Re: Apache - HTTP Reply - Javascript Virus


 



On 28.09.09 11:34, Juan Soprano wrote:
> I currently have a production server set up with a large quantity of domains
> being hosted. During the past week, the server has been attacked by a virus
> and I have had zero luck tracking it down.
> 
> Here are the symptoms:
> 1) Attacks all domains randomly
> 2) Occurs on random page loads
> 3) The virus comes and goes, but has always returned (on the first HTTP
> request to any of the domains the reply is the javascript code, on the
> second request from the same browser gets the correct HTTP reply from the
> website)
> 4) When a page is requested, regardless of domain and page, the requested
> page is not sent but an html page with infected javascript (the page is
> designed to redirect the user to some third party site to purchase virus
> protection). Below is the html page that is sent.
> 5) Restarting the HTTPD service fixes the issue temporarily.
> 
> My server setup is the following:
> Centos 5.3
> Apache 2.2.3
> PHP 5.1.6
> MySQL 5.0.77
> 
> I have scanned and rescanned the server and nothing has come up. At this
> point my best guess is that someone is able to execute remote code which
> intercepts the page requests. 
> 
> How can I track down what the entry point is? Can anyone offer any advanced
> suggestions where to start? 

Check first whether your server has been hacked.
Our customers' websites are also subject to virus attacks, but the attackers
only modify their files using FTP. The behaviour you describe indicates something
plugged into Apache...

-- 
Matus UHLAR - fantomas, uhlar@xxxxxxxxxxx ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT want to receive any advertising mail at this address.
Spam is for losers who can't get business any other way.

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
   "   from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
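
One way to follow up on the reply's suggestion that something is plugged into Apache, as an added example that is not part of the original thread: list every `LoadModule` target in the configuration that no installed RPM package owns. The function names and the file locations in the usage comment are assumptions (CentOS default layout); `Include` directives are not followed, so pass each configuration file explicitly.

```shell
#!/bin/sh
# Added example (not from the thread): flag Apache modules that are loaded
# by the configuration but are not owned by any installed package.
#
# Usage on the host (assumed CentOS default paths, adjust as needed):
#   rpm -qal | sort -u > /root/owned.txt
#   unpackaged_modules /root/owned.txt /etc/httpd \
#       /etc/httpd/conf/httpd.conf /etc/httpd/conf.d/*.conf

# loadmodule_paths CONF...
# Print "module_name path" for every active (uncommented) LoadModule line.
loadmodule_paths() {
    awk 'tolower($1) == "loadmodule" && NF >= 3 {
             gsub(/"/, "", $3)      # drop optional quotes around the path
             print $2, $3
         }' "$@"
}

# unpackaged_modules OWNED_LIST SERVER_ROOT CONF...
# OWNED_LIST: one absolute path per line, every file owned by a package.
# SERVER_ROOT: directory that relative LoadModule paths are resolved against.
# Prints "module_name resolved_path" for each module not in OWNED_LIST.
unpackaged_modules() {
    owned=$1
    root=$2
    shift 2
    loadmodule_paths "$@" | while read -r name path; do
        case $path in
            /*) full=$path ;;
            *)  full=$root/$path ;;
        esac
        # On CentOS, ServerRoot/modules is a symlink into /usr/lib*/httpd,
        # and the package file list contains the real path, so resolve it.
        real=$(readlink -f "$full" 2>/dev/null) || real=$full
        grep -qxF "$real" "$owned" || echo "$name $real"
    done
}
```

A module that is owned by a package can still have been replaced on disk, so also run `rpm -V httpd` (and the same for any other package that ships a module) to compare the packaged files against the RPM database.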

