
Strange Virus On cPanel server

Discussion in 'Security' started by MurdochNZ, Jan 13, 2008.

  1. MurdochNZ

    MurdochNZ Member

    My business runs a cPanel server, and we had a most odd problem this weekend. When you visited a particular site, a file would end up in Firefox's cache that AVG said was a "Virus Identified Exploit" but would not name the virus. I scanned the site files, a copy of the site made by WinHTTrack (it's powered by a CM) and found nothing. However, the boss did the same download and found a uleso.js, Google returns no results for this, and alas AVG deleted it. This is consistent with what I saw - sometimes the site would infect me, sometimes not. My downloaded copy lacked this file, his did not. Even more strange, he did a search for this file name on the downloaded site code and could not find a reference to it.

    The site now seems clean. I'm really bewildered by the whole thing. Has anyone here encountered something like this before?
     
  2. idealso

    idealso Active Member

    Does the site use ads from an adserver, or any other included external content?
     
  3. MurdochNZ

    MurdochNZ Member

    No, not at all. Everything is on the server.
     
  4. MurdochNZ

    MurdochNZ Member

    Update: I caught it in the act....

    <body leftmargin="0" topmargin="0"><script language='JavaScript' type='text/javascript' src='pfatc.js'></script>

    That JS line is not part of the original file. Alas the JS didn't end up in my cache because it stalled in Firefox. The file was gone by the time I checked the FTP, and the reference itself is gone now too. Other sites on our server are affected.
     
  5. cooldude7273

    cooldude7273 Well-Known Member

    Run

    Code:
    clamscan -ri

    ClamAV will scan your entire server and display all infections, consider running rkhunter too.
     
  6. MurdochNZ

    MurdochNZ Member

    We don't have those installed. I'll see what I can do about getting them set up.

    I have managed to isolate the script. It's full of escaped code that it unescapes then outputs with document.write. I'm trying to rewrite it to output those escaped parts as normal but my AV gets in the way, might try doing it in PHP.
     
  7. n1zyy

    n1zyy Member

    This sounds exactly like something being discussed over on WebHostingTalk: http://www.webhostingtalk.com/showthread.php?t=651748

    It's the same MO there -- five-character .js names being randomly inserted.

    Not a ton seems to be known yet, but you're far from the first one to notice it.

    Edit: The folks over on WHT are saying that RKHunter doesn't pick this up.
     
    #7 n1zyy, Jan 14, 2008
    Last edited: Jan 14, 2008
  8. n1zyy

    n1zyy Member

    I wrote a little PHP script to do it. First, a warning: don't view the output in your web browser! :D

    When you view the output, it seems that there's still an encoded string inside. It looks like it's encoded differently, too. (Unicode?)

    The following works:

    grep unescape nmtpm.js >> escape.txt

    (Substituting nmtpm.js for the name of whatever your JS file is.) This extracts just the unescape(... lines.

    Then, parse the file with PHP like so:

    <?php
    // Decode the %XX-escaped payload collected by the grep above (n1zyy's path).
    $FILE = '/home/n1zyy/escape.txt';
    $contents = file_get_contents($FILE);
    if ($contents === false) {
        die("Cannot read $FILE\n");
    }

    // Everything before the first '%' is the unescape(' wrapper, not payload, so skip it.
    $array = explode('%', $contents);
    echo "<pre>";
    for ($i = 1; $i < count($array); $i++) {
        $seg = $array[$i];
        if ($seg !== '' && $seg[0] === 'u') {
            $hex = substr($seg, 1, 4);   // %uXXXX form (the "Unicode" encoding noted above)
        } else {
            $hex = substr($seg, 0, 2);   // plain %XX form
        }
        // Characters after the hex digits (e.g. ') or a newline) are source text, not payload.
        if (ctype_xdigit($hex)) {
            echo chr(hexdec($hex));
        }
    }
    echo "</pre>";
    ?>

    Again, don't view the output in your web browser! It's incomplete, so I didn't seem to have any problems, but don't risk it. :) I recommend using wget to retrieve the PHP output, and then viewing it in vi or less or such. (If you do view it in a web browser, the page will be blank: it includes the JavaScript tags, so you have to view the source.)
     
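As an added example (not n1zyy's script and not part of the original thread), the same decoding done in Python without ever evaluating the JavaScript: it pulls every `unescape('...')` argument out of a file, decodes both the `%XX` and the `%uXXXX` forms, and keeps decoding while the result still contains another `unescape()` layer. The sample input is constructed here to resemble the loader described in the thread.

```python
import re
import sys

# unescape('...') call with a single-quoted argument, as seen in the injected .js
UNESCAPE_RE = re.compile(r"unescape\(\s*'([^']*)'\s*\)")
# JavaScript unescape() accepts %XX (one byte) and %uXXXX (one UTF-16 code unit)
TOKEN_RE = re.compile(r"%u([0-9A-Fa-f]{4})|%([0-9A-Fa-f]{2})")


def js_unescape(text):
    """Decode a string the way JavaScript's unescape() would, without running JS."""
    return TOKEN_RE.sub(lambda m: chr(int(m.group(1) or m.group(2), 16)), text)


def decode_layers(js, max_depth=10):
    """Return the decoded content of each nested unescape() layer, outermost first."""
    layers = []
    current = js
    for _ in range(max_depth):
        args = UNESCAPE_RE.findall(current)
        if not args:
            break
        current = "".join(js_unescape(a) for a in args)
        layers.append(current)
    return layers


# Constructed sample: an inner script that itself uses the %uXXXX form ("hi"),
# wrapped in an outer document.write(unescape('%XX...')) loader.
SAMPLE_INNER = "<script>document.write(unescape('%u0068%u0069'))</script>"
SAMPLE_JS = "document.write(unescape('" + "".join(
    "%%%02X" % ord(c) for c in SAMPLE_INNER) + "'))"

if __name__ == "__main__":
    source = open(sys.argv[1], encoding="latin-1").read() if len(sys.argv) > 1 else SAMPLE_JS
    # Write to a plain text file; do not open the decoded output in a browser.
    with open("decoded_layers.txt", "w", encoding="utf-8") as out:
        for depth, layer in enumerate(decode_layers(source), 1):
            out.write(f"--- layer {depth} ---\n{layer}\n")
    print("wrote decoded_layers.txt")
```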
  9. ramprage

    ramprage Well-Known Member

    Not to dismay your script and effort but I believe this javascript injection is in real time through server memory. Therefore no actual pages that reside on the server are modified, just as your browser loads them up.

    At least this is what I've seen for the vast majority of exploits like this, 1/5 actually modify the pages on the server. The others just modify the memory output. So you won't ever see .js if you view the source of the page from the server's shell console.
     
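Because the injection described above happens to the served output rather than to files on disk, the practical check is to diff the two. The following is an added example (not from any poster in this thread): it lists `<script src=...>` references present in the page as fetched over HTTP but absent from the same file read from disk, and flags the five-character `.js` names mentioned earlier. The sample pages are constructed; `pfatc.js` is the name quoted in post #4.

```python
import re
import sys
import urllib.request
from html.parser import HTMLParser


class ScriptCollector(HTMLParser):
    """Collect the src attribute of every <script> tag in a document."""
    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            for name, value in attrs:
                if name.lower() == "src" and value:
                    self.srcs.append(value.strip())


def script_srcs(html):
    p = ScriptCollector()
    p.feed(html)
    return p.srcs


def injected_scripts(disk_html, served_html):
    """Script srcs in the served copy that the on-disk copy does not reference."""
    on_disk = set(script_srcs(disk_html))
    return sorted({s for s in script_srcs(served_html) if s not in on_disk})


FIVE_LETTER_JS = re.compile(r"^[a-z]{5}\.js$")


def looks_like_dropper(src):
    """Matches the randomly named five-character .js files reported in the thread."""
    return bool(FIVE_LETTER_JS.match(src))


# Constructed samples: the page as stored on disk, and as served over port 80.
DISK_HTML = "<html><head><script src='site.js'></script></head><body>hi</body></html>"
SERVED_HTML = ("<html><head><script src='site.js'></script></head>"
               "<body leftmargin=\"0\" topmargin=\"0\"><script language='JavaScript' "
               "type='text/javascript' src='pfatc.js'></script>hi</body></html>")

if __name__ == "__main__":
    if len(sys.argv) == 3:  # usage: compare.py http://host/page.html /home/user/public_html/page.html
        served = urllib.request.urlopen(sys.argv[1], timeout=10).read().decode("utf-8", "replace")
        disk = open(sys.argv[2], encoding="utf-8", errors="replace").read()
    else:
        served, disk = SERVED_HTML, DISK_HTML
    for src in injected_scripts(disk, served):
        print(f"served but not on disk: {src}" + (" [five-letter .js]" if looks_like_dropper(src) else ""))
```

Fetch from a machine outside the server, and repeat the fetch several times: the thread reports the script being served to random visitors, so a single clean response proves little.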
  10. pjman

    pjman Well-Known Member

    Question for ramprage...

    How are they getting onto the memory? Any idea what is the main avenue they are using for the exploit? I'm reading all over that everyone is scratching their head on this one, but it's only hitting Microsoft servers, not Linux. Any ideas?
     
  11. ramprage

    ramprage Well-Known Member

    It's on Linux. I just looked at a cPanel server today with latest kernel that was infected. One way to tell if you have it is to login as root shell

    mkdir 123

    If you can't make directories with numeric values then you've been compromised. The box I looked at was CentOS 4.

    That's about all that's known about it right now. Also that it's changing the port 80 output and doing injections in real time. From what others think it's not an Apache addon. Seems like some kind of 0 day kernel exploit they're using to spread crap on websites to infect Windows PCs.
     
  12. ToddShipway

    ToddShipway Well-Known Member

    This issue is indeed due to a compromise. The compromise is at the root level and a rootkit has been installed. This rootkit will attach to several syscalls within the kernel and begin serving malicious javascript to random web visitors.

    This root compromise is not related to cPanel directly, as it has been reported on many different control panels on many different servers. The compromise is at the system level, and only Redhat 4, CentOS 4, and FC6 appear to be vulnerable at this time. We are actively researching this issue and will have an in-depth analysis of current information posted soon.

    The easiest way to confirm the compromise is to attempt to make a directory with a numerical name. Run 'mkdir 1' or 'touch 2'. If this fails with an error similar to the errors below, then it's recommended to contact your datacenter, NOC or a qualified admin who can recover the system properly.

    Code:
    [root@cpanel ~]# mkdir 1
    mkdir: cannot create directory `1': No such file or directory
    
    [root@cpanel ~]# touch 2
    touch: cannot touch `2': No such file or directory
    
     
    #12 ToddShipway, Jan 15, 2008
    Last edited: Jan 15, 2008
  13. ToddShipway

    ToddShipway Well-Known Member

  14. pjman

    pjman Well-Known Member

    CPanel A 1000 Thanks.

    I'm seeing so much info on the web about this kind of compromise, it's got me freaked. I'll follow that thread daily.
     
  15. Scott.Mc

    Scott.Mc Member

    As I mentioned on IRC the explanation is somewhat wrong on the cleanup because the original binary is not always there and you have no way to determine what is the original binary.

    The creating directories/filenames with numbers issue is not a reliable way to determine, as this only works in newer variants. Another symptom is it preventing kernel-related tools from being compiled (that includes mod-init-tools); it will invoke a panic when you attempt to compile any such tools.

    The most reliable way to determine is to check your sys_call_table; for the stock kernels you will need kernel-debuginfo.

    Another is to check your outgoing packets,

    For older versions of tcpdump (Such as the ones provided with RHEL3/centOS3)

    The grsecurity fix people are mentioning does not remove this, it simply stops it from writing to /dev/mem (or /dev/kmem depending on what is available) however the second you boot out of this kernel you are likely to be vulnerable again.

    The rootkit itself is rather simple in terms of how it actually functions, it uses common binaries as listed in the article (there's another binary not listed from the older variants of this [that don't prevent the numbers at the start of file names/directories]). Replacing those binaries in the manner suggested is not the safest option and there is not always a copy, you should replace these from the binaries from your distribution. In the particular case it's actually rather easy to do, simply remove the attributes from the files, remove the files themselves (not needed, but do it anyway) and then reinstall the RPMs (as this is always on an RPM based distribution); there are only 3 RPMs that need to be reinstalled.

    Lastly, if you are not comfortable working with the kernel/debuggers then HIRE A QUALIFIED ADMINISTRATOR; there's plenty of them out there.
     
  16. sparek-3

    sparek-3 Well-Known Member

    Is there any way to know if the rootkit has been installed without rebooting a server? The way I understand the numerical mkdir test will only work if the rootkit is up and running (i.e. after you have rebooted a system that has the rootkit installed) or is my thinking wrong?

    In other words, if your server has been compromised, but you have not rebooted your server in several weeks, is there a way to detect the rootkit?

    Apologies if this has been stated somewhere, I've read through a lot of posts and articles and did not see where there were any answers to this question, but I may have overlooked it.
     
  17. Scott.Mc

    Scott.Mc Member

    Yes, see my last post: for the first method you would need a qualified system administrator, and I would strongly advise that you check that the administrators are actually capable of such tasks.

    The second option is to sniff the packets, also highlighted in my second post.
     
  18. MurdochNZ

    MurdochNZ Member

    Thanks for the update Todd. I can confirm CentOS 5 is also affected by this exploit.
     
  19. ToddShipway

    ToddShipway Well-Known Member

    Would it be possible to submit a ticket with information on a CentOS 5 box that has been exploited in this way? I'd like to login if possible and look around the system if it's still online in the infected state.
     
  20. MurdochNZ

    MurdochNZ Member

    Todd, I am afraid the server has been pulled by our data centre and will be reinstalled sometime today.
     