Dark Leach Virus

This root level compromise seems to affect CentOS 5.x and < Plesk 10.4. This affects Apache directly and requires a reinstallation. Slaving the original drive to migrate the files is acceptible since it affects the OS files themselves, but clamscan is still highly recommended. To determine if a server has this compromise: Plesk [bash] fgrep -l "_INJECT_DO" /usr/lib*/httpd/modules/*.so [/bash] If there are any files in the output of this command the server is definitely root compromised and needs to be reinstalled immediately. The managed servers should detect this automatically but there is no harm in checking on any server you are investigating issues on. WHM / cPanel http://blog.sucuri.net/2013/04/apache-binary-backdoors-on-cpanel-based-servers.html

Since cPanel installs Apache inside /usr/local/apache and does not utilize the package managers, there is no single and simple command to detect if the Apache binary was modified.

grep -r open_tty /usr/local/apache/

If it finds open_tty in your Apache binary, it is likely compromised, since the original Apache binary does not contain a call to open_tty. Another interesting point is that if you try to just replace the bad binary with a good one, you will be denied, because they set the file attribute to immutable. So you have to run chattr -ai before replacing it:

chattr -ai /usr/local/apache/bin/httpd

Leave a Comment