It was expected, actually…
But – from the beginning.
Iframe with malicious code was injected in multiple pages of Apache server dynamically.
Standard cleanup was not helpful at all, multiple co-located hosts were infected the same way.
Any website, moved to new server, became clean << When I saw this, it became obvious, that compromise is part of web-server itself, not per site.
So – I made a little research, and found new product on black market, that You may be interested in
Meet: DarkLeech – mod for Apache2 for automatic invert of iframes in server responses.
Webserver: Apache2 server,
Operating system: Linux, BSD,
Access Level: root
Installation instructions: Place mod in any folder, edit Apache config file to add 1 string and restart server.
- insert frames in php, html,js on the fly
- frame delivered to unique users only, no frame on repeat. << known anti-forensics. Interesting, how this implemented here, external logs or based on Apache2?
- possibility framing of traffic, that came from search engines only << looks like again Referer field?
- different modes of framing – low, standard, aggressive
- update of malicious frame from external URL
- Admins of webserver, that have ssh access to it, excluded from frame delivery. System also able to detect Admin’s IP by URL of administrative access and ban Admin IP from framing procedure.
- When root or any user in sudo group login into server, module transfer to “quiet mode”, and only when IP of the admin banned or filtered out, server proceed with infecting visitors.
- users filtered out by origin, OS version, local IP requests etc. << this is based on User-Agent, as far as I understand.
- When module detect any suspicious process in memory(tcpdump, rkhunter etc), it stop the activity
- option to encryption of framing.
As seller claim, module was used in private for 2 last years, now available for sell. Current version is 14.0
Major reason to going public – reticently researchers came close to find it out. So there is no reason to stay private.
Mode written in C and PHP
So, guys, here is all info I have for now.:)
In case Your server host contain multiple infected pages, don’t forget to check Apache2 config files for unknown modules upload.
In case You already found malicious module – You have been root-ed, and the best solution is to transfer web-server data to other server (check it for hidden backdoors!) and erase the infected server.
Cheers and stay safe