server hacked, couple of questions

So I have a server that appears to be compromised. Randomly users visiting any of the sites on the server get redirected to an adult website. Now, I've manually looked through many of the files, and run them through ConfigServer Exploit Scanner, and they are all clean.

Here are things I've done:

1. I've gone through and looked for footprints of the darkleech backdoor according to many different sites that gave info on how to detect. None were found.
2. I've run a couple detectors that look for the CDorked exploit, and they all came back clean.
3. I ran maldetect on the entire system, and it came back clean.
4. I've changed all root and ftp passwords
5. I updated the kernal
6. I ran easyapache

I know the server has to be compromised because these redirects are still happening. Are their any other exploits anyone knows about that maybe I could look for?

I read that the CDorked exploit replaces the http binary. How could I make sure that binary isn't corrupted? If I were to move that binary from another server would that work, or would it crash apache?

 

Yea, I went through all the files manually, but none were infected. .htaccess was clean, etc. It has all the symptoms of the darkleech or CDorked, but I can't find a trace of anything. I looked through all the loaded apache modules, and they all seem legit, but that doesn't mean one wasn't replaced. We are going to move everything to a clean server...i think that is the only true way to know we are clean. I was just curious if anyone had any other ideas of what to check. I would have really liked to verify for sure the server was compromised.

 

I agree, and that's what we did. I just really wanted to find this darn thing, for two reasons: 1. to see what they were doing for my own personal knowldege, and 2. to be sure we didn't take it with us for any reason.

Instead of using the cpanel to cpanel transfer (because I have no idea what they may have changed), I did a manual transfer of all the sites on the server.

So far after the move we haven't had any more issues. So I'm 99.999% sure it was a root level hack, but I just can't find it anywhere. So I'm thinking it must be yet another variation of the darkleech/cDorked exploit, because I couldn't find any footprints of them, yet it had all the symptoms of those.

 

Thanks for the information. Yea, I've seen all kinds of attacks over the years. Tons of joomla, wordpress, phpbb attacks (thank goodness for mod_security and CXS exploit scanner now days...helps a ton) This particular customer's website is all custom-programmed by me, so I know every file pretty intimately. I manually went through them and didn't find anything out of place.

I've checked every .htaccess file throughout his site(s), but all appear to be clean as well.

With the darkleech exploit they were saying that they will often either overwrite an apache module, or load a fictitious one that redirects traffic....but only traffic that meets certain rules, such as 1. It has to come from a search engine. 2. They search the server logs and don't serve it to anyone that has logged into cpanel, ssh, etc. as they figure you are a server admin and 3. They cookie you so they don't serve their content (virus or redirect to adult site) to you twice.

With the cDorked exploit they did all the same above, but instead of replacing an actual apache module, apparently took it a step further and actually replace your httpd binary.

Both of those are apparently very hard to trace, but do leave some footprints. But now I'm thinking this may be a new one, because I didn't find any of those.

On that side note, most of the time it was going to a "friendfinder" adult site. But some of the times it would try to deliver a virus/trojan payload called darkHorse or something like that, then redirect to the adult site.

They were super sneaky about it, and again, with those above requirements, they were only redirecting about 25-30% of the traffic coming into the site....so not everyone was redirected.