page loads
3) The virus comes and goes, but has always returned (on the first HTTP request to any of the domains the reply is the JavaScript code; the second request from the same browser gets the correct HTTP reply from the website)
4) When a page is requested, regardless of domain and page, the requested page is not sent but an HTML page with infected JavaScript (the page is designed to redirect the user to some third-party site to purchase virus protection). Below is the HTML page that is sent.
5) Restarting the HTTPD service fixes the issue temporarily.

My server setup is the following:

CentOS 5.3
Apache 2.2.3
PHP 5.1.6
MySQL 5.0.77

I have scanned and rescanned the server and nothing has come up. At this point my best guess is that someone is able to execute remote code which intercepts the page requests.

How can I track down what the entry point is? Can anyone offer any advanced suggestions where to start?

Thanks!!

Best wishes,
Juan

INFECTED HTML PAGE:

<html><head><script type="text/javascript" language="javascript">
var nxdxwfc=new Date( );
nxdxwfc.setTime(nxdxwfc.getTime( )+014*074*074*01750);
document.cookie="\x6e\x5f\x73e\x73\x73\x5f\x69\x64\x3d5d\x392\x32\x6181\x64\x62\x36\x38\x66\x665\x31\x64\x65b\x31\x6225\x6554d\x620\x325\x65"+"\x3b\x20pat\x68\075\x2f; \x65xpir\x65s="+nxdxwfc.toGMTString( );
</script>
</head><body></body></html>

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
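Added example, not part of the original post: a static decoder for the injected script quoted above, which recovers the cookie it sets and the cookie lifetime without executing the script. The sample is the script body from the post with the whitespace that line wrapping left inside the escape sequences omitted; the function names are this example's own. The decoded result (a marker cookie with a 12-hour lifetime) is consistent with symptom 3, where only the first request from a browser receives the injected page.

```javascript
// Script body from the post, kept raw so the \x and octal escapes stay undecoded.
const INJECTED = String.raw`var nxdxwfc=new Date( ); nxdxwfc.setTime(nxdxwfc.getTime( )+014*074*074*01750); document.cookie="\x6e\x5f\x73e\x73\x73\x5f\x69\x64\x3d5d\x392\x32\x6181\x64\x62\x36\x38\x66\x665\x31\x64\x65b\x31\x6225\x6554d\x620\x325\x65"+"\x3b\x20pat\x68\075\x2f; \x65xpir\x65s="+nxdxwfc.toGMTString( );`;

// Decode \xNN (hex) and \NNN (legacy octal) string escapes without evaluating anything.
function decodeJsEscapes(body) {
  return body.replace(/\\x([0-9a-fA-F]{2})|\\([0-3][0-7]{2}|[0-7]{1,2})/g,
    (_, hex, oct) => String.fromCharCode(hex !== undefined ? parseInt(hex, 16) : parseInt(oct, 8)));
}

// Multiply integer factors, treating a leading 0 as a legacy octal literal (014 is 12).
function evalLegacyProduct(expr) {
  return expr.split('*').reduce((acc, tok) => {
    const t = tok.trim();
    if (!/^\d+$/.test(t)) throw new Error('unsupported factor: ' + t);
    return acc * (/^0[0-7]+$/.test(t) ? parseInt(t, 8) : parseInt(t, 10));
  }, 1);
}

// Extract the cookie assignment and the setTime() offset from the script source.
function analyzeInjectedScript(src) {
  const start = src.indexOf('document.cookie');
  if (start < 0) return null;
  // Sticky regex: consume consecutive ="..." / +"..." string literals only.
  const lit = /\s*[=+]\s*"((?:[^"\\]|\\.)*)"/y;
  lit.lastIndex = start + 'document.cookie'.length;
  let raw = '', m;
  while ((m = lit.exec(src)) !== null) raw += m[1];
  const [pair, ...attrs] = decodeJsEscapes(raw).split(';').map(s => s.trim());
  const eq = pair.indexOf('=');
  const offset = /setTime\([^+]*\+\s*([0-9*\s]+)\)/.exec(src);
  return {
    cookieName: pair.slice(0, eq),
    cookieValue: pair.slice(eq + 1),
    attributes: attrs.filter(Boolean),
    lifetimeHours: offset ? evalLegacyProduct(offset[1]) / 3600000 : null,
  };
}

console.log(analyzeInjectedScript(INJECTED));
```

The recovered cookie name gives a concrete string to search for in a response capture when checking whether a given request was served the injected page.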