Apache hacked on Pollux


#1

I have been getting sites blacklisted on Google's malware checker, but when I run deep scans and manual checks of those sites I see no evidence of any malicious code. I had a third party check one of the websites and they stated that there was a hidden iframe that had the malware. This iframe is not in any of my pages; it looks like it is getting added at the web server level.

All of the sites affected are on Pollux, so it seems that a malicious Apache module is the most likely culprit for this attack.

http://blog.unmaskparasites.com/2012/09/10/malicious-apache-module-injects-iframes/

Anyone else having this issue?


#2

I’ve spot-checked at least one of the sites you mentioned, and was able to spot at least one potential avenue of infection (a backdoor script called “upd.php” under the wp-admin directory). It’s highly unlikely that a server-level exploit is involved here; it’s far more likely that an exploit on one or more of your sites was able to infect other sites hosted under the same user.


#3

Which site did you spot-check?

That file is one I must have missed from when the site was hacked, back in March. We cleaned it; I must have missed that one. It should not be accessible.

This is a new incident; it started happening two days ago. Nothing on my pages looks out of place. There is an iframe pushing a redirect JS, and it's not coming from inside my site.

Looking at that file, it was a remnant of the TimThumb WordPress hack. That was a clumsy attack that left malformed HTML all over the place. It was easy to find and remove. We missed one file, but it had been rendered inaccessible. This is a lot more sophisticated: it only injects intermittently, and it seems to exclude some IP addresses from being attacked.
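The detection approach behind posts #1 and #3 is to compare what the web server actually serves with the file that is on disk, since an iframe added at the server layer never shows up in the site's own files, and to repeat the fetch several times because the injection is intermittent and skips some client addresses. The following script is an added example, not code from the thread or from the hosting provider; the HTML snippets, the `redirect.example.invalid` host and the `video.example` embed are constructed sample data.

```python
"""Flag iframes in a served response that are absent from the page file on disk.

Added example for this thread. All page content below is constructed
sample data; no real site or host is referenced.
"""
import urllib.request
from html.parser import HTMLParser
from typing import Dict, List, Tuple

# Constructed: the page as it exists on disk, with one legitimate iframe.
ON_DISK = """<html><body>
<h1>Welcome</h1>
<iframe src="https://video.example/embed/1" width="560" height="315"></iframe>
</body></html>"""

# Constructed: a clean response, identical to the file on disk.
SERVED_CLEAN = ON_DISK

# Constructed: a response with a zero-size iframe appended after the page body,
# the shape the thread describes for a server-level injection.
SERVED_INJECTED = ON_DISK + (
    '\n<iframe src="http://redirect.example.invalid/frame.html"'
    ' width="0" height="0" style="display: none"></iframe>'
)


class IframeCollector(HTMLParser):
    """Collect every <iframe> start tag with its attributes."""

    def __init__(self) -> None:
        super().__init__()
        self.iframes: List[Dict[str, str]] = []

    def handle_starttag(self, tag: str, attrs) -> None:
        if tag == "iframe":
            # Attributes without a value (e.g. <iframe hidden>) come back as None.
            self.iframes.append({name: (value or "") for name, value in attrs})


def extract_iframes(html: str) -> List[Dict[str, str]]:
    parser = IframeCollector()
    parser.feed(html)
    parser.close()
    return parser.iframes


def injected_iframes(on_disk: str, served: str) -> List[Dict[str, str]]:
    """Return iframes present in the served HTML but not in the on-disk file."""
    known = extract_iframes(on_disk)
    return [frame for frame in extract_iframes(served) if frame not in known]


def is_hidden(frame: Dict[str, str]) -> bool:
    """Heuristic for frames meant to be invisible: zero size or CSS hiding."""
    style = frame.get("style", "").replace(" ", "").lower()
    return (
        frame.get("width") == "0"
        or frame.get("height") == "0"
        or "display:none" in style
        or "visibility:hidden" in style
    )


def scan_responses(on_disk: str, responses: List[str]) -> List[Tuple[int, Dict[str, str]]]:
    """Check several fetches of the same URL; intermittent injection means a
    single clean fetch proves nothing. Returns (response index, frame) pairs."""
    hits: List[Tuple[int, Dict[str, str]]] = []
    for index, body in enumerate(responses):
        for frame in injected_iframes(on_disk, body):
            hits.append((index, frame))
    return hits


def fetch(url: str, user_agent: str) -> str:
    """Fetch a page with a chosen User-Agent. Run this from more than one
    network (the thread notes some client IPs are excluded) and with both a
    browser-like and a crawler-like User-Agent, then pass the bodies to
    scan_responses(). Not called in the offline demo below."""
    request = urllib.request.Request(url, headers={"User-Agent": user_agent})
    with urllib.request.urlopen(request, timeout=15) as response:
        return response.read().decode("utf-8", errors="replace")


if __name__ == "__main__":
    for index, frame in scan_responses(ON_DISK, [SERVED_CLEAN, SERVED_INJECTED, SERVED_CLEAN]):
        print(f"response {index}: injected iframe src={frame.get('src')!r} hidden={is_hidden(frame)}")
```

The comparison key is the full attribute set of each iframe, so a legitimate embed that is in the file on disk is never flagged, while anything that only exists in the response stands out regardless of where in the page it was inserted. If the served copy differs from the file for every fetch, the next place to look is the web server layer itself rather than the site's files.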


#4

The site I was looking at was the one you specifically mentioned in your support ticket. I was refraining from mentioning the name publicly to keep the exact vulnerability under wraps.

Your issue has been forwarded to our security team, and they should be running their security scanner on your site shortly. They should be able to provide you with more than I was able to uncover in my brief check.