Spam sending trojan?

Hello,

I have a big problem with my server. As I wrote earlier, I had a high server load. I solved the problem, it was malware. I had this problem again today and I found the file that caused the high load.

My IP was listed at http://cbl.abuseat.org/, after the cleaning I delisted it. I did it last time on 24th December and everything was fine until today. Is there any solution to protect my server against this infection? I attached the text from abuseat.org

The infected part of the code started with eval(base64_decode(

IP Address xxx.xxx.xxx.xxx is listed in the CBL. It appears to be infected with a spam sending trojan or proxy.

It was last detected at 2012-01-10 16:00 GMT (+/- 30 minutes), approximately 3 hours ago.

It has been relisted following a previous removal at 2011-12-24 17:12 GMT (17 days, 2 hours, 14 minutes ago)

This IP is infected with, or is NATting for a machine that is infected with, a PHP-based backdoor trojan. The most common target of this infestation is Plesk hosting environments using Qmail and Wordpress or CPanel hosting environments.

Thank you for your help!

Regards,
Adam

Looking at netstat and ps can show you if you have rogue processes running on your box sometimes. There are lots of online articles about redirects or spambots with base64 code in them. Basically, what I do is grep through all of the domain files on the server and look for that string, obfuscated or not.

BADSTRING="e[^a-z]*v[^a-z]*a[^a-z]*l[^a-z]*b[^a-z]*a[^a-z]*s[^a-z]*e[^a-z]*6[^a-z]*4[^a-z]*_[^a-z]*d[^a-z]*e[^a-z]*c[^a-z]*o[^a-z]*d[^a-z]*e"

find /path/to/files -type f -exec egrep -l "$BADSTRING" '{}' +

TBH, I don’t remember why I used egrep there rather than grep - I might have been searching for more than one string at one point, but whatever. On the plus side, I’ve found this (stuck in a larger script that emails me after checking the files once a day) quite useful. On the minus side, if you run this on your live server it will drive your load way up. This works best if your files are on a filer, or if you do nightly backups (unzipped) and can search the backups rather than the live files.

In general, when checking processes on your server with ps auxf, you should get a list of apache processes that look similar to this:

apache 30638 0.0 0.5 299116 6152 ? S 02:33 0:00 \_ /usr/sbin/httpd -DSSL
apache 30639 0.0 0.5 299116 6152 ? S 02:33 0:00 \_ /usr/sbin/httpd -DSSL
apache 30640 0.0 0.5 299176 6152 ? S 02:33 0:00 \_ /usr/sbin/httpd -DSSL
apache 30641 0.0 0.5 299116 6152 ? S 02:33 0:00 \_ /usr/sbin/httpd -DSSL
apache 30642 0.0 0.5 299176 6152 ? S 02:33 0:00 \_ /usr/sbin/httpd -DSSL
apache 30984 0.0 0.5 299116 6152 ? S 02:35 0:00 \_ /usr/sbin/httpd -DSSL

If any other httpd processes look any different, it may be a good idea to switch to that process's directory in /proc and try to examine what it's really doing to see if anything is fishy.
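A runnable version of the grep sweep described above, as an added example that is not code from the thread. The function names, the throwaway sample tree and the file contents are constructed for the demonstration; the optional recent-files filter is the same trick as only checking files edited in the last day, and one sample deliberately shows a variant the pattern does not catch.

```shell
#!/bin/sh
# Added example, not code from the thread: sweep a web tree for eval(base64_decode(
# including variants with junk between the tokens, optionally limited to recently
# modified files so a cron run stays cheap on a live box.

# Same idea as the thread's pattern: any run of non-letters may sit between the letters.
BADSTRING='e[^a-z]*v[^a-z]*a[^a-z]*l[^a-z]*b[^a-z]*a[^a-z]*s[^a-z]*e[^a-z]*6[^a-z]*4[^a-z]*_[^a-z]*d[^a-z]*e[^a-z]*c[^a-z]*o[^a-z]*d[^a-z]*e'

# scan_tree DIR [DAYS]: print matching .php files; with DAYS, only files modified in the last DAYS days.
# -i also catches EVAL(BASE64_DECODE(, since PHP function names are case-insensitive.
scan_tree() {
    if [ -n "${2:-}" ]; then
        find "$1" -type f -name '*.php' -mtime "-$2" -exec grep -liE "$BADSTRING" '{}' +
    else
        find "$1" -type f -name '*.php' -exec grep -liE "$BADSTRING" '{}' +
    fi
}

# count_hits DIR [DAYS]: number of matching files, handy for a daily report mail.
count_hits() {
    scan_tree "$@" | wc -l | tr -d ' '
}

# make_samples: build a throwaway tree of constructed files (the payload is just
# base64 of "echo 1;", not real malware) and print its path.
make_samples() {
    d=$(mktemp -d)
    printf '<?php\n$title = "Welcome";\necho $title;\n' > "$d/clean.php"
    printf '<?php eval(base64_decode("ZWNobyAxOw=="));\n' > "$d/plain.php"
    # Comment and spaces between the tokens are all non-letters, so the pattern still skips over them.
    printf '<?php eval/**/( base64_decode ("ZWNobyAxOw=="));\n' > "$d/obfuscated.php"
    # An extra decoder layer puts letters between eval and base64_decode: this pattern does not catch it.
    printf '<?php eval(gzinflate(base64_decode("ZWNobyAxOw==")));\n' > "$d/wrapped.php"
    # Same as plain.php but back-dated, so a recent-files-only scan skips it.
    cp "$d/plain.php" "$d/old_infected.php"
    touch -t 201201010000 "$d/old_infected.php"
    printf '%s\n' "$d"
}

if [ "${1:-}" = "--demo" ]; then
    dir=$(make_samples)
    echo "all files:";      scan_tree "$dir"
    echo "last 24h only:";  scan_tree "$dir" 1
    rm -rf "$dir"
fi
```

The wrapped.php case is the reason a second, looser pattern (or a dedicated scanner) is worth running alongside this one.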

Thank you! I'm using Linux Malware Detect now (http://www.webhostingtalk.com/wiki/Linux_Malware_Detect). I uploaded test files and the program cleaned them successfully. I set up a cron job every five minutes to check the home directory. It can check only those files which were edited in the last day, so that is very fast.

This is what a normal apache process looks like in one of my test boxes:

[root@david2 30984]# ls -lah
total 0
dr-xr-xr-x 6 apache apache 0 Jan 19 02:35 .
dr-xr-xr-x 181 root root 0 Jan 16 13:20 ..
dr-xr-xr-x 2 apache apache 0 Jan 19 02:40 attr
-r-------- 1 root root 0 Jan 19 15:26 auxv
-r--r--r-- 1 root root 0 Jan 19 02:35 cmdline
-rw-r--r-- 1 root root 0 Jan 19 15:26 coredump_filter
-r--r--r-- 1 root root 0 Jan 19 15:26 cpuset
lrwxrwxrwx 1 root root 0 Jan 19 15:26 cwd -> /
-r-------- 1 root root 0 Jan 19 15:26 environ
lrwxrwxrwx 1 root root 0 Jan 19 02:36 exe -> /usr/sbin/httpd
dr-x------ 2 root root 0 Jan 19 02:40 fd
dr-x------ 2 root root 0 Jan 19 15:26 fdinfo
-r--r--r-- 1 root root 0 Jan 19 15:26 io
-r--r--r-- 1 root root 0 Jan 19 15:26 limits
-rw-r--r-- 1 root root 0 Jan 19 15:26 loginuid
-r--r--r-- 1 root root 0 Jan 19 15:26 maps
-rw------- 1 root root 0 Jan 19 15:26 mem
-r--r--r-- 1 root root 0 Jan 19 15:26 mounts
-r-------- 1 root root 0 Jan 19 15:26 mountstats
-r--r--r-- 1 root root 0 Jan 19 15:26 numa_maps
-rw-r--r-- 1 root root 0 Jan 19 15:26 oom_adj
-r--r--r-- 1 root root 0 Jan 19 15:26 oom_score
lrwxrwxrwx 1 root root 0 Jan 19 15:26 root -> /
-r--r--r-- 1 root root 0 Jan 19 15:26 schedstat
-r--r--r-- 1 root root 0 Jan 19 15:26 smaps
-r--r--r-- 1 root root 0 Jan 19 02:35 stat
-r--r--r-- 1 root root 0 Jan 19 15:26 statm
-r--r--r-- 1 root root 0 Jan 19 02:35 status
dr-xr-xr-x 3 apache apache 0 Jan 19 15:26 task
-r--r--r-- 1 root root 0 Jan 19 15:26 wchan

Sweet! For fun, you might also look at rkhunter and/or chkrootkit. Both have their quirks and kick out false positives on occasion, but I've found them helpful in the past.

I highly recommend ASL from atomicorp.com … $199 well spent. We have it on all our new servers.