Hi, unfortunately our server www8.eonconnect.com seems to have been compromised with an exploit similar to this:
http://blog.cpanel.net/?p=31 (even though it's not running cPanel, it seems similar)
For example if you run this at the commandline:
curl http://www8.eonconnect.com
you should get a blank HTML page with no javascript (don't visit this with a browser).
But every 10th time or so, you get a malware script inserted at the top of the page.
Whatever it is, it hides itself well. If you run the following:
curl http://www8.eonconnect.com
from the server itself, you will get nothing unusual; it seems not to activate when accessed from its own IP.
But if from another machine you run that, you will get JavaScript prepended, which loads a script from the domain wo94ni.cn. It seems to record IP addresses accessing it, so it will usually show the first time, and then you may have to rerun the curl command 10 or 20 times to see it again, and then after a certain number of times it will stop showing altogether for that client IP. We had 3 people in different locations spend a couple of hours verifying this behavior yesterday.
In the article referenced or something linked from it, I read that it somehow loads itself into memory so that it can't be detected by checking for filesystem changes? Not sure how true that is, this is beyond my area of expertise. But we're sure that something is able to intermittently add a malicious javascript to web pages served from the server.
I installed 2 rootkit detectors, one called Rootkit Hunter and the other chkrootkit; I'm attaching the log files if they are helpful at all.
Your help is really appreciated!
Thanks
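The poster is verifying the injection by hand, re-running curl from several machines and eyeballing the output. The script below is an added example (not something from the original post or from the eonconnect server) that automates that check from a defender's side: it fetches the page repeatedly from an external host, flags any response containing a `<script src=...>` that points at a host other than the site's own, and keeps each hit on disk as evidence. It assumes a POSIX shell with curl, grep and sed; the hostname `attacker-host.invalid` in the constructed samples is a placeholder, and the function and variable names are this example's own.

```shell
#!/bin/sh
# Added example: sample a site for intermittently injected external scripts.
# Requires only POSIX sh, curl, grep and sed.

# Read HTML on stdin and print every script src that points at an absolute
# URL on a host other than ALLOWED (argument 1). Relative paths such as
# /js/site.js and inline <script> blocks without src are treated as first-party.
# Exit status 0 = a foreign script host was found, 1 = nothing foreign seen.
find_foreign_scripts() {
    allowed="$1"
    found=$(grep -oiE '<script[^>]*src="?[^" >]+' \
            | sed -E 's/.*src="?//' \
            | grep -viE "^(https?:)?//$allowed(/|$)" \
            | grep -E '^(https?:)?//' || true)
    if [ -n "$found" ]; then
        printf '%s\n' "$found"
        return 0
    fi
    return 1
}

# Fetch URL N times and report how many responses carried a foreign script.
# Run this from a machine other than the server itself: the post describes an
# injection that stays silent when the request comes from the server's own IP,
# and that may stop showing for a client after some number of requests, so the
# first samples matter and every hit is written to sample-<i>.html as evidence.
sample_site() {
    url="$1"; n="$2"; allowed="$3"
    hits=0; i=0
    while [ "$i" -lt "$n" ]; do
        i=$((i + 1))
        body=$(curl -sS --max-time 15 "$url") || { echo "sample $i: fetch failed" >&2; continue; }
        if tags=$(printf '%s' "$body" | find_foreign_scripts "$allowed"); then
            hits=$((hits + 1))
            echo "sample $i: foreign script -> $tags"
            printf '%s' "$body" > "sample-$i.html"
        fi
        sleep 1
    done
    echo "$hits of $n responses carried a foreign script"
}

# Constructed sample responses (not captured from any real server) used to
# exercise find_foreign_scripts offline.
CLEAN_SAMPLE='<html><head><script src="/js/site.js"></script><script src="http://www8.eonconnect.com/js/app.js"></script><script>var x = 1;</script></head><body></body></html>'
INJECTED_SAMPLE='<script src="http://attacker-host.invalid/inject.js"></script><html><head><script src="/js/site.js"></script></head><body></body></html>'

# Stand-alone use: ./sample.sh http://www8.eonconnect.com 20 www8.eonconnect.com
if [ "$#" -ge 3 ]; then
    sample_site "$1" "$2" "$3"
fi
```

Usage: run the script with the URL, the number of samples and the site's own hostname from a box outside the server's network; any line starting "foreign script ->" is a response worth handing to whoever does the incident response, together with the saved sample file. The allowed-host filter is a plain regex match, so a hostname that is a suffix of another (www8.eonconnect.com vs. www8.eonconnect.com.attacker-host.invalid) would need a stricter pattern before relying on this in production.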