How To Remove Virus/Trojan
How can I remove a virus/trojan from my website?
Related Forum Messages:
Remove Empty Folders And Remove From A Db
I've got a site which auto-creates subdomains, installs a script automatically and inserts details into a MySQL db. I have had some issues recently, so I have loads (talking 100s) of folders that are empty which I need to remove, and I need to remove the details of said folders from the db also. Any ideas how I can do this? I'm using the Plesk control panel, so removing the subdomain via the Plesk CLI may be the best way in that respect, but the db is external to Plesk so that would not be edited.
Trojan C99Shell
I just installed Zen Cart on my web hosting, and a few days later I saw some files with names like core1405.php; when I opened one to view it, it was actually the trojan c99shell. I have deleted all of the core files. Now how can I prevent it from happening again? It is too much work to clean up the hosting server.
LKM Trojan?
I just installed a fresh copy of CentOS 4.5, updated some programs and installed chkrootkit. When I run # ./chkproc, it shows the following output:
# ./chkproc
You have 14 process hidden for readdir command
You have 14 process hidden for ps command
Searching for LKM trojans shows the following output:
# ./chkrootkit -x lkm
EXE 9994: /usr/sbin/named
CWD 9995: /var/named
EXE 9995: /usr/sbin/named
CWD 9996: /var/named
EXE 9996: /usr/sbin/named
CWD 9997: /var/named
EXE 9997: /usr/sbin/named
CWD 9998: /var/named
EXE 9998: /usr/sbin/named
CWD 26293: /var/lib/mysql
EXE 26293: /usr/sbin/mysqld
CWD 26294: /var/lib/mysql
EXE 26294: /usr/sbin/mysqld
CWD 26295: /var/lib/mysql
EXE 26295: /usr/sbin/mysqld
CWD 26296: /var/lib/mysql
EXE 26296: /usr/sbin/mysqld
CWD 26297: /var/lib/mysql
EXE 26297: /usr/sbin/mysqld
CWD 26298: /var/lib/mysql
EXE 26298: /usr/sbin/mysqld
CWD 26299: /var/lib/mysql
EXE 26299: /usr/sbin/mysqld
CWD 26300: /var/lib/mysql
EXE 26300: /usr/sbin/mysqld
When I stop mysql and named, and run # ./chkrootkit -x lkm again, it doesn't show anything. When I turn mysql and named back on, it starts complaining about compromises again. Can it be a false alarm, or should I really be worried? What do you advise me to do now?
Trojan-Downloader.JS.Psyme.hz
I have a hosting account at OXEO.com and I have trojan problems on all my websites. The index files of all my websites show a trojan program called Trojan-Downloader.JS.Psyme.hz. I checked my websites on Google, and Google is warning users about this kind of problem for one of my websites. Has anybody here experienced the same problem?
How-to - Rootkit Scan (trojan Etc)
What is a rootkit? The following link is a very good read to answer that question: http://linux.oreillynet.com/pub/a/li...4/rootkit.html
In summary, a rootkit is a trojan installed on your Linux server after someone has broken into it. These files are used to cover the hacker's tracks, and to give the hacker tools to do more dirty work from your server.
Usage:
1. su - (change to root user)
2. mkdir /usr/local/chkrootkit
3. wget ftp://ftp.pangeia.com.br/pub/seg/pac/chkrootkit.tar.gz
4. tar -xvzf chkrootkit.tar.gz
5. cd chkrootkit*
6. cp * /usr/local/chkrootkit
7. cd /usr/local/chkrootkit
8. make sense
Now scan your system:
1. cd /usr/local/chkrootkit
2. ./chkrootkit
chkrootkit may from time to time give false positives. If you ever get a positive or "infected hit", scan a second time. If you do get a positive hit, google the hit to research the issue and steps to correct.
Part 2 - automated chkrootkit, and emailed results.
I'm lazy, and like my server to do the work for me, so I have it scan every day and email me the results.
Usage:
1. vi /etc/cron.daily/chkrootkit
2. Add the following code.
Code:
#!/bin/bash
(cd /usr/local/chkrootkit; ./chkrootkit -q 2>&1 | mail -s "Daily chkrootkt scan" you@yourdomain.com)
3. chmod 0755 /etc/cron.daily/chkrootkit
This will email you@yourdomain.com every morning with your chkrootkit results. The -q option will only show you exploits.
Removal:
If you don't like getting the emails or just want to remove this from your server:
1. rm /etc/cron.daily/chkrootkit
2. rm -rf /usr/local/chkrootkit
All files will now be deleted from your server.
15 POSSIBLE Trojan Detected WHM
I have a site on my server; when I open it, Kaspersky anti-virus detects that there is a trojan in this site (see the picture in the attachment). I checked the server from WHM and the result is "15 POSSIBLE Trojans Detected". How can I solve this and remove these trojans?
PHP.Backdoor.Trojan
As usual I do a monthly scan of all files on my site. Today I downloaded all the backup site files to my PC, then scanned them using Norton Antivirus, and in one site's files Norton detected PHP.Backdoor.Trojan. I took a look at the file location and found the file, named xTgsj78Jn.txt. Then I went to my server where the site is hosted, went to the directory and found the file above still there. I tried many times to delete it but always got the error message "Permission denied". I tried to change the permissions but that always returned an error. To delete it I used the command rm -r with root access; then I did ls -l and found the file details below.
-rwxrwxrwx 1 nobody nobody 137787 Mar 19 20:14 xTgsj78Jn.txt*
Please help me to delete this file. FYI this file was uploaded to my hosting file site.
Possible Trojan List By WHM - Do I Need To Worry?
I ran the Trojan scan in WHM and it came up with the list below. I have a strong feeling WHM is mis-reporting these as trojans, but I thought I would ask the experts here:
Scan for Trojan Horses
Appears Clean /dev/stderr
Scanning for Trojan Horses.....
Possible Trojan - /usr/bin/cpan
Possible Trojan - /usr/bin/instmodsh
Possible Trojan - /usr/bin/prove
Possible Trojan - /usr/bin/xmlcatalog
Possible Trojan - /usr/bin/xmllint
Possible Trojan - /usr/bin/xml2-config
Possible Trojan - /usr/lib/libxml2.la
Possible Trojan - /usr/bin/mysqlhotcopy
Possible Trojan - /usr/bin/Wand-config
Possible Trojan - /usr/bin/animate
Possible Trojan - /usr/bin/compare
Possible Trojan - /usr/bin/composite
Possible Trojan - /usr/bin/conjure
Possible Trojan - /usr/bin/convert
Possible Trojan - /usr/bin/display
Possible Trojan - /usr/bin/identify
Possible Trojan - /usr/bin/import
Possible Trojan - /usr/bin/mogrify
Possible Trojan - /usr/bin/montage
Possible Trojan - /usr/bin/curl-config
Possible Trojan - /usr/bin/curl
Possible Trojan - /usr/lib/libcurl.so.3.0.0
Possible Trojan - /usr/lib/python2.3/site-packages/libxml2mod.la
Possible Trojan - /usr/lib/python2.3/site-packages/libxml2mod.so
Possible Trojan - /usr/sbin/pureauth
25 POSSIBLE Trojans Detected
Is there anything that looks fishy here?
Websites Infected With Trojan How To Solve?
I see my websites are infected with some trojan. There are some iframe tags similar to this in all index files:
<iframe src="http://traff<<removed>>.cn/in.cgi?27" width=100 height=80></iframe>
Any idea how this iframe might have been inserted in my code? I have tried to format my systems and remove all saved FTP passwords, but still this virus is coming back, and the strange thing is I have websites on different servers infected with the same virus. Any idea how this happened and how to avoid this?
Linux Virus
I'd like to know whether a Linux server is virus free or not. Is there any possibility of running a virus on a Linux server while uploading (virus-affected) files from a local system to the server by FTP client?
Trojan-Clicker.HTML.Iframe.g In My Website? What Is This??
I have a website and all works fine, but a user who uses Kaspersky told me my website has a trojan. I don't understand how this is possible, and I'm really worried. The trojan that appears to my user is: Trojan-Clicker.HTML.Iframe.g. Does someone know why I have this trojan? Now the users refuse to open my website!! I'm more than worried. This is a printscreen of the error: ...
Trojan Detected On Initial Load Of Site
I have 2 reseller accounts with one provider, and in the last several days I have noticed that when you visit the site for the first time, my AV software detects a trojan on the site, but the code & html files are 100% clean! I'm suspecting that there is something being injected into the scripts from the server daemons that's either running or something else. Anyone have any suggestions?
Trojan-Clicker.HTML.IFrame.amh
I am not that technically proficient so I have to resort to shared hosting solutions...I am currently with Bluehost. Problem: I have a small site with minimal needs in terms of storage and bandwidth, but the site is controversial and gets hacked and attacked a lot. I need a shared hosting provider which ranks higher than most in terms of security. Recently the site was attacked such that any user going to the site was infected with Trojan horse viruses. Donno if it's useful or not but here are the files from my PC antivirus which was infected when I went to the site with IE.
Anti-Virus Recommendations
We have 2 servers, one running Windows 2003 Enterprise that hosts a ColdFusion app, and one running Windows 2003 Standard that hosts our SQL database that is used by the CF app. Nothing else runs on them. Does anyone have any suggestions for anti-virus products that we could use on these? I don't want one of those elaborate and expensive "suite" programs. I just need to protect the boxes. I use Kaspersky on our individual machines, and I really don't care much for Norton anymore.
Cpanel And Virus Protection?
Does anyone know of any virus protection software that will work with Cpanel? Actually it probably doesn't have to work with Cpanel, but here is my situation: I have a lot of people uploading PDFs and Word docs to our MySQL database for other people to download. So far I have been downloading the files to my computer first and scanning them, then approving them. It would be nice if I could automate this check somehow. I'm wondering if anyone out there does this sort of thing with the dedicated servers they run. Maybe just putting virus software on the server is good enough.
Prevent Of Execution Trojan Shell Scripts, Like R57shell And Other?
Which configuration for PHP and the server prevents execution of shell scripts? Which functions do you recommend disabling? Like shell_exec, passthru, proc_open, proc_close, proc_get_status, proc_nice, proc_terminate, exec, system, suexec, popen, pclose, dl, ini_set, virtual, set_time_limit
A Virus On A Linux Server :: Cdpuvbhfzz
There's supposed to be a virus on one of my servers (called "cdpuvbhfzz"). Does anyone have any idea how to remove it? What software to install, what to do next? Also, does transferring an infected account to a different machine also transfer the virus? I am on CentOS 5, using cPanel.
Ensuring A Virus Free Website
In the event of hosting a web program, who is responsible for the security, ie against hackers, virus and the like. Is it the hosting company or the program developer or the person running the website? Also, what is the best thing to do, with personal computers there's anti virus software, but what about the case of an entire website, do anti virus software companies have solutions for entire websites?
Virus Scanner For Unix Server?
I wonder which virus scanner software is useful for a Unix server (CentOS 4.5). One of my clients installed an SMF forum, and when visitors access the forum, their virus scanner warns that the site is affected by a trojan. I used ClamAV to scan the entire home directory but it seems nothing was found.
My Limestone Server - Virus Attacked Or What?
Alright guys - my server the past two weeks is just freaking ridiculous. It's a Core2Quad Q9300 2.5ghz server with 8gb of ram. It should be fast as hell. I can't move 20 e-mails in my mail client without the server grinding to a complete halt and httpd and mysql going unresponsive. Right now I'm just trying to copy a damned screen shot of the task manager performance tab and it's taking about 3 minutes to paste it - even though the CPU utilization is averaging only 20% at the moment and memory is only 2.5gb. I restarted WAMP and now it seems to be running smoother. My Outpost firewall, though, didn't show too many connections to the server that it was maxing out. Here's my ping responses just now while I was typing this - I was watching the firewall connections and I was only having like 60 connections to httpd, 20 connections to mysql, 5-10 to my SmarterTools mail server, and then my remote desktop connection. My network utilization got up to a whole 5% - so it's not that I have too many connections or something. Here's the ping responses:
C:\Documents and Settings\Brian>ping mifbody.com -n 99
Pinging mifbody.com [216.245.195.146] with 32 bytes of data:
Reply from 216.245.195.146: bytes=32 time=70ms TTL=115
Reply from 216.245.195.146: bytes=32 time=73ms TTL=115
Reply from 216.245.195.146: bytes=32 time=81ms TTL=115
Reply from 216.245.195.146: bytes=32 time=78ms TTL=115
Reply from 216.245.195.146: bytes=32 time=71ms TTL=115
....
Frequent Virus Attacking In IXWebhosting ?
I have had 2 blogs with ixwebhosting.com for 1 1/2 years. For the last 10 days my blogs have been getting attacked frequently. Every time, I clean them and report it to the host. They also clean it, but it gets attacked again. They said my system has a virus (but I have the latest Bitdefender 2010 Total Security, probably the best antivirus). I also have accounts with 3 more hosts with many sites. Everything works fine. I am asking them why only this account is getting affected if I have a virus in my system. I already moved one site to another host, where it is working fine now. Except for this problem they are very good, so I can't leave them. If anyone has experienced this kind of problem, please suggest what I should do.
Website Hit With Tejary.net Virus
I've been scouring the internet trying to find out more information about this worm, but all I find are millions of sites that are infected with it. If anyone has any information on this virus, h**p://tejary.net/h.js, it looks like it has overwritten everything in the database - ..most of everything - seems like a type of SQL injection script.
Postinfo.html Web Server Virus
I am new here. I have a leased web server and I am getting new pages called "postinfo.html" on every domain along with some javascript code (virus) attached at the end of every webpage on every domain. Does anyone know about this or how to get rid of it and prevent it? I have a sneaky suspicion that it is from a phpbb forum.
HTML Frammer Virus Attack On Website
I'm a web hosting reseller. I'm now running on a server purchased from Hosterio (previously I used WebHostingBuzz). For the last few months I've been facing massive virus attacks on my server. There are 3-4 Joomla based websites hosted on the server. Most of them (including some non-Joomla sites) are getting attacked by HTML frammer and similar viruses. In most of the cases, the symptom is injection of hidden iframes either at the start or at the end of body tags. I kindly request the experts here to suggest the optimum solution. What security measures should I take immediately? What are the recommended file permissions and settings that can be set as a WHM account owner? What should I recommend to my clients? Please suggest. My server specs are: Linux Server, WHM-Reseller Hosting Account, Apache Web Server Running on Dedicated IP. PS: If you can suggest a tool to quickly manage file permissions on my server (because FTP clients are taking a lot of time to modify permissions of a Joomla site, where the number of files is more than 2000-3000), I'll be more grateful.
Windows 2003 Server Virus Worm
I have ClamWin on the server and it says the following after a 7 hour scan. I notice there is an option to remove files but I'm not sure if I should.
C:\WINDOWS\java\classes\javavm.exe: Worm.Mytob.FN FOUND
C:\WINDOWS\system32\TskMan.exe: Trojan.Servu.1 FOUND
C:\WINDOWS\system32\wmc.exe: Trojan.RAdmin-2 FOUND
I have also run the Microsoft Windows Malicious Software tool, which says it has removed them; restart, and they are back.
/tmp/clamav-77e7bfdbb2d3872b/test2.exe: Trojan.Taskkill.A FOUND
What is the meaning of the following lines in the temp folder? When I check the /tmp folder daily, many /tmp/clamav entries are present on the mail server, and they occupy a large amount of space in the temp folder.
/tmp/clamav-77e7bfdbb2d3872b/test1.exe: Worm.Mydoom.U FOUND
/tmp/clamav-77e7bfdbb2d3872b/test2.exe: Trojan.Taskkill.A FOUND
/tmp/clamav-77e7bfdbb2d3872b/test3.exe: Worm.Nyxem.D FOUND
/tmp/malware.zip: Infected.Archive FOUND
Xenvz Stop My 2 VPSs, Because I Spread Conficker Virus?
Last month I ordered 2 Xen VPSs from Xenvz.co.uk and use them for VPN proxy. But a few days ago, xenvz stopped one VPS and stated "This is because it is spreading the Conficker virus.". I'm a little surprised because there are only 10+ users on this VPS. Most of them use the VPN for visiting Youtube, P2P downloading or gaming. And the Conficker virus can only run on Windows, but all my VPSs are running Debian. Maybe someone had downloaded something that contains the Conficker virus? Anyway, I had to move a few users to another VPS yesterday. But xenvz stopped my other VPS today for the same reason! I really do not know whether one of my users is spreading it or there is some other reason, but as far as I know, the Conficker virus has affected thousands of hosts in the past. If someone downloads or is affected by Conficker for any reason and the provider then stops their host, I'm afraid thousands of sites would go down.
Trojan Activity - Running Perl With High CPU Usage, With User Apache
Running programs named Perl with heavy CPU usage, with the ownership of user apache. We found the problem on Fedora 3 and Fedora 6. In our case, it was the result of Trojan activity.
Quick Solution
Check the cron jobs of user apache:
crontab -u apache -e
*/1 * * * * perl /tmp/.tmp/tmpfile
Delete the cronjob entry. Also delete the file /tmp/.tmp/tmpfile. Also added "apache" to the file /etc/cron.deny. That's all.
Problem and solution in detail....
Freebsd + Script Adding Virus To Htm/html Files
my friends server has something running that i couldn't find in cron or through access logs.. it is running comus and arrowtrader.. they're porn trading scripts.. anyway. it's basically executing something at unknown times which i just started logging cause i temporarily moved "find" to /root and made /usr/bin/find echo me the output.. so it's running these:
---
find /etc
find /var
find /usr/local
find
find ./
find ../
find ../../
---
i can't find what is causing this.. i've disabled comus and arrowtrader but they still run, i can't find anything else running in the background that is causing this.. what i'd really like to know is how to make a wrapper for perl to log all commands.. or some kind of exec logging for freebsd, i've looked for a way to also log all commands run by PHP too but i can never find something like that. i've scanned the server, found the r57/rst type backdoors, removed... nothing is listening on a port, i just can't seem to find it, i've enabled accounting and see that find runs, grep runs too.. but can't see what is causing it..