Dark Leech - check script

stdout

Getting reports of Redirections to Malicious/3rd Party websites?
Mailing IP landing up on tons of RBLs? Yup. It's possible... Dark Leech

I was surprised by my findings. The infection runs quietly. Don't bother tracking by file modification dates -- doesn't help.

I encourage everyone to run this if they have root to a shared server.
The script checks if your Apache installation is infected.

Code:
#!/bin/bash
# Collect every active LoadModule line from httpd.conf and from the files it Includes.
grep LoadModule /etc/httpd/conf/httpd.conf | grep -v '#' > /root/apache_modules.log
grep "Include " /etc/httpd/conf/httpd.conf | grep -v '#' | cut -d'"' -f2 | xargs grep -h LoadModule 2>/dev/null >> /root/apache_modules.log

# Run strings over each module binary and keep any Darkleech marker strings.
# Module paths are relative to ServerRoot (/etc/httpd here) unless they are absolute.
awk '{ print $3 }' /root/apache_modules.log | while read -r module; do
    case "$module" in /*) path="$module" ;; *) path="/etc/httpd/$module" ;; esac
    strings "$path" 2>/dev/null | grep -E 'dlEngine|module switcher|INJECT_DO|xor_decrypt_string'
done > /root/apache_result.pid
apache_result=$(stat -c %s "/root/apache_result.pid")

if [ "$apache_result" -gt 10 ]; then
   echo "INFECTED!"
else
   echo "CLEAN!"
fi
I could make the script cleaner, but it works. :)
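The same marker check as a reusable function, added here as an example and not part of stdout's script: it scans a directory of module binaries for the four strings named in the post, reports which file carried which marker, and signals a hit through its exit status instead of the output-file size. It is exercised on constructed fake modules in a temporary directory, not on a live Apache tree; only POSIX sh plus grep, mktemp and printf are assumed.

```shell
#!/bin/sh
# Added example (not the post's script): report Darkleech marker strings
# found in shared objects under a directory. Marker list is from the post.
MARKERS='dlEngine|module switcher|INJECT_DO|xor_decrypt_string'

# scan_modules DIR -> prints "file<TAB>marker" per hit; returns 1 if any hit.
scan_modules() {
    dir="$1"; rc=0
    for so in "$dir"/*.so; do
        [ -f "$so" ] || continue
        # grep -a searches the binary as text, -o prints only the matched
        # marker, so a module carrying several markers reports each once.
        hits=$(grep -aoE "$MARKERS" "$so" 2>/dev/null | sort -u)
        if [ -n "$hits" ]; then
            printf '%s\n' "$hits" | while IFS= read -r hit; do
                printf '%s\t%s\n' "$so" "$hit"
            done
            rc=1
        fi
    done
    return $rc
}

# make_sample -> creates two constructed fake "modules", one carrying markers,
# and prints the directory. These are not real Apache modules.
make_sample() {
    dir=$(mktemp -d)
    printf 'mod_ssl\0ssl_engine_init\0' > "$dir/mod_ssl.so"
    printf 'mod_rewrite\0xor_decrypt_string\0INJECT_DO\0' > "$dir/mod_rewrite.so"
    echo "$dir"
}

sample=$(make_sample)
if scan_modules "$sample"; then echo "CLEAN!"; else echo "INFECTED!"; fi
rm -rf "$sample"
```

Point scan_modules at the real modules directory (the ServerRoot-relative path from the LoadModule lines) to use it on a server; a non-zero return means at least one module carried a marker.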