i have an site on my server when i open it the kaspersky anti viruss detect there is an trojan in this site .. ( see the picture in the attachment )
and i checked the server from the whm and there is result 15 POSSIBLE Trojans Detected
How i can solve this ?? and remove this trojans .
I have 2 reseller accounts with one provider, and in the last several days I have noticed that when you visit the site for the first time, my AV software detects a trojan on the site, but the code & html files are 100% clean!
I'm suspecting that there is something being injected into the scripts from the server daemons that's either running or something else.
Anyone have any suggestions?
I just installed a fresh copy of centos 4.5, updated some programs and installed chkrootkit. When i run # ./chkproc, it shows the following output:
# ./chkproc
You have 14 process hidden for readdir command
You have 14 process hidden for ps command
Searching for LKM trojans shows the following output:
# ./chkrootkit -x lkm
EXE 9994: /usr/sbin/named
CWD 9995: /var/named
EXE 9995: /usr/sbin/named
CWD 9996: /var/named
EXE 9996: /usr/sbin/named
CWD 9997: /var/named
EXE 9997: /usr/sbin/named
CWD 9998: /var/named
EXE 9998: /usr/sbin/named
CWD 26293: /var/lib/mysql
EXE 26293: /usr/sbin/mysqld
CWD 26294: /var/lib/mysql
EXE 26294: /usr/sbin/mysqld
CWD 26295: /var/lib/mysql
EXE 26295: /usr/sbin/mysqld
CWD 26296: /var/lib/mysql
EXE 26296: /usr/sbin/mysqld
CWD 26297: /var/lib/mysql
EXE 26297: /usr/sbin/mysqld
CWD 26298: /var/lib/mysql
EXE 26298: /usr/sbin/mysqld
CWD 26299: /var/lib/mysql
EXE 26299: /usr/sbin/mysqld
CWD 26300: /var/lib/mysql
EXE 26300: /usr/sbin/mysqld
When i stop mysql and named, and run # ./chkrootkit -x lkm again, it doesn't show anything. When i turn mysql and named back on, it starts complaining about compromises again.
Can it be a false alarm, or should i really be worried? What do you advise me to do now?
I just installed zen cart on my webhosting and after few days later i saw some file written like core1405.php and when i open to view the file it is actually trojan c99shell.
I have deleted all of the core file. Now how can i prevent it from happen again? Cause it is too much work to clean up the hosting server.
We have a client claming that she gets a Trojan warming when she trys to access her website but using the Trojan scan in cpanel doesn't show anything.
What can we use to scan for Trojan?
I just ran a scan for trojan horses in WHM and it came up with "687 POSSIBLE Trojans". WTH? Are these real trojan horses? If so, how do I remove them?
View 2 Replies View RelatedAs usually I do monthly scan to all files on my site,today I download all backup site into my PC,then scanning them using Norton Antivirus and on one site files Norton detected PHP.Backdoor.Trojan.
I take a look file location and found current file with name xTgsj78Jn.txt
Then I go to my server where site hosted,and i go to the directory and found file above stay on there,I try many time to delete it but always get an error message "Permission denied",I try to change permission but always returned an error.
When deleted it i use command rm -r with root access,then I do ls -l and found details file like below.
-rwxrwxrwx 1 nobody nobody 137787 Mar 19 20:14 xTgsj78Jn.txt*
Please help me to delete this file.
FYI this file uploaded to my hosting file site.
We recently setup a server with 4 gigs of RAM and installed Fedora core 7 32-bit version in it. After installing the OS, I have found that Fedora is able to detect only 2 GB and not 4 GB of RAM. I installed the kernel-PAE and kernel-PAE-devel modules and restart the server and made sure that the the OS with the PAE switch starts at boot time. However, the OS still does not detect the 4 GB RAM. Any idea what else can be done apart from installing the 64-bit OS in the system?
View 14 Replies View Relatedmy whm Trojan scanner found 23 possible Trojans.
how can i clean my server?
I have an hosting account at OXEO.com and I have trojan problems on all my websites
The index files of all my websites show a Trojan program called Trojan-Downloader.JS.Psyme.hz
I checked my websites on Google and Google is warning users for this kind of problems for one of my websites
Does anybody here has experienced the same problem?
I ran the Trojan scan in WHM and it came up with the list below. I have a strong feeling WHM is mis-reporting these as trojans, but I thought I would ask the experts here:
Scan for Trojan Horses
Appears Clean
/dev/stderr
Scanning for Trojan Horses.....
Possible Trojan - /usr/bin/cpan
Possible Trojan - /usr/bin/instmodsh
Possible Trojan - /usr/bin/prove
Possible Trojan - /usr/bin/xmlcatalog
Possible Trojan - /usr/bin/xmllint
Possible Trojan - /usr/bin/xml2-config
Possible Trojan - /usr/lib/libxml2.la
Possible Trojan - /usr/bin/mysqlhotcopy
Possible Trojan - /usr/bin/Wand-config
Possible Trojan - /usr/bin/animate
Possible Trojan - /usr/bin/compare
Possible Trojan - /usr/bin/composite
Possible Trojan - /usr/bin/conjure
Possible Trojan - /usr/bin/convert
Possible Trojan - /usr/bin/display
Possible Trojan - /usr/bin/identify
Possible Trojan - /usr/bin/import
Possible Trojan - /usr/bin/mogrify
Possible Trojan - /usr/bin/montage
Possible Trojan - /usr/bin/curl-config
Possible Trojan - /usr/bin/curl
Possible Trojan - /usr/lib/libcurl.so.3.0.0
Possible Trojan - /usr/lib/python2.3/site-packages/libxml2mod.la
Possible Trojan - /usr/lib/python2.3/site-packages/libxml2mod.so
Possible Trojan - /usr/sbin/pureauth
25 POSSIBLE Trojans Detected
Is there anything that looks fishy here?
What is a rootkit? The following link is a very good read to answer that question.
http://linux.oreillynet.com/pub/a/li...4/rootkit.html
In Summary, a rootkit is a trojan installed on your Linux server after someone has broken into it. These files are used to cover the hackers tracks, and to give the hacker tools to do more dirty work from your server.
Usage:
1. su - (change to root user)
2. mkdir /usr/local/chkrootkit
3. wget ftp://ftp.pangeia.com.br/pub/seg/pac/chkrootkit.tar.gz
4. tar -xvzf chkrootkit.tar.gz
5. cd chkrootkit*
6. cp * /usr/local/chkrootkit
7. cd /usr/local/chkrootkit
8. make sense
Now scan your system:
1. cd /usr/local/chkrootkit
2. ./chkrootkit
chkrootkit may from time to time give false positives. If you ever get a positive or "infected hit" scan a second time. If you do get a positive hit, google the hit to research the issue and steps to correct.
Part 2 - automated chkrootkit, and emailed results.
I'm lazy, and like my server to do the work for me so I have it scan every day, and email me the results.
Usage:
1. vi /etc/cron.daily/chkrootkit
2. add the following code.
Code:
#!/bin/bash
(cd /usr/local/chkrootkit; ./chkrootkit -q 2>&1 | mail -s "Daily chkrootkt scan" you@yourdomain.com)
3. chmod 0755 /etc/cron.daily/chkrootkit
This will email you@yourdomain.com every morning with your chkrootkit results. the -q option will only show you exploits.
Removal:
If you don't like getting the emails or just want to remove this from your server:
1. rm /etc/cron.daily/chkrootkit
2. rm -rf /usr/local/chkrootkit
All files will now be deleted from your server.
how can I remove a Virus/Trojan from my website?
View 6 Replies View RelatedJust installed fresh centos 5 / cpanel and now I get this:
No filesystems with quota detected.
[root@server scripts]# quotacheck -avugm
quotacheck: Can't find filesystem to check or filesystem not mounted with quota option.
Code:
[root@server scripts]# /scripts/initquotas
Quotas are now on
Updating Quota Files......
quotacheck: Can't find filesystem to check or filesystem not mounted with quota option.
quotacheck: Can't find filesystem to check or filesystem not mounted with quota option.
....Done
How do I fix this?
Code:
LABEL=/1 / ext3 defaults,usrquota 1 1
LABEL=/boot1 /boot ext3 defaults 1 2
devpts /dev/pts devpts gid=5,mode=620 0 0
tmpfs /dev/shm tmpfs defaults 0 0
proc /proc proc defaults 0 0
sysfs /sys sysfs defaults 0 0
LABEL=SWAP-sda2 swap swap defaults 0 0
I am using Windows 2003 Enterprise Edition SP1 and i have recently set the computer up to 4GB RAM. I notice a problem occur error :
When I start the computer, Bios detected all 4GB Ram. However, i have checked Total physical memory in General (My Computer-> Properties) doesnot detect all 4GB Ram. it only detect 3GB Ram.
I have checked that this OS support up to 32GB . Why it doesn't detect all 4GB ?
What happen to it?
Mainboard : Intel chipset 915GL
I did following the instruction in internet (exactly is Microsoft) is /PAE in boot.ini file. But, it doesnt work.
i see my websites are infected with some trojan.
there are some iframe tag simlilar to this in all index files
<iframe src="http://traff<<removed>>.cn/in.cgi?27" width=100 height=80></iframe>
any idea how might this iframe inserted in my codes.
i have tried to format my systems and remove all saved ftp passwords , but still this virus is comming back and the strange thing is i have website on different servers infected with same virus
any idea how this is happened and how to avoide this?
can any body help me with the Trojan-Downloader.JS.Psyme.hz remover?
i can't find an remover for linux server for this trojan.
I am not that technically proficient so I have to resort to shared hosting solutions...I am currently with Bluehost.
Problem: I have a small site with minimal needs in terms of storage and bandwidth, but the site is controversial and gets hacked and attacked a lot.
I need a shared hosting provider which ranks higher than most in terms of security.
Recently the site was attacked such that any user going to the site was infected with Trojan horse viruses.
Donno if it's useful or not but here are the files from my PC antivirus which was infected when I went to the site with IE:
File generated by Rogers Online Protection Anti-Virus
C:Documents and SettingsuserLocal SettingsTemporary Internet
FilesContent.IE5PG8E0SM0gifimg[1].htm Trojan-Clicker.HTML.IFrame.amh
Deleted 11/5/2009 12:21:25 AM
C:Documents and SettingsuserLocal SettingsTemporary Internet
FilesContent.IE5GC9JZWI3gifimg[2].htm Trojan-Clicker.HTML.IFrame.amh
Deleted 11/5/2009 12:21:27 AM
C:Documents and SettingsuserLocal SettingsTemporary Internet
FilesContent.IE5QBPA1ELgifimg[1].htm Trojan-Clicker.HTML.IFrame.amh
Deleted 11/5/2009 12:21:27 AM
C:Documents and SettingsuserLocal SettingsTemporary Internet
FilesContent.IE56SLECSUQgifimg[5].htm Trojan-Clicker.HTML.IFrame.amh
Deleted 11/5/2009 12:21:28 AM
C:Documents and SettingsuserLocal SettingsTemporary Internet
FilesContent.IE5EKTEAS82gifimg[5].htm Trojan-Clicker.HTML.IFrame.amh
Deleted 11/5/2009 12:21:28 AM
C:Documents and SettingsuserLocal SettingsTemporary Internet
FilesContent.IE5P5098OY4gifimg[4].htm Trojan-Clicker.HTML.IFrame.amh
Deleted 11/5/2009 12:21:29 AM
C:Documents and SettingsuserLocal SettingsTemporary Internet
FilesContent.IE5IPGNWAB0gifimg[1].htm Trojan-Clicker.HTML.IFrame.amh
Deleted 11/5/2009 12:21:30 AM
C:Documents and SettingsuserLocal SettingsTemporary Internet
FilesContent.IE55VT8B104gifimg[1].htm Trojan-Clicker.HTML.IFrame.amh
Deleted 11/5/2009 12:21:30 AM
C:Documents and SettingsuserLocal SettingsTemporary Internet
FilesContent.IE543XUDX83gifimg[2].htm Trojan-Clicker.HTML.IFrame.amh
Quarantined 11/5/2009 12:21:31 AM
C:Documents and SettingsuserLocal SettingsTemporary Internet
FilesContent.IE56SLECSUQgifimg[5].htm Trojan-Clicker.HTML.IFrame.amh
Quarantined 11/5/2009 12:22:18 AM
C:Documents and SettingsuserLocal SettingsTemporary Internet
I got email notice about this:
Quote:
The following warning/error was logged by the smartd daemon:
Device: /dev/sdb, 1 Currently unreadable (pending) sectors
For details see host's SYSLOG (default: /var/log/messages).
Quote:
The following warning/error was logged by the smartd daemon:
Device: /dev/sdb, 1 Offline uncorrectable sectors
For details see host's SYSLOG (default: /var/log/messages).
It causes server crash and down.
I'm just working with my first dedicated server and also in the process of coding a new site. Anyway, I've gotten around to emailing users from scripts on my site (Java Servlet). Using Sendmail as the server (with default config) the emails are detected as spam by pretty much everything.
I'm looking for a complete list of things which need to be done to ensure an email isn't detected incorrectly as spam. I've read through various sites etc but haven't found a definitive list of things which should be done. I'm sure this would be helpful for other forum visitors too.
I'm NOT trying to send spam or anything like that but I haven't set up a dedicated server before.
I am using Merak Mail server 8.0.3 (Windows). From past 2 - 3 days many of my users are complaining their genuine mails are going to spam. The value set for antispam is 5 i.e. if antispam value is above it is detected as spam else not spam.
But from past few days which ever genuine mail is detected as spam I have found an very uncommon thing in it. It shows '10.4 FH_HAS_X Has X: header'
The SpamAssassin table shows the following information:
Content analysis details: (16.34 points, 5.00 required)
pts rule name description
---- ---------------------- --------------------------------------------------
0.1 HTML_MESSAGE HTML included in message
0.1 HTML_TAG_EXISTS_TBODY HTML has "tbody" tag
2.2 DEAR_SOMETHING Contains 'Dear (something)'
2.4 BAYES_80 Bayesian spam probability is 80 to 90%
0.0 NO_RDNS2 Sending MTA has no reverse DNS
10.4 FH_HAS_X Has X: header
1.1 SARE_HEAD_MIME_INVALID SARE_HEAD_MIME_INVALID Invalid mime version
0.1 SARE_HEAD_HDR_XMS SARE_HEAD_HDR_XMS Message headers used whic
in one of my CentOS 64bit, there is errors with NICs
NETDEV WATCHDOG: eth0: transmit timed out
e1000: eth0: e1000_watchdog_task: NIC Link is Up 100 Mbps Full Duplex
e1000: eth0: e1000_watchdog_task: 10/100 speed: disabling TSO
e1000: eth0: e1000_clean_tx_irq: Detected Tx Unit Hang
Tx Queue <0>
TDH <59>
TDT <5c>
next_to_use <5c>
next_to_clean <58>
buffer_info[next_to_clean]
time_stamp <1241628eb>
next_to_watch <59>
jiffies <124162eba>
next_to_watch.status <0>
e1000: eth0: e1000_clean_tx_irq: Detected Tx Unit Hang
Tx Queue <0>
TDH <59>
TDT <5c>
next_to_use <5c>
next_to_clean <58>
buffer_info[next_to_clean]
time_stamp <1241628eb>
next_to_watch <59>
jiffies <12416368a>
next_to_watch.status <0>
Is there any idea for fixing? It's SM PDSMI+ board. Kernel 2.6.9-55.0.2.ELsmp #1 SMP Tue Jun 26 14:14:47 EDT 2007 x86_64 x86_64 x86_64 GNU/Linux
I have a website and all works fine, but an user said me that uses kaspersky said me my website has an trojan i don't understand how this is possible, and i'l really worried.
the trojan that appears to my user is:
Trojan-Clicker.HTML.Iframe.g
someone know why i have this trojan?
Now the users refuses to open my website!! i'm more than worried
this is an printscreen of the error: ...
tell me about leaseweb for Webhosting Service not Detected servers?
And i want ask if they allowed Warez linking?
I installed 2 SATA raptors drives on my server. I formatted/partitioned one of the drives through WHM. After rebooting both drives disappeared. They are still detected within the BIOS but not in CentOS. It is possible that I installed a wrong driver or made a bad configuration change.
Server Info:
CentOS 4.6 64bit
cPanel/WHM
Motherboard: [url]OS is running on a 250GB IDE drive
2 SATA WD Raptors (That I am trying to get to work)
I always recieve this email: from lfd
Time: Tue Apr 29 03:40:13 2008
Possible detection of "Random JS Toolkit"
Failed to create test directory /etc/csf/1: No space left on device:
See [url] for more information
I do this to test if my server is infected:
mkdir /home/1
it created without any problems
and I used tcpdump and I got this:
<script type="text/javascript" src='jscripts/ips_ipsclass.js'></script>
<script type="text/javascript" src='jscripts/ipb_global.js'></script>
<script type="text/javascript" src='cache/lang_cache/en/lang_javascript.js'></script>
<script type="text/javascript" src='jscripts/ips_xmlhttprequest.js'></script>
<script type="text/javascript" src='jscripts/ipb_global_xmlenhanced.js'></script>
is that mean the server is infected? but these scripts are for the IPB forum board so why I still recieve this email?
Behind a pfsense box we have a computer who act as a forward proxy with apache. At the end we have the family computer.This is the problem: i can't hide the forward proxy on internet, the forward proxy is reported "detected".
View 2 Replies View RelatedWhich configuration for php and server that prevent execute shell scripts?
Which funstions you recommend to disable?
Like shell_exec, passthru, proc_open, proc_close, proc_get-status, proc_nice, proc_terminate, exec, system, suexec, popen, pclose, dl, ini_set, virtual, set_time_limit
What is the mining of following lines in temp folder. If i have been check daily /tmp folder
many /tmp/clamav are presented in mail server, and occupied the large amount of space in temp folder
/tmp/clamav-77e7bfdbb2d3872b/test1.exe: Worm.Mydoom.U FOUND
/tmp/clamav-77e7bfdbb2d3872b/test2.exe: Trojan.Taskkill.A FOUND
/tmp/clamav-77e7bfdbb2d3872b/test3.exe: Worm.Nyxem.D FOUND
/tmp/malware.zip: Infected.Archive FOUND