I have a big problem with my server. As I wrote earlier, I had a high server load. I solved the problem; it was malware. I had this problem again today and I found the file that caused the high load.
My IP was listed at http://cbl.abuseat.org/, and after the cleaning I delisted it. I did that last time on 24th December and everything was fine until today. Is there any solution to protect my server against this infection? I attached the text from abuseat.org.
The infected part of the code started with eval(base64_decode(…
IP Address xxx.xxx.xxx.xxx is listed in the CBL. It appears to be infected with a spam sending trojan or proxy.
It was last detected at 2012-01-10 16:00 GMT (+/- 30 minutes), approximately 3 hours ago.
It has been relisted following a previous removal at 2011-12-24 17:12 GMT (17 days, 2 hours, 14 minutes ago)
This IP is infected with, or is NATting for a machine that is infected with, a PHP-based backdoor trojan. The most common target of this infestation is Plesk hosting environments using Qmail and Wordpress or CPanel hosting environments.
Looking at netstat and ps can show you if you have rogue processes running on your box sometimes. There are lots of online articles about redirects or spambots with base64 code in them. Basically, what I do is grep through all of the domain files on the server and look for that string, obfuscated or not.
TBH, I don’t remember why I used egrep there rather than grep - I might have been searching for more than one string at one point, but whatever. On the plus side, I’ve found this (stuck in a larger script that emails me after checking the files once a day) quite useful. On the minus side, if you run this on your live server it will drive your load way up. This works best if your files are on a filer, or if you do nightly backups (unzipped) and can search the backups rather than the live files.
If any other httpd processes look any different, it may be a good idea to switch to that process’s directory in /proc and try to examine what it’s really doing to see if anything is fishy.
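The sweep the reply above describes, as an added example (not a script from anyone in this thread): grep the web root for eval(base64_decode( and a few equivalent decode-then-eval loaders, optionally limited to recently modified files so a frequent cron run stays cheap, and list the web-server workers with their real cwd/exe from /proc. The web root path and the process names are assumptions.

```shell
#!/bin/sh
# Added example, not a script from any poster in this thread. It automates the
# sweep described above: grep the web root for eval(base64_decode( and a few
# equivalent decode-then-eval loaders, optionally limited to files modified in
# the last N days, and list web-server workers with their real cwd/exe from /proc.

# Extended regex for the loader idiom. The first alternative is the exact string
# from the thread; the others are the same trick with a different decoder.
BACKDOOR_RE='eval[[:space:]]*\([[:space:]]*(base64_decode|gzinflate|gzuncompress|str_rot13|strrev)[[:space:]]*\('

# scan_webroot ROOT [DAYS]
#   Prints the path of every *.php file under ROOT matching BACKDOOR_RE.
#   With DAYS, only files modified less than DAYS days ago are read (find -mtime),
#   which is what keeps a frequent cron run cheap. grep runs under nice so a full
#   sweep does not starve the live web server.
scan_webroot() {
    root=$1
    if [ -n "$2" ]; then set -- -mtime -"$2"; else set --; fi
    find "$root" -type f -name '*.php' "$@" \
        -exec nice -n 19 grep -lE "$BACKDOOR_RE" {} + 2>/dev/null || true
    # "|| true": grep exits 1 on a clean tree, and that is not an error here
}

# inspect_httpd_procs
#   One line per web-server worker: pid, working directory and binary, read from
#   /proc. A worker whose cwd or exe is not where the server normally runs from
#   is the "looks any different" case worth a closer look. The process names are
#   an assumption; adjust them to match your server.
inspect_httpd_procs() {
    for pid in $(pgrep -d ' ' -x 'httpd|apache2|php-fpm|php-cgi' 2>/dev/null); do
        printf '%s\tcwd=%s\texe=%s\n' "$pid" \
            "$(readlink "/proc/$pid/cwd" 2>/dev/null)" \
            "$(readlink "/proc/$pid/exe" 2>/dev/null)"
    done
}

# Example usage (web root path is an assumption):
# scan_webroot /var/www 1 | mail -s "backdoor scan $(hostname)" root
# inspect_httpd_procs
```

Run the DAYS form from cron to catch new drops quickly, and the full form against a backup copy rather than the live tree when you need a complete sweep.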
Thank you! I’m using Linux Malware Detect now (http://www.webhostingtalk.com/wiki/Linux_Malware_Detect). I uploaded test files and the program cleaned them successfully. I set up a cron job every five minutes to check the home directory. It can check only those files which were edited in the last day, so it is very fast.
Sweet! For fun, you might also look at rkhunter and/or chkrootkit. Both have their quirks and kick out false positives on occasion, but I’ve found them helpful in the past.