Burn the box, re-install an OS fresh from verified source, install the
apache and PHP from known source and then bring back the source for
the web site after verifying it by hand. This is a known trojan, and
it is in memory, but it's initialised from the server drive somewhere.
Gary B
Jeff Plewes wrote:
> We have a similar problem on one of our co-location servers:
>
> - centos5 i386
> - apache 2.2.3-11.el5.centos (2.2.6 backport)
> - php 5.2.5 (compiled from source)
>
> The issue appears at random.. when it is present, a request to the
> web server will respond with a redirect to a spyware or malware
> download site. This will continue to redirect 10% of the traffic to
> the box until httpd is restarted. The redirection script is not found
> in any file on the server filesystem and believed to be injected into
> the response stream via a compromised httpd process in memory.
>
> This issue was happening on the same box when It used to be apache
> 2.0.56, php 5.1.0 running redhat 9. upgrading the distribution,
> apache, php etc has so far not resolved the issue.
>
> At this point we are upgrading to apache 2.2.3-11.el5.centos.3 (2.2.8
> backport) in hopes that the recent security patches in this build
> relating to XSS will solve the issue.
>
> I would really like to find the source of the problem, though.
>
> -Jeff
>
>
> On 22 Jan 2008 00:55:30 -0000, <ponchovaldes (at) gmail (dot) com [email concealed]> wrote:
>> Hello guys, we have a social network that is getting stronger, but we
are having an issue.
>>
>>
>> And the issue is that Sometimes... our page redirects to another
Portal, actually the page that redirects is our first competition,here
in Latino America, i know that they are causing that kind of mess.. so
we thought in this.
>>
>>
>> - We know that our DNS server is ok, and havent been compromised,
>>
>> - DNS cache poisoning
>>
>> - Malware ?
>>
>> - some kind of virus that the guys(bad) made. ( the other portal -
social network-)
>>
>>
>> - Other soolution? sue them?
>>
>>
>> HElp guys.. this thing is taking out alot of users :(
>>
>>
>> thanks in advance!
>>
>>
>> Cheers from México
>>
>
>
apache and PHP from known source and then bring back the source for
the web site after verifying it by hand. This is a known trojan, and
it is in memory, but it's initialised from the server drive somewhere.
Gary B
Jeff Plewes wrote:
> We have a similar problem on one of our co-location servers:
>
> - centos5 i386
> - apache 2.2.3-11.el5.centos (2.2.6 backport)
> - php 5.2.5 (compiled from source)
>
> The issue appears at random.. when it is present, a request to the
> web server will respond with a redirect to a spyware or malware
> download site. This will continue to redirect 10% of the traffic to
> the box until httpd is restarted. The redirection script is not found
> in any file on the server filesystem and believed to be injected into
> the response stream via a compromised httpd process in memory.
>
> This issue was happening on the same box when It used to be apache
> 2.0.56, php 5.1.0 running redhat 9. upgrading the distribution,
> apache, php etc has so far not resolved the issue.
>
> At this point we are upgrading to apache 2.2.3-11.el5.centos.3 (2.2.8
> backport) in hopes that the recent security patches in this build
> relating to XSS will solve the issue.
>
> I would really like to find the source of the problem, though.
>
> -Jeff
>
>
> On 22 Jan 2008 00:55:30 -0000, <ponchovaldes (at) gmail (dot) com [email concealed]> wrote:
>> Hello guys, we have a social network that is getting stronger, but we
are having an issue.
>>
>>
>> And the issue is that Sometimes... our page redirects to another
Portal, actually the page that redirects is our first competition,here
in Latino America, i know that they are causing that kind of mess.. so
we thought in this.
>>
>>
>> - We know that our DNS server is ok, and havent been compromised,
>>
>> - DNS cache poisoning
>>
>> - Malware ?
>>
>> - some kind of virus that the guys(bad) made. ( the other portal -
social network-)
>>
>>
>> - Other soolution? sue them?
>>
>>
>> HElp guys.. this thing is taking out alot of users :(
>>
>>
>> thanks in advance!
>>
>>
>> Cheers from México
>>
>
>
[ reply ]