Pharmacy Alert Security Team
Removal - 1
The pharmacy hijacker breaks into public web sites by performing a dictionary attack on the root user password. Once he gets the password, he logs in and stores a proxy server routine. This routine installs one of the web sites shown in the Picture gallery. All the images for the web sites are installed on another web server which has also been hijacked. Each illicit web site therefore runs on two compromised machines: the site server proxy and the image server proxy. Finally, the name to IP address resolution is performed by a domain name server, which runs on yet a third compromised server machine.Before killing off the offending binaries, you should verify that your system is intact. In almost all cases in the past few months, the criminals behind this spam operation have gained access to servers like yours and compromised it in the following ways:
The intruder's program is not stored on disk, but runs only in the memory.
- They modify your shadow file so that it is unwritable (read only.) This stops you from being able to modify your root password, and all others.
- They remove all of the following utilities from your system:
- They modify your iptables settings to block several law enforcement and other entities from finding your server while it is compromised. (You can verify this by running the command: iptables --list INPUT)
- They install up to two compromises: tirqd (a web traffic / content proxy) and uirqd (a custom DNS server.)
For further information on what these utilities do and who is behind this attack on your server, we recommend reading the spam wiki entry at "My Canadian Pharmacy":
In the event you do run the above IPTABLES command, we recommend saving the resulting output to a text file with a timestamp in the event law enforcement or other entities need to see it.
Reset your iptables settings with the following two commands:
iptables -F INPUT
iptables -F OUTPUT
Since your server is likely similarly compromised, we recommend getting a copy of a utility called "busybox" so you can again have control over your server. It's available here: Busybox.net.
Modify your root password using busybox:
Download, unpack and grant execution rights to the busybox binary. Read the documentation. You can use that utility to modify your root password to something very secure.
Perform all of the following tasks as the root user.
> Removal Page 2