What kind of errors on your getting with the perl script? I haven’t tested it on Centos5 but I can try and help you debug it.

I have seen where the child processes will re-activate after a re-boot. Like mentioned above, sometimes the code will be in a legitimate file so as soon as that .php file is called, either by a browser or as an included file, it will fire off the child process and re-activate.

If you have root access to the server, you can scan all .php files for eval(base64_decode and examine those files. If it’s a shared server you’re scanning, the website you find those files on, is probably the one that infected the server. I would suggest contacting the website owner and making them aware of the infection so they can scan all their PCs for viruses that may compromised their FTP credentials.

Admin is right. He has hit the nail right on the head. I spent 6 days chasing this problem down myself and found the problem was initiated by PHP scripts that were taking over apache children and serving malicious redirect requests.

I made a write-up about this with all the gory details, including a couple of different detection methods.

http://smaert.com/apache_mischief/writeup.txt

Hope it helps.
-an isp admin

You probably won’t see any suspicious process or even a modified binary, what we’ve found is that there is an infectious .php file that contains some base64 code. The code is the binary (ELF) that takes advantage of an Apache APR bug of some sort. Whenever the .php file is POSTed to with the correct parameters, the infection is live for some period of time. There is no binary to find because it’s obfuscated in the base64 code.

If you have access to the root of the server, you can search all websites for a .php file with base64_decode in it as a start. However, we’ve been seeing where the .php file has hidden the base64_decode like this:

?php $PyIqJDl=’#####e##############################v###a####l(b########a####s###e###########6##4##########_##d###eco###d####e#######(#\’ZXJ

Then there’s a piece of code at the end that looks like this:

$PyIqJDl=str_replace(‘#’, ”, $PyIqJDl);

Which removes all of the #’s and reveals the eval(base64_decode(… string.

Do you have root access to this server? If so, please let me know as I would like to gather as much information as possible and let the world know, what to look for.

Have you seen any POST requests in the access.log? It might look like this:

2xx.2xx.2xx.14 – - [30/Sep/2009:18:24:51 +0100] “POST /test/php/test.php HTTP/1.1″ 200 281 “http://www.google.com” “Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; Alexa Toolbar)”
7x.x2.1xx.1xx – - [30/Sep/2009:18:24:52 +0100] “POST /test/php/test.php HTTP/1.1″ 200 8976 “http://www.google.com” “Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; Alexa Toolbar)”

Let me know…

I also found a server with this new “n_sess_id” infection. I couldn’t find any suspicious process or even modified binary (of course, this check is not 100% correct on a running server). The interesting thing is the apache sometimes gives this infected content instead of a static page even! So, there is no PHP or anything else is used…

Do you have access to any servers that have been hit by this?

The scripts sets a cookie called “n_sess_id” and redirects to a page called “best[minus]virus[minus]scanner5[dot]com”. Maybe a new round?