httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Juan Soprano" <topgunpi...@hotmail.com>
Subject [users@httpd] Apache - HTTP Reply - Javascript Virus
Date Mon, 28 Sep 2009 14:34:05 GMT
I currently have a production server setup with a large quantity of domains
being hosted. During the past week, the server has been attacked by a virus
and I have had zero luck tracking it down.

Here are the symptoms:
1) Attacks all domains randomly
2) Occurs on random page loads
3) The virus comes and goes, but has always returned (on the first HTTP
request to any of the domains the reply is the javascript code, on the
second request from the same browser gets the correct HTTP reply from the
website)
4) When a page is requested, regardless of domain and page, the requested
page is not sent but an html page with infected javascript (the page is
designed to redirect the user to some third party site to purchase virus
protection). Below is the html page that is sent.
5) Restarting the HTTPD service fixes the issue temporarily.

My server setup is the following:
Centos 5.3
Apache 2.2.3
PHP 5.1.6
MySQL 5.0.77

I have scanned and rescanned the server and nothing has come up. At this
point my best guess is that someone is able to execute remote code which
intercepts the page requests. 

How can I track down what the entry point is? Can anyone offer any advanced
suggestions where to start? 

Thanks!!

Best wishes,

Juan

INFECTED HTML PAGE:
<html><head><script type="text/javascript" language="javascript"> var
nxdxwfc=new Date( ); nxdxwfc.setTime(nxdxwfc.getTime(
)+014*074*074*01750);
document.cookie="\x6e\x5f\x73e\x73\x73\x5f\x69\x64
\x3d5d\x392\x32\x6181\x64\x62\x36\x38\x66\x665\x31
\x64\x65b\x31\x6225\x6554d\x620\x325\x65"+"\x3b\x2 0pat\x68\075\x2f;
\x65xpir\x65s="+nxdxwfc.toGMTString( ); </script>
</head><body></body></html>


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Mime
View raw message