tunafish Posted January 11, 2008

There is a MAJOR root kit going around. It will infect the server at the kernel binary level; it infected our server on CentOS 5 running cPanel 11, fully updated mind you (it's NOT just limited to cPanel servers, so watch out please!). Others have been infected on Fedora etc., so it's not a distro thing.

Once this is done it will, on the fly, randomly inject JavaScript into any site requests that are called. It won't change any user files. The JavaScript call looks something like this:

<script language='JavaScript' type='text/javascript' src='avabf.js'></script>

The JavaScript file name will be random letters like that and will of course not exist. It will be detected as a trojan on some antivirus scanners, or if you're using IE7 it will look like this: http://img296.imageshack.us/my.php?image=errorst5.jpg

Now I might add that ossec, rkhunter and chkrootkit will not find anything. The rootkit will also be hidden. Also you will find that once you are infected it won't let you make any folders with numbers. This, I might add, is the same for SSH logins with root and those from FTP and so on. The exact error will be:

mkdir 12345
mkdir: cannot create directory `12345': No such file or directory

From what I have seen, really the only effective way to remove it is to do an OS reload. There is a lot of talk about this on WHT under here:
http://www.webhostingtalk.com/showthread.php?t=661900
http://www.webhostingtalk.com/showthread.php?t=651748
http://www.unix.com/unix-advanced-expert-u...ctory-name.html
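Because the injection happens on the fly and the files on disk are untouched, one defender-side check is to compare the script tags in a served response against the page as it exists in the document root: anything extra in the served copy was added in transit. This is an added example, not code from the original post; the random-name regex is an assumption modelled on the 'avabf.js' sample above, and both HTML strings are constructed.

```python
import re
from html.parser import HTMLParser


class _ScriptSrcCollector(HTMLParser):
    """Collect the src attribute of every <script> tag in a document."""

    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            for name, value in attrs:  # HTMLParser lowercases attribute names
                if name == "src" and value:
                    self.srcs.append(value.strip())


def script_srcs(html):
    """Return the src values of all <script> tags, in document order."""
    parser = _ScriptSrcCollector()
    parser.feed(html)
    return parser.srcs


def injected_scripts(on_disk_html, served_html):
    """Script srcs present in the served page but absent from the file on disk."""
    expected = set(script_srcs(on_disk_html))
    return [s for s in script_srcs(served_html) if s not in expected]


# Assumption: the injected name is a bare, lowercase, random-looking *.js
# with no path component, as in the 'avabf.js' sample from the post.
RANDOM_NAME = re.compile(r"^[a-z]{4,8}\.js$")


def looks_like_rootkit_injection(src):
    """Heuristic flag for a src that matches the random-name pattern."""
    return bool(RANDOM_NAME.match(src))


# Constructed sample: the page as stored on disk versus what a client received.
ON_DISK = "<html><head><script src='/js/site.js'></script></head><body>hi</body></html>"
SERVED = ("<html><head><script src='/js/site.js'></script>"
          "<script language='JavaScript' type='text/javascript' src='avabf.js'></script>"
          "</head><body>hi</body></html>")

if __name__ == "__main__":
    for src in injected_scripts(ON_DISK, SERVED):
        note = " (matches random-name pattern)" if looks_like_rootkit_injection(src) else ""
        print("injected script:", src + note)
```

In practice, fetch the page with a normal client (the injection is applied to responses, not to files) and feed that body as the served copy.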
The_Decryptor (Veteran) Posted January 11, 2008

You got an OS reload like we were talking about on the IRC, right?
tunafish (Author) Posted January 11, 2008

Yes, I did. This is what I was talking about on IRC, but I never fully knew what the issue was at the time. Now I do.
Knife Party Posted January 11, 2008

lol - * updating KAV *
Argi Posted January 11, 2008

Hope someone can find out more info about it. I always enjoy reading about how these things work.
dragon2611 Posted January 15, 2008

Quoting The_Decryptor: "You got an OS reload like we were talking about on the IRC, right?"

Yes we did, best way to ensure the system is clean. Also got in someone to help secure the box this time around.

Seems to be hitting a lot of servers, and the worrying thing is somehow it's replacing system binaries so that it gets loaded on bootup. At the moment, running a kernel (probably a good idea to have a monolithic kernel, i.e. no module support) that's patched to prevent writing to the kernel memory space (/dev/kmem? /dev/mem?) seems to stop it from loading, although I don't think it stops it being put there; it just means it's unable to load itself on bootup.

From what people over at WHT are saying, however, once infected and loaded into the system it makes it rather hard to build a new kernel; you have to build the kernel on another machine and then load it onto the machine. It's a real nasty piece of work.

http://www.theregister.co.uk/2008/01/11/my..._web_infection/
http://www.finjan.com/Pressrelease.aspx?id...=1819&lan=3