« | Home | »

Keygenguru malware injection on server

By Robin | oktober 29, 2009

Some days ago one of our webservers started showing now and then by visiting a website a blank page of a popup, it only show in the source some javascript… After days we scanned the whole system:

#grep -H “eval(base64_decode” /var/www/vhosts/* -R | cut -d: -f1 > /tmp/results_scan

Topics: Linux | 5 Comments »

5 Responses to “Keygenguru malware injection on server”

  1. Bonus Says:
    november 8th, 2009 at 22:22

    Did you fix it? We have same problem too…

  2. Robin Says:
    november 9th, 2009 at 07:42

    yes we have fixed the problem.

  3. Tristan Says:
    november 15th, 2009 at 21:59

    Any idea on what attack vector it uses to infect sites?

  4. Robin Says:
    november 16th, 2009 at 08:38

    it uses a galleryscript most of the time to upload an image (jpg, gif, …). After that they use that to execute a script in place of showing the image, because the file they uploaded is not an image but a script, this script will do some nasty things and make the popups and blanc pages!

  5. smaert Says:
    november 18th, 2009 at 18:57


    This looks like the same issue that I spent many days trying to fix.

    I’ve traced this to a vulnerability with php and inherited file descriptors being used to ‘take over’ apache children and serve malicious redirects.

    I written much on this subject, including how to find the source of the problem, how to test if your webserver is vulnerable, and many details surrounding this clever attack.

    Please read: