From: "Juan Soprano"
To: users@httpd.apache.org
Date: Mon, 28 Sep 2009 11:34:05 -0300
Subject: [users@httpd] Apache - HTTP Reply - Javascript Virus

I currently have a production server set up with a large quantity of domains being hosted. During the past week, the server has been attacked by a virus and I have had zero luck tracking it down. Here are the symptoms:

1) Attacks all domains randomly
2) Occurs on random page loads
3) The virus comes and goes, but has always returned (on the first HTTP request to any of the domains the reply is the javascript code; on the second request from the same browser, the correct HTTP reply from the website is returned)
4) When a page is requested, regardless of domain and page, the requested page is not sent but an HTML page with infected javascript (the page is designed to redirect the user to some third-party site to purchase virus protection). Below is the HTML page that is sent.
5) Restarting the HTTPD service fixes the issue temporarily.

My server setup is the following:

CentOS 5.3
Apache 2.2.3
PHP 5.1.6
MySQL 5.0.77

I have scanned and rescanned the server and nothing has come up. At this point my best guess is that someone is able to execute remote code which intercepts the page requests. How can I track down what the entry point is? Can anyone offer any advanced suggestions where to start?

Thanks!!

Best wishes,
Juan

INFECTED HTML PAGE:
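The symptom Juan describes is differential: a fresh request to any hosted domain gets a substituted HTML/JavaScript document, the next request from the same client gets the real page. One way to triage that from outside the box, as an added example that is not part of the original post nor of Apache's own tooling, is to probe every hosted domain twice on brand-new connections with no cookies and report the domains whose first reply carries a script block the second reply does not. The domain names and the two sample page bodies below are constructed placeholders; the post does not reproduce the real injected page.

```python
"""Differential probe for 'first reply hijacked, second reply clean'.

Added example, not code from the original post or the Apache project.
Assumptions (constructed for illustration): the hosted domains answer
plain HTTP on port 80, and the injected document carries at least one
<script> block that the genuine page does not.
"""
import http.client
import re
from dataclasses import dataclass, field
from typing import List, Tuple

SCRIPT_BLOCK_RE = re.compile(r"<script\b[^>]*>.*?</script>", re.IGNORECASE | re.DOTALL)
WS_RE = re.compile(r"\s+")


def _normalize(text: str) -> str:
    """Strip all whitespace so cosmetic differences do not count as foreign."""
    return WS_RE.sub("", text)


def foreign_scripts(first_body: str, second_body: str) -> List[str]:
    """Return <script> blocks present in the first reply but absent from the second.

    The genuine page may legitimately ship scripts, so a block only counts
    as foreign when the clean (second) reply does not contain the same block.
    """
    known = {_normalize(s) for s in SCRIPT_BLOCK_RE.findall(second_body)}
    return [s for s in SCRIPT_BLOCK_RE.findall(first_body)
            if _normalize(s) not in known]


@dataclass
class ProbeResult:
    domain: str
    first_status: int
    second_status: int
    foreign: List[str] = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        # The reported pattern: the first reply carries script that the
        # second (correct) reply lacks.
        return bool(self.foreign)


def classify(domain: str, first: Tuple[int, str], second: Tuple[int, str]) -> ProbeResult:
    """Compare two consecutive replies for one domain (pure function, testable offline)."""
    return ProbeResult(domain, first[0], second[0], foreign_scripts(first[1], second[1]))


def fetch_once(host: str, path: str = "/", timeout: float = 10.0) -> Tuple[int, str]:
    """One GET on a fresh TCP connection, no cookies, explicit Host header.

    A new connection per request means any 'second request is clean'
    behaviour has to come from state the server keeps about the client
    (source address or similar), not from a browser session.
    """
    conn = http.client.HTTPConnection(host, 80, timeout=timeout)
    try:
        conn.request("GET", path, headers={"Host": host, "User-Agent": "hijack-probe/1.0"})
        resp = conn.getresponse()
        return resp.status, resp.read().decode("utf-8", "replace")
    finally:
        conn.close()


def probe(host: str, path: str = "/") -> ProbeResult:
    """Two back-to-back requests to one domain, then compare."""
    return classify(host, fetch_once(host, path), fetch_once(host, path))


def probe_all(domains: List[str]) -> List[ProbeResult]:
    """Probe every hosted domain and return only the suspicious results."""
    return [r for r in (probe(d) for d in domains) if r.suspicious]


# Constructed sample bodies: the genuine site ships one legitimate script,
# the hijacked reply is a different document whose only script redirects.
GENUINE_PAGE = (
    '<html><head><title>Site</title>'
    '<script src="/js/app.js"></script></head>'
    '<body>Welcome</body></html>'
)
HIJACKED_PAGE = (
    '<html><head><script type="text/javascript">'
    "window.location = 'http://redirect-target.invalid/';"
    '</script></head><body></body></html>'
)

if __name__ == "__main__":
    demo = classify("www.example.com", (200, HIJACKED_PAGE), (200, GENUINE_PAGE))
    print(demo.domain, "suspicious" if demo.suspicious else "clean", demo.foreign)
    # Live use against the hosted domains (assumed names):
    # for r in probe_all(["www.example.com", "www.example.net"]): print(r)
```

If the probe reproduces the symptom from a client that never sends cookies, the "second request is clean" state is held on the server side, which together with "restarting httpd clears it" points at the running httpd process rather than at any one site's files. On CentOS the next checks are `rpm -V httpd` (verifies the installed package's files against the RPM database) and `httpd -M` (lists the modules actually loaded), each compared against what the configuration is expected to load.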