Possible Trojan List By WHM - Do I Need To Worry?
Nov 8, 2007
I ran the Trojan scan in WHM and it came up with the list below. I have a strong feeling WHM is mis-reporting these as trojans, but I thought I would ask the experts here:
Scan for Trojan Horses
Appears Clean
/dev/stderr
Scanning for Trojan Horses.....
Possible Trojan - /usr/bin/cpan
Possible Trojan - /usr/bin/instmodsh
Possible Trojan - /usr/bin/prove
Possible Trojan - /usr/bin/xmlcatalog
Possible Trojan - /usr/bin/xmllint
Possible Trojan - /usr/bin/xml2-config
Possible Trojan - /usr/lib/libxml2.la
Possible Trojan - /usr/bin/mysqlhotcopy
Possible Trojan - /usr/bin/Wand-config
Possible Trojan - /usr/bin/animate
Possible Trojan - /usr/bin/compare
Possible Trojan - /usr/bin/composite
Possible Trojan - /usr/bin/conjure
Possible Trojan - /usr/bin/convert
Possible Trojan - /usr/bin/display
Possible Trojan - /usr/bin/identify
Possible Trojan - /usr/bin/import
Possible Trojan - /usr/bin/mogrify
Possible Trojan - /usr/bin/montage
Possible Trojan - /usr/bin/curl-config
Possible Trojan - /usr/bin/curl
Possible Trojan - /usr/lib/libcurl.so.3.0.0
Possible Trojan - /usr/lib/python2.3/site-packages/libxml2mod.la
Possible Trojan - /usr/lib/python2.3/site-packages/libxml2mod.so
Possible Trojan - /usr/sbin/pureauth
25 POSSIBLE Trojans Detected
Is there anything that looks fishy here?
View 3 Replies
ADVERTISEMENT
Apr 19, 2009
when i use Hostname / Reverse IP Lookup and test it with my VPS ip. it show my main server name .
i am so worry about it and want to hide my main server name and other
View 12 Replies
View Related
Feb 19, 2008
We would like to offer root servers to customers, but we worry that they change the IP address to another IP address in our network and make troubles like this. I think, if a customer takes the same IP like our gateway router, our whole network is not reachable anymore. How can I avoid this?
View 10 Replies
View Related
Mar 12, 2008
Got this error on rkhunter 1.3.2
Quote:
[12:16:24] /usr/bin/wget [ Warning ]
[12:16:24] Warning: File '/usr/bin/wget' has the immutable-bit set.
Is that a concern? What does it mean?
View 5 Replies
View Related
Aug 20, 2007
I just installed a fresh copy of centos 4.5, updated some programs and installed chkrootkit. When i run # ./chkproc, it shows the following output:
# ./chkproc
You have 14 process hidden for readdir command
You have 14 process hidden for ps command
Searching for LKM trojans shows the following output:
# ./chkrootkit -x lkm
EXE 9994: /usr/sbin/named
CWD 9995: /var/named
EXE 9995: /usr/sbin/named
CWD 9996: /var/named
EXE 9996: /usr/sbin/named
CWD 9997: /var/named
EXE 9997: /usr/sbin/named
CWD 9998: /var/named
EXE 9998: /usr/sbin/named
CWD 26293: /var/lib/mysql
EXE 26293: /usr/sbin/mysqld
CWD 26294: /var/lib/mysql
EXE 26294: /usr/sbin/mysqld
CWD 26295: /var/lib/mysql
EXE 26295: /usr/sbin/mysqld
CWD 26296: /var/lib/mysql
EXE 26296: /usr/sbin/mysqld
CWD 26297: /var/lib/mysql
EXE 26297: /usr/sbin/mysqld
CWD 26298: /var/lib/mysql
EXE 26298: /usr/sbin/mysqld
CWD 26299: /var/lib/mysql
EXE 26299: /usr/sbin/mysqld
CWD 26300: /var/lib/mysql
EXE 26300: /usr/sbin/mysqld
When i stop mysql and named, and run # ./chkrootkit -x lkm again, it doesn't show anything. When i turn mysql and named back on, it starts complaining about compromises again.
Can it be a false alarm, or should i really be worried? What do you advise me to do now?
View 9 Replies
View Related
Jul 1, 2009
I just installed zen cart on my webhosting and after few days later i saw some file written like core1405.php and when i open to view the file it is actually trojan c99shell.
I have deleted all of the core file. Now how can i prevent it from happen again? Cause it is too much work to clean up the hosting server.
View 14 Replies
View Related
Jun 2, 2009
We have a client claming that she gets a Trojan warming when she trys to access her website but using the Trojan scan in cpanel doesn't show anything.
What can we use to scan for Trojan?
View 5 Replies
View Related
Aug 3, 2007
i have an site on my server when i open it the kaspersky anti viruss detect there is an trojan in this site .. ( see the picture in the attachment )
and i checked the server from the whm and there is result 15 POSSIBLE Trojans Detected
How i can solve this ?? and remove this trojans .
View 14 Replies
View Related
Mar 21, 2008
I just ran a scan for trojan horses in WHM and it came up with "687 POSSIBLE Trojans". WTH? Are these real trojan horses? If so, how do I remove them?
View 2 Replies
View Related
Apr 29, 2008
As usually I do monthly scan to all files on my site,today I download all backup site into my PC,then scanning them using Norton Antivirus and on one site files Norton detected PHP.Backdoor.Trojan.
I take a look file location and found current file with name xTgsj78Jn.txt
Then I go to my server where site hosted,and i go to the directory and found file above stay on there,I try many time to delete it but always get an error message "Permission denied",I try to change permission but always returned an error.
When deleted it i use command rm -r with root access,then I do ls -l and found details file like below.
-rwxrwxrwx 1 nobody nobody 137787 Mar 19 20:14 xTgsj78Jn.txt*
Please help me to delete this file.
FYI this file uploaded to my hosting file site.
View 14 Replies
View Related
Aug 7, 2007
my whm Trojan scanner found 23 possible Trojans.
how can i clean my server?
View 9 Replies
View Related
Aug 12, 2007
I have an hosting account at OXEO.com and I have trojan problems on all my websites
The index files of all my websites show a Trojan program called Trojan-Downloader.JS.Psyme.hz
I checked my websites on Google and Google is warning users for this kind of problems for one of my websites
Does anybody here has experienced the same problem?
View 1 Replies
View Related
Jan 21, 2004
What is a rootkit? The following link is a very good read to answer that question.
http://linux.oreillynet.com/pub/a/li...4/rootkit.html
In Summary, a rootkit is a trojan installed on your Linux server after someone has broken into it. These files are used to cover the hackers tracks, and to give the hacker tools to do more dirty work from your server.
Usage:
1. su - (change to root user)
2. mkdir /usr/local/chkrootkit
3. wget ftp://ftp.pangeia.com.br/pub/seg/pac/chkrootkit.tar.gz
4. tar -xvzf chkrootkit.tar.gz
5. cd chkrootkit*
6. cp * /usr/local/chkrootkit
7. cd /usr/local/chkrootkit
8. make sense
Now scan your system:
1. cd /usr/local/chkrootkit
2. ./chkrootkit
chkrootkit may from time to time give false positives. If you ever get a positive or "infected hit" scan a second time. If you do get a positive hit, google the hit to research the issue and steps to correct.
Part 2 - automated chkrootkit, and emailed results.
I'm lazy, and like my server to do the work for me so I have it scan every day, and email me the results.
Usage:
1. vi /etc/cron.daily/chkrootkit
2. add the following code.
Code:
#!/bin/bash
(cd /usr/local/chkrootkit; ./chkrootkit -q 2>&1 | mail -s "Daily chkrootkt scan" you@yourdomain.com)
3. chmod 0755 /etc/cron.daily/chkrootkit
This will email you@yourdomain.com every morning with your chkrootkit results. the -q option will only show you exploits.
Removal:
If you don't like getting the emails or just want to remove this from your server:
1. rm /etc/cron.daily/chkrootkit
2. rm -rf /usr/local/chkrootkit
All files will now be deleted from your server.
View 14 Replies
View Related
Dec 7, 2008
how can I remove a Virus/Trojan from my website?
View 6 Replies
View Related
Nov 16, 2008
i see my websites are infected with some trojan.
there are some iframe tag simlilar to this in all index files
<iframe src="http://traff<<removed>>.cn/in.cgi?27" width=100 height=80></iframe>
any idea how might this iframe inserted in my codes.
i have tried to format my systems and remove all saved ftp passwords , but still this virus is comming back and the strange thing is i have website on different servers infected with same virus
any idea how this is happened and how to avoide this?
View 9 Replies
View Related
Aug 3, 2007
can any body help me with the Trojan-Downloader.JS.Psyme.hz remover?
i can't find an remover for linux server for this trojan.
View 4 Replies
View Related
Nov 6, 2009
I am not that technically proficient so I have to resort to shared hosting solutions...I am currently with Bluehost.
Problem: I have a small site with minimal needs in terms of storage and bandwidth, but the site is controversial and gets hacked and attacked a lot.
I need a shared hosting provider which ranks higher than most in terms of security.
Recently the site was attacked such that any user going to the site was infected with Trojan horse viruses.
Donno if it's useful or not but here are the files from my PC antivirus which was infected when I went to the site with IE:
File generated by Rogers Online Protection Anti-Virus
C:Documents and SettingsuserLocal SettingsTemporary Internet
FilesContent.IE5PG8E0SM0gifimg[1].htm Trojan-Clicker.HTML.IFrame.amh
Deleted 11/5/2009 12:21:25 AM
C:Documents and SettingsuserLocal SettingsTemporary Internet
FilesContent.IE5GC9JZWI3gifimg[2].htm Trojan-Clicker.HTML.IFrame.amh
Deleted 11/5/2009 12:21:27 AM
C:Documents and SettingsuserLocal SettingsTemporary Internet
FilesContent.IE5QBPA1ELgifimg[1].htm Trojan-Clicker.HTML.IFrame.amh
Deleted 11/5/2009 12:21:27 AM
C:Documents and SettingsuserLocal SettingsTemporary Internet
FilesContent.IE56SLECSUQgifimg[5].htm Trojan-Clicker.HTML.IFrame.amh
Deleted 11/5/2009 12:21:28 AM
C:Documents and SettingsuserLocal SettingsTemporary Internet
FilesContent.IE5EKTEAS82gifimg[5].htm Trojan-Clicker.HTML.IFrame.amh
Deleted 11/5/2009 12:21:28 AM
C:Documents and SettingsuserLocal SettingsTemporary Internet
FilesContent.IE5P5098OY4gifimg[4].htm Trojan-Clicker.HTML.IFrame.amh
Deleted 11/5/2009 12:21:29 AM
C:Documents and SettingsuserLocal SettingsTemporary Internet
FilesContent.IE5IPGNWAB0gifimg[1].htm Trojan-Clicker.HTML.IFrame.amh
Deleted 11/5/2009 12:21:30 AM
C:Documents and SettingsuserLocal SettingsTemporary Internet
FilesContent.IE55VT8B104gifimg[1].htm Trojan-Clicker.HTML.IFrame.amh
Deleted 11/5/2009 12:21:30 AM
C:Documents and SettingsuserLocal SettingsTemporary Internet
FilesContent.IE543XUDX83gifimg[2].htm Trojan-Clicker.HTML.IFrame.amh
Quarantined 11/5/2009 12:21:31 AM
C:Documents and SettingsuserLocal SettingsTemporary Internet
FilesContent.IE56SLECSUQgifimg[5].htm Trojan-Clicker.HTML.IFrame.amh
Quarantined 11/5/2009 12:22:18 AM
C:Documents and SettingsuserLocal SettingsTemporary Internet
View 7 Replies
View Related
Sep 4, 2007
I have a website and all works fine, but an user said me that uses kaspersky said me my website has an trojan i don't understand how this is possible, and i'l really worried.
the trojan that appears to my user is:
Trojan-Clicker.HTML.Iframe.g
someone know why i have this trojan?
Now the users refuses to open my website!! i'm more than worried
this is an printscreen of the error: ...
View 14 Replies
View Related
Jan 8, 2008
I have 2 reseller accounts with one provider, and in the last several days I have noticed that when you visit the site for the first time, my AV software detects a trojan on the site, but the code & html files are 100% clean!
I'm suspecting that there is something being injected into the scripts from the server daemons that's either running or something else.
Anyone have any suggestions?
View 14 Replies
View Related
Oct 27, 2006
Which configuration for php and server that prevent execute shell scripts?
Which funstions you recommend to disable?
Like shell_exec, passthru, proc_open, proc_close, proc_get-status, proc_nice, proc_terminate, exec, system, suexec, popen, pclose, dl, ini_set, virtual, set_time_limit
View 14 Replies
View Related
Jun 11, 2007
What is the mining of following lines in temp folder. If i have been check daily /tmp folder
many /tmp/clamav are presented in mail server, and occupied the large amount of space in temp folder
/tmp/clamav-77e7bfdbb2d3872b/test1.exe: Worm.Mydoom.U FOUND
/tmp/clamav-77e7bfdbb2d3872b/test2.exe: Trojan.Taskkill.A FOUND
/tmp/clamav-77e7bfdbb2d3872b/test3.exe: Worm.Nyxem.D FOUND
/tmp/malware.zip: Infected.Archive FOUND
View 1 Replies
View Related
Sep 5, 2007
Running programs named Perl with Heavy CPU usage, with the ownership of user apache.
We found the problem on Fedora 3 and Fedora 6.
In our case, it was the result of a Trojan activity.
Quick Solution
Check the cron jobs of user apache
crontab -u apache -e
*/1 * * * * perl /tmp/.tmp/tmpfile
delete the cronjob entry.
Also delete the file /tmp/.tmp/tmpfile
also added "apache" to the file /etc/cron.deny
That's all
Problem and solution in detail....
View 1 Replies
View Related
Jun 6, 2009
You buy an anti virus for your computer , you run it it checks and get rid of Trojans and worms
OK fine
what about a dedicated server or vps?
how do you do that? what product people use to run and anti virus and get rid of all those worms and Trojans?
View 4 Replies
View Related
Sep 25, 2008
one of my client have an in-house subscriber list with 30000 email build with their offline promotional campaign. They need to send 4 to 5 email in a month and the list might expand to 60000 in a year.
they are using a mailing program to schedule the mailing at 250 email per hour as according to the limit of their ISP and they are looking for a better solution.
i want to suggest them taking a VPS but i'm new to VPS so i'm here to looking for suggestion that i can recommend to my client.
View 6 Replies
View Related
May 18, 2009
Does anyone know why companies like Level3/Yipes/Abovenet/Global Crossing don't make their on-net building list available readily? Cogent/Zayo/etc have it listed right on their website....Zayo even gives you this downloadable KMZ file for Google Earth.
I'm working with a few clients who run their own data center/web hosting facilities and are looking at new spaces in various Class A office buildings. Obviously, I can go around and call all the providers, but it becomes a voicemail game.
View 14 Replies
View Related
Jul 8, 2008
Anyone got a list of available VPS platforms, perhaps with feedback? I run Plesk so I was going to run with Virtuozzo but I see Parallels don't want to give us pricing and I don't have time for that kind of rubbish. What alternatives are there?
View 2 Replies
View Related
May 28, 2008
Just got a new WiredTree VPS up and running. Service has been great so far. Make that super!
VPS newbie question: I would like to set a limit on emails for all domains but mine to some number per hour, but I would like mine to be unlimited. I'm not going to be sending a lot, but, when necessary, they will need to go fast. So far, the only way I have figured out how to keep unlimited for me is to not set a throttle at all and allow Mailman only on admin domains. If any user has to have lists, then I can authorize it then and maybe keep tabs on it.(There's probably a lot better way to say that, but I'm tired :-)
View 0 Replies
View Related
Apr 19, 2008
Can anyone give me a list of some of the top VPS providers?
View 13 Replies
View Related
Apr 28, 2008
I'm currently trying to gather a list of Xen VPS Prviders, maybe you can help me out making it a little bit longer?
Listed here in no particular order:
provps
gate2vn
xeneurope
gplhost
serveraxis
myvpshost
crucial paradgim
clustered
I know there are a lot more to it. But could you help me out making it longer?
View 14 Replies
View Related
Jul 17, 2007
root@server [~]# replace ns3.host.com ns1.host.com -- /var/named/*
-bash: /usr/bin/replace: Argument list too long
How can I work past this?
Using Centos 4.5 / cpanel
View 4 Replies
View Related
Aug 23, 2007
I have a client who is interested in settin up a paying mailing list for a website I built for him.
I figured since he doesn't want to spend $3000 for a full CMS, I would just do things manually.
A customer would pay through Paypal. He would then check PayPal for any new subscribers dailys, add them if new, and then send out his newsletter daily to the people who have paid.
In the mailing list software, there would be a box for how many days this person would be allowed to be sent an e-mail and then once his subscription was up, an e-mail would be sent out (the last part is optional).
Does anyone have any insight of a program/script that would work in this manner? Or maybe a decently cheap script that they know of? This site is a non-profit, donation site.
View 4 Replies
View Related
