code4design

How to remove suspicious Javascript prepended on files under a Linux Server?

Hi, unfortunately our server www8.eonconnect.com seems to have been compromised with an exploit similar to this: http://blog.cpanel.net/?p=31
(even though it's not running cPanel, it seems similar)

For example, if you run this at the command line:
curl http://www8.eonconnect.com
you should get a blank HTML page with no JavaScript (don't visit this with a browser).

But every 10th time or so, you get a malware script inserted at the top of the page.

Whatever it is, it hides itself well. If you run the following:
curl http://www8.eonconnect.com
from the server itself, you will get nothing unusual; it seems not to activate when accessed from its own IP.

But if you run that from another machine, you will get a JavaScript snippet prepended, which loads a script from the domain wo94ni.cn. It seems to record the IP addresses accessing it, so it will usually show the first time, and then you may have to rerun the curl command 10 or 20 times to see it again; after a certain number of times it will stop showing altogether for that client IP. We had 3 people in different locations spend a couple of hours verifying this behavior yesterday.

In the article referenced, or something linked from it, I read that it somehow loads itself into memory so that it can't be detected by checking for filesystem changes. I'm not sure how true that is; this is beyond my area of expertise. But we're sure that something is able to intermittently add a malicious JavaScript to web pages served from the server.

I installed two rootkit detectors, one called Rootkit Hunter and the other chkrootkit; I'm attaching the log files in case they are helpful at all.

Your help is really appreciated!
Thanks
rkhunter.txt
chrootkit.txt
Tags: Linux Distributions, Linux Security, Apache Web Server

Last Comment: code4design, 8/22/2022 - Mon

ahoffmann

Can you please post the malicious output of your curl command?
code4design

ASKER
Hi ahoffmann, thanks for replying. We are running a couple more tests. When we found this thing we started strengthening the ways of accessing our server; the most common was SSH, which was using password-based authentication. I modified the config file a bit so it is now key-based, and since that moment we have run test scripts to detect this malicious script and it is not coming up anymore. Probably our password was compromised in some way, and since they now don't have any keys they are not able to access it anymore.

I'll inform you about anything that comes up between today and tomorrow; hopefully I've closed the door to that pesky script...  :P
ahoffmann

Hmm, I don't understand what SSH has to do with your web server (except that someone managed to log in and install some malware).
code4design

ASKER
Yeah, it's really weird, but that has been the behavior. I'll keep you guys posted about any changes we see between today and tomorrow.

Thanks for replying!

P.S.
When I saw your reply I was about to post the response I sent to you; what I mean is that I wasn't going to forget about replying...  ;)
code4design

ASKER
Hi, we haven't had any more incidences of this script up to this day, but we are thinking of an OS restore since the server was compromised from the time we were getting that script, which looked something like this anyway:
clean curl www8.eonconnect.com

with the script curl www8.eonconnect.com

Anyway, the script doesn't matter in terms of what exactly it was, since you wouldn't visit the appended link anyway.

Now, the reason I replied with this is to see if anyone has seen this before and knows exactly what it was, so you can guide me on how to verify that it is not in our servers anymore; or, if you have previous experience with this and are certain that there is a big chance it is still inside, how to look for it and how to remove it. All of this is to see if we can avoid the OS restore, which would be a big job for us in terms of customizations.

Your help is really appreciated
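As an added example that is not part of this thread or of any tool the posters mention, here is a defender-side check for the behavior described in the question and for the "how do I verify it is gone" request in the post above: it audits a batch of page captures fetched from an external client (the asker reports the injection never appears from the server's own IP) against a known-clean baseline and flags any prepended content or any script loaded from a host outside an allowlist. ALLOWED_SCRIPT_HOSTS, the sample bodies and the script path are assumptions constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts the site is expected to load scripts from (an assumption for this example).
ALLOWED_SCRIPT_HOSTS = {"www8.eonconnect.com"}

# Constructed sample captures, not real responses: the blank page the asker describes,
# and the same page with a script tag prepended that loads from the domain named in
# the thread (the path is a placeholder).
CLEAN = "<html><head></head><body></body></html>\n"
INJECTED = '<script src="http://wo94ni.cn/PLACEHOLDER.js"></script>\n' + CLEAN
SAMPLES = [CLEAN] * 9 + [INJECTED]  # roughly "every 10th" response, as reported


class _ScriptCollector(HTMLParser):
    """Records the src of every <script> tag (None for inline scripts)."""

    def __init__(self):
        super().__init__()
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            self.scripts.append(dict(attrs).get("src"))


def foreign_script_hosts(html, allowed=ALLOWED_SCRIPT_HOSTS):
    """Hostnames of external scripts that are not on the allowlist."""
    parser = _ScriptCollector()
    parser.feed(html)
    hosts = set()
    for src in parser.scripts:
        host = urlparse(src).hostname if src else None
        if host and host.lower() not in allowed:
            hosts.add(host.lower())
    return hosts


def prepended_content(body, baseline):
    """Text preceding the clean baseline in body: '' if none, None if baseline is absent."""
    idx = body.find(baseline.strip())
    return None if idx < 0 else body[:idx]


def audit_samples(samples, baseline, allowed=ALLOWED_SCRIPT_HOSTS):
    """Return (fraction of tainted samples, [(index, prepended_text, foreign_hosts), ...])."""
    findings = []
    for i, body in enumerate(samples):
        pre = prepended_content(body, baseline)
        hosts = foreign_script_hosts(body, allowed)
        if pre is None or pre.strip() or hosts:  # page rewritten, content prepended, or unknown script host
            findings.append((i, pre, hosts))
    return (len(findings) / len(samples) if samples else 0.0), findings
```

In practice the samples would be many fetches of the same URL made over time from several outside networks, since the asker observed the injection being suppressed per client IP after a number of requests.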
ASKER CERTIFIED SOLUTION
code4design
