server hacked, couple of questions

[noimad1]

So I have a server that appears to be compromised. Randomly users visiting any of the sites on the server get redirected to an adult website. Now, I've manually looked through many of the files, and run them through ConfigServer Exploit Scanner, and they are all clean.

Here are things I've done:

1. I've gone through and looked for footprints of the darkleech backdoor according to many different sites that gave info on how to detect. None were found.
2. I've run a couple detectors that look for the CDorked exploit, and they all came back clean.
3. I ran maldetect on the entire system, and it came back clean.
4. I've changed all root and ftp passwords
5. I updated the kernal
6. I ran easyapache

I know the server has to be compromised because these redirects are still happening. Are their any other exploits anyone knows about that maybe I could look for?

I read that the CDorked exploit replaces the http binary. How could I make sure that binary isn't corrupted? If I were to move that binary from another server would that work, or would it crash apache?

 

[Sreejit]

If you rebuilt the Apache then I don't think the http binary is corrupt. The issue may be with either the apache configuration files, .htaccess in public_html folder or the code in index files which which is making the redirection. No scanner is 100% perfect, You will have to check it manually.

Also once hacked there is always a possibility that some backdoor files may have remained even when you clean the server.

 

[noimad1]

Yea, I went through all the files manually, but none were infected. .htaccess was clean, etc. It has all the symptoms of the darkleech or CDorked, but I can't find a trace of anything. I looked through all the loaded apache modules, and they all seem legit, but that doesn't mean one wasn't replaced. We are going to move everything to a clean server...i think that is the only true way to know we are clean. I was just curious if anyone had any other ideas of what to check. I would have really liked to verify for sure the server was compromised.

 

[cPanelMichael]

Hello

You mentioned checking the .htaccess file. Did you check for .htaccess files above the public_html directory or within sub-directories for entries that might be redirecting the websites?

Thank you.

 

[tank]

I think a clean server is the best option. Better to "know" everything is secure.

 

[noimad1]

I think a clean server is the best option. Better to "know" everything is secure.

I agree, and that's what we did. I just really wanted to find this darn thing, for two reasons: 1. to see what they were doing for my own personal knowldege, and 2. to be sure we didn't take it with us for any reason.

Instead of using the cpanel to cpanel transfer (because I have no idea what they may have changed), I did a manual transfer of all the sites on the server.

So far after the move we haven't had any more issues. So I'm 99.999% sure it was a root level hack, but I just can't find it anywhere. So I'm thinking it must be yet another variation of the darkleech/cDorked exploit, because I couldn't find any footprints of them, yet it had all the symptoms of those.

 

[vanessa]

There are a few ways the redirects could have happened. If your sites have a single application in common (ie Joomla, every hacker's favorite), something could have been injected into the code or database to alter the site's headers. If you open up your browser's console and load one of the sites, there's a remote possibility you might find something interested, too.

I've also seen situations where a proxy was installed over the web server to redirect traffic. As mentioned also, you should also check for .htaccess files above the document roots as well. I've occasionally seen includes added to httpd.conf (there are some folders that Apache will load any .conf file from) to force redirects.

Either way, you did the right thing by moving to a new server. Once a box is rooted, even if you think you know what the hacker did, you can't trust it. If the problem didn't recur when you moved the sites to the new server, it's likely you didn't take it with you.

On a side note, were they are least being redirected to a good porn site?

 

[noimad1]

There are a few ways the redirects could have happened. If your sites have a single application in common (ie Joomla, every hacker's favorite), something could have been injected into the code or database to alter the site's headers. If you open up your browser's console and load one of the sites, there's a remote possibility you might find something interested, too.

I've also seen situations where a proxy was installed over the web server to redirect traffic. As mentioned also, you should also check for .htaccess files above the document roots as well. I've occasionally seen includes added to httpd.conf (there are some folders that Apache will load any .conf file from) to force redirects.

Either way, you did the right thing by moving to a new server. Once a box is rooted, even if you think you know what the hacker did, you can't trust it. If the problem didn't recur when you moved the sites to the new server, it's likely you didn't take it with you.

On a side note, were they are least being redirected to a good porn site?

Thanks for the information. Yea, I've seen all kinds of attacks over the years. Tons of joomla, wordpress, phpbb attacks (thank goodness for mod_security and CXS exploit scanner now days...helps a ton) This particular customer's website is all custom-programmed by me, so I know every file pretty intimately. I manually went through them and didn't find anything out of place.

I've checked every .htaccess file throughout his site(s), but all appear to be clean as well.

With the darkleech exploit they were saying that they will often either overwrite an apache module, or load a fictitious one that redirects traffic....but only traffic that meets certain rules, such as 1. It has to come from a search engine. 2. They search the server logs and don't serve it to anyone that has logged into cpanel, ssh, etc. as they figure you are a server admin and 3. They cookie you so they don't serve their content (virus or redirect to adult site) to you twice.

With the cDorked exploit they did all the same above, but instead of replacing an actual apache module, apparently took it a step further and actually replace your httpd binary.

Both of those are apparently very hard to trace, but do leave some footprints. But now I'm thinking this may be a new one, because I didn't find any of those.

On that side note, most of the time it was going to a "friendfinder" adult site. But some of the times it would try to deliver a virus/trojan payload called darkHorse or something like that, then redirect to the adult site.

They were super sneaky about it, and again, with those above requirements, they were only redirecting about 25-30% of the traffic coming into the site....so not everyone was redirected.

 

[hrr1963]

Infected workstation?

 

[psrsathish]

Please follow the below steps to clean the website and to find the root cause.

1. Check all the webfiles under public_html inorder to find If there is any iframe,js script is injected. Please check all the webfiles in sub directories too.

2. Check the .htaccess files under public_html and in all other sub directories.

3. Check If there is any .htacces file resides in front of "public_html" folder. For ex under "/home/user/". If found please remove it.

4. Scan the site thruogh Sucuri SiteCheck - Free Website Malware Scanner If your site is injected with malware then this will scan and provide the result of the infected file.

5. If it is a CMS site then please check if there is any DB injection attack was hapeened. Please follow the below steps to find If the DB was injected with any malware.

(a) Goto cd /var/lib/mysql/

(b) mysqldump -u root -p DBNAME > DBNAME.sql

(c) Once the dump is created the open this DB dump by using VI editor and then search with the websitename that was redirect when navigating the original website.

(d) If you found that website name during search then this is due to mysql injection attack. so follow the below mentioned steps to remove this injected malware.

(e) If you expert in mysql queries then you can find the exact field where this code was injected. If not open this DB through phpmyadmin and search with the website name(Website name means the one that was redirectd and displayed while accessing the original site) and If you found then remove it.

6. If the above steps didn't help then open httpd.conf and check the document root entries for the site inorder to find any suspicious entry. Checked all the entries in the httpd.conf file, Also check the global document root path too.