Dark Leech - check script

Discussion in 'General Discussion' started by stdout, Jul 1, 2013.

  1. stdout

    stdout Well-Known Member

    Getting reports of redirections to malicious/3rd-party websites?
    Mailing IP landing up on tons of RBLs? Yup. It's possible... Dark Leech

    I was surprised by my findings. The infection runs quietly. Don't bother tracking by file modification dates -- it doesn't help.

    I encourage everyone to run this if they have root to a shared server.
    The script checks if your Apache installation is infected.

    Code:
    #!/bin/bash
    # Collect every uncommented LoadModule line from httpd.conf and from the files it Includes.
    grep LoadModule /etc/httpd/conf/httpd.conf | grep -v '#' > /root/apache_modules.log
    grep "Include " /etc/httpd/conf/httpd.conf | grep -v '#' | cut -d'"' -f2 | xargs grep LoadModule 2>/dev/null | cut -d: -f2 >> /root/apache_modules.log
    # Field 3 is the module path relative to /etc/httpd: dump its printable strings and keep
    # any line that carries one of the Darkleech markers.
    awk '{ system("strings /etc/httpd/" $3 " | grep -E \"dlEngine|module switcher|INJECT_DO|xor_decrypt_string\"") }' /root/apache_modules.log > /root/apache_result.pid
    # More than a few bytes of matching output means a loaded module contained a marker.
    apache_result=$(stat -c %s "/root/apache_result.pid")
    
    if [ "$apache_result" -gt 10 ]; then
       echo "INFECTED!"
    else
       echo "CLEAN!"
    fi
    I could make the script cleaner, but it works. :)
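    As an added example (not the script posted in this thread), here is a Python re-implementation of the same check that goes a little further than the bash version: it follows Include directives (globs and directories included), resolves module paths against the ServerRoot you pass in, extracts the printable strings from each module itself instead of shelling out to strings(1), and reports which module matched which marker, plus any module it could not read, rather than deciding from the byte size of a grep output. The marker strings are the four from the script above. The httpd.conf layout and the fake .so files it writes to a temporary directory are constructed for the demo and contain no real module code.

```python
"""Apache module scan for Darkleech-style markers (added example, not the thread's script)."""
import glob
import os
import re
import shlex
import tempfile

# The same marker strings the forum script greps for in each module's `strings` output.
INDICATORS = (b"dlEngine", b"module switcher", b"INJECT_DO", b"xor_decrypt_string")
# Runs of four or more printable bytes, which is what strings(1) prints by default.
PRINTABLE = re.compile(rb"[\x20-\x7e]{4,}")


def load_modules(conf_path, server_root, seen=None):
    """Return the module files named by LoadModule in conf_path and in any file it
    Includes (recursively; globs and directories allowed). Comment lines are skipped and
    relative paths resolve against server_root, like Apache's ServerRoot."""
    seen = set() if seen is None else seen
    conf_path = os.path.abspath(conf_path)
    if conf_path in seen:
        return []
    seen.add(conf_path)
    modules = []
    if os.path.isdir(conf_path):  # "Include conf.d" style: every file in the directory
        for name in sorted(os.listdir(conf_path)):
            modules.extend(load_modules(os.path.join(conf_path, name), server_root, seen))
        return modules
    if not os.path.isfile(conf_path):
        return modules
    with open(conf_path, encoding="utf-8", errors="replace") as fh:
        for line in fh:
            line = line.strip()
            if not line or line.startswith("#"):
                continue
            try:
                parts = shlex.split(line)
            except ValueError:  # unbalanced quotes: not a directive we can use
                continue
            if not parts:
                continue
            directive = parts[0].lower()
            if directive == "loadmodule" and len(parts) >= 3:
                modules.append(os.path.join(server_root, parts[2]))
            elif directive in ("include", "includeoptional") and len(parts) >= 2:
                for included in sorted(glob.glob(os.path.join(server_root, parts[1]))):
                    modules.extend(load_modules(included, server_root, seen))
    return modules


def scan_module(path):
    """Return the sorted marker strings found among the module's printable strings."""
    with open(path, "rb") as fh:
        data = fh.read()
    found = {m.decode() for run in PRINTABLE.findall(data) for m in INDICATORS if m in run}
    return sorted(found)


def check_apache(conf_path, server_root):
    """Scan every module Apache would load. Returns (infected, modules, unscanned):
    module -> markers for modules with hits, the full module list, and unreadable files."""
    modules = load_modules(conf_path, server_root)
    infected, unscanned = {}, []
    for module in modules:
        if not os.path.isfile(module):
            unscanned.append(module)  # missing module: worth a look, but not a marker hit
            continue
        hits = scan_module(module)
        if hits:
            infected[module] = hits
    return infected, modules, unscanned


def build_sample(root):
    """Constructed sample layout (not real malware): an httpd.conf with a direct, a
    commented-out and an Include'd LoadModule, plus fake .so files; one carries two markers."""
    os.makedirs(os.path.join(root, "conf"))
    os.makedirs(os.path.join(root, "conf.d"))
    os.makedirs(os.path.join(root, "modules"))
    with open(os.path.join(root, "conf", "httpd.conf"), "w") as fh:
        fh.write('ServerRoot "%s"\n' % root)
        fh.write("LoadModule ok_module modules/mod_ok.so\n")
        fh.write("# LoadModule old_module modules/mod_old.so\n")
        fh.write('Include "conf.d/*.conf"\n')
        fh.write("LoadModule missing_module modules/mod_missing.so\n")
    with open(os.path.join(root, "conf.d", "extra.conf"), "w") as fh:
        fh.write("LoadModule evil_module modules/mod_evil.so\n")
    with open(os.path.join(root, "modules", "mod_ok.so"), "wb") as fh:
        fh.write(b"\x7fELF\x02\x01\x01" + b"\x00" * 16 + b"mod_ok.c\x00apache_module\x00")
    with open(os.path.join(root, "modules", "mod_evil.so"), "wb") as fh:
        fh.write(b"\x7fELF\x02\x01\x01" + b"\x00" * 16 + b"xor_decrypt_string\x00\x01\x02dlEngine\x00")


def demo():
    """Build the constructed sample in a temp dir, scan it and return check_apache's result."""
    root = tempfile.mkdtemp(prefix="httpd-sample-")
    build_sample(root)
    return check_apache(os.path.join(root, "conf", "httpd.conf"), root)


if __name__ == "__main__":
    infected, modules, unscanned = demo()
    for module in modules:
        state = "INFECTED " + ",".join(infected[module]) if module in infected else "clean"
        print(f"{module}: {'not found' if module in unscanned else state}")
```

    On a real server call check_apache("/etc/httpd/conf/httpd.conf", "/etc/httpd") as root; a module reported with markers is the file to preserve for analysis, and a module listed as unscanned is one Apache is told to load but that is not on disk, which is also worth explaining.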
     
  2. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    Downloaded script added to your post. Please don't link to an outside source like that.
     
  3. stdout

    stdout Well-Known Member

    Infection goes by the name of Blackhole as well, FYI.
     
