Mystery infestation strikes Linux/Apache Web sites

> "According to cPanel, if you are unable to create a directory name beginning with a numeral – as in mkdir 1 -- you're infected. Another test is to monitor the packets from the server with the following tcpdump command:

tcpdump -nAs 2048 src port 80 | grep "[a-zA-Z]{5}.js'"

One great unknown thus far is how the servers come to be infected. Absent any forensic evidence of break-ins, the current thinking is that the malware authors gained access to the servers using stolen root passwords."


6 Replies

scary stuff. time to go back to work on my firewall script, heh.

I can't help but think that successful SSH brute-force password attacks are at least part of the problem. My systems get hammered with bruteforcers daily (never mind that I disable passwords in favor of keys for SSH access).

Yet another compelling reason to disable root logins via SSH. :)

Or just rate-limit incoming connections to your SSH server. I've seen excellent results with this:

# rate limit incomig port 22 connections
iptables -I INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent --set
iptables -I INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent --update --seconds 60 --hitcount 2 -j DROP

That will limit the number of connections coming from one IP to two per minute. Anything more and it gets blocked. If they keep on hitting it, it stays blocked. Best of all, access from your own IP is not affected.


- get fail2ban to take care of any future bruteforce attacks

  • get fwbuilder to manage your IP tables with ease

  • make sure you dont run your apache as root

  • read milion other tips on google about securing your apache webserver


Please enter an answer

You can mention users to notify them: @username

You can use Markdown to format your question. For more examples see the Markdown Cheatsheet.

> I’m a blockquote.

I’m a blockquote.

[I'm a link] (

I'm a link

**I am bold** I am bold

*I am italicized* I am italicized

Community Code of Conduct