
Dealing with Malicious Apache Module Injection

An example of the randomly inserted script is shown below.

<iframe src="http://{random domain}/{random string}/{random string}/" width="114" height="171"></iframe>

The issue is almost impossible to locate unless you are browsing with IE8 or IE9, as in most cases these are the intended targets.

In order to test the site, I utilised the “User Agent Switcher” located within Firefox / Chrome.

The real problem came when the evasiveness of the module was discovered.

The module avoids detection by doing the following:

  • Rendering the iframe, and then adding the user's IP to a blacklist for 15 - 30 minutes afterwards
  • Blacklisting any user who has logged into the server recently
  • Blacklisting the local user
  • Blacklisting any type of search engine, and their IPs

A few methods of locating modules are included below.

Check for unknown modules within /etc/httpd/modules

Generally, Apache modules are added to the modules directory of httpd to begin with, and as you can see, the two modules below are very out of place; they were located because they contained “dlEngine” strings.

root@ns1 [/etc/httpd/modules]# ls -lah
-rwxr-xr-x. 1 root root 44K Jul 3 2012 mod_chart_version.so
-rwxr-xr-x. 1 root root 43K Jul 3 2012 mod_view_version.so

Unfortunately, removing these two modules was not all that was required, and further investigation had to continue.

Output the Apache modules list

root@ns1 [/etc/httpd/conf/includes]# httpd -t -D DUMP_MODULES > /root/mods2

It’s generally good to get a configuration from a different server running a similar environment, to see what is loaded.

For example, see below:

root@ns1 [/etc/httpd]# diff /root/mods1 /root/mods2
53c53,54
<
---
> pool_mime_module (shared)
> passenger_module (shared)

Upon investigating /etc/httpd/conf/includes, a matching include for pool_mime_module was found, and the module file itself was located within /lib64:

root@ns1 [/lib64]# grep pool_mime -i *
Binary file libpcproas.so.1 matches
Binary file mod_pool_mime.so matches

root@ns1 [/lib64]# ls -lah libpcp*
-rwxr-xr-x. 1 root root 43K Aug 19 2010 libpcproas.so.1

root@ns1 [/lib64]# ls -lah mod_pool_mime.so
lrwxrwxrwx. 1 root root 15 Jan 15 03:47 mod_pool_mime.so -> libpcproas.so.1
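The steps above (dump the loaded modules, diff against a known-good server, then inspect any module only the suspect server loads) as one added script. This is example code written for this post, not something from the original investigation; the module dumps and the symlinked .so it operates on are constructed stand-ins for /root/mods1, /root/mods2 and /lib64/mod_pool_mime.so.

```shell
#!/bin/sh
# Added example: compare two "httpd -t -D DUMP_MODULES" outputs and inspect
# the modules that only the suspect server loads. Assumes both dumps were
# saved to text files beforehand.

# Print module names present in the suspect dump but missing from the baseline.
extra_modules() {
    baseline="$1"; suspect="$2"
    # DUMP_MODULES lines look like " pool_mime_module (shared)"; keep the name.
    awk '/_module/ {print $1}' "$baseline" | sort -u > "$baseline.names"
    awk '/_module/ {print $1}' "$suspect"  | sort -u > "$suspect.names"
    comm -13 "$baseline.names" "$suspect.names"
    rm -f "$baseline.names" "$suspect.names"
}

# Report whether a module file is a symlink (and where it points) and whether
# it contains a marker string, such as the "dlEngine" string seen in this case.
inspect_module_file() {
    file="$1"; marker="$2"
    flags=""
    if [ -L "$file" ]; then
        flags="$flags symlink->$(readlink "$file")"
    fi
    if grep -q "$marker" "$file" 2>/dev/null; then
        flags="$flags contains:$marker"
    fi
    echo "${flags# }"
}

# Constructed sample dumps standing in for /root/mods1 (baseline) and /root/mods2 (suspect).
tmp=$(mktemp -d)
cat > "$tmp/mods1" <<'EOF'
Loaded Modules:
 core_module (static)
 ssl_module (shared)
EOF
cat > "$tmp/mods2" <<'EOF'
Loaded Modules:
 core_module (static)
 ssl_module (shared)
 pool_mime_module (shared)
 passenger_module (shared)
EOF
# Constructed stand-in for /lib64/mod_pool_mime.so -> libpcproas.so.1
printf 'dlEngine\n' > "$tmp/libpcproas.so.1"
ln -s "$tmp/libpcproas.so.1" "$tmp/mod_pool_mime.so"

extra_modules "$tmp/mods1" "$tmp/mods2"
inspect_module_file "$tmp/mod_pool_mime.so" dlEngine
```

On a real host, run the second function over the file named by each suspect module's LoadModule line; a module that symlinks out of the Apache modules directory and carries the marker string is the pattern described above.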

This blog post is related to http://blog.unmaskparasites.com/2012/09/10/malicious-apache-module-injects-iframes/


Author: Alex Burgess
