Mystery infestation strikes Linux/Apache Web sites

Posted by: googlingtingwana on January 25, 2008 10:58 PM
I run a small personal server that a few friends and family use, mainly for email and web hosting. When I read about this "infection" on slashdot I checked out my system based on the available information. The only symptom I found was: run tcpdump as suggested; access my server's home page; the tcpdump produced output like that expected from the infection, as follows: <script language='JavaScript' type='text/javascript' src='shfuy.js'></script>. I searched the entire file system and there is no "shfuy.js" file, and I wasn't really expecting one. I looked for other discussed symptoms: 1) created a directory called "1", which was successful; 2) rebooted the system from a live CD and checked my /bin and /sbin directories - there were no renamed utilities such as ifconfig or route (nothing with a bunch of digits after the name); 3) there was no "bwlimited" module running within apache (output from apachectl -t -D DUMP_MODULES); 4) did wget on my server's home page from a couple of different IP addresses - no tcpdump regex-matching output. This suggests to me that either I'm not compromised, or it is a different variation on the problem than others have seen.

