http being hijacked

This is not cPanel specific, but more of a general security question. So last year I dealt with a server that had been rooted and the attacker was modifying the http output before it was delivered to the end-user to inject malicious code. They were using this to do multiple items such as redirect to adult sites, display popup ads, and display inline ads on my clients site. And just to confirm, because I know someone will bring this up, but it was not being injected into the actual files in the hosting account. It was being done on the httpd server level. We believe they modified some binaries, but we weren't able to track it down completely....just had to move the client to a fresh clean server. It was very sophisticated, down to the point where they weren't serving up the malicious code to everyone...only about 25% of the traffic. They also logged administrator IP's and never gave malicious content to them either. Now we have another client who is complaining about this (on a smaller scale) happening to them. It started me wondering if there is a way that I could view/log the html right before it is sent out to the end user to monitor for any malicious content being injected. I've tried to use tcpdump a bit, but it gives the encrypted/binary information as well. I'd love to see if I can log the html being given directly to the user. Anyone have any ideas if this is possible? Or Any other ideas on how to find out if malicious content is being served by our websites (McAfee and other external web scanners come back negative....but that could be because their scanning IP's have been logged, or they aren't included in that 25% when the scan happens).

quizknows

January 26, 2015 23:32

ModSecurity, or Mod DumpIO can be used to log egress http traffic, but I'm unsure if the infection would break that. See [url=http://blogs.cisco.com/security/linuxcdorked-faqs]Linux/CDorked FAQs or [url=http://www.welivesecurity.com/2013/04/26/linuxcdorked-new-apache-backdoor-in-the-wild-serves-blackhole/]Linux/Cdorked.A - A new Apache backdoor is being used in the wild to serve Blackhole

noimad1

January 26, 2015 23:57

Thanks for the info, I'll look at mod DumpIO to see what that does. I had already tested for the CDorked on this server, but the memory came back clean, and there doesn't seem to be any trace of it. Not to say that it isn't a variation of it?

January 27, 2015 01:16

I've heard there's a new variation on it but I haven't had time to investigate it. DumpIO is pretty nice, though your logs will be absolutely massive. Obviously only use it for debugging.

cPanelMichael

January 27, 2015 14:46

Hello :) For reference, there is a similar thread here (user mentions only 25% of traffic redirected): Questions about hacked server Thank you.

January 27, 2015 18:35

Yea, that was the first server that was compromised. We moved that client to a new server. Right now I'm just trying to confirm if this server is for sure compromised. Do you think something like snort would pick up this malicious code being added to the sites?

January 27, 2015 19:01

Snort could probably do it if you can get any data to make a signature from. Maybe the emerging threats rules could pick it up.

http being hijacked

Comments

Didn't find what you were looking for?