Trojan :: How To Clean Server?
Aug 7, 2007
My WHM Trojan scanner found 23 possible Trojans.
How can I clean my server?
I think it's due time to clean up one of my servers. It's very time consuming to sit and try to go through the daily and weekly backup folders or the reseller center of WHM and compare accounts so that I know which backups stay and which backups go.
What's the best way to clean up all those old backups? Would it be possible to just delete everything in them and then do something like copy the /home/ folder, which has all active accounts, over into the backup? Or just let the daily backup do its thing?
How can I install GCC on a clean Slackware 10.2 server? It doesn't have any C compiler, so I am not able to compile GCC. Are there any binaries of C compilers for Slackware?
We are setting up 5 instances of Windows 2003 Server on all the same server hardware. I want to spend the time setting up 1 instance, so installing Windows updates, drivers, settings, configuration, then have the ability to mirror/image that perfect setup 4 other times.
I just installed a fresh copy of CentOS 4.5, updated some programs and installed chkrootkit. When I run # ./chkproc, it shows the following output:
# ./chkproc
You have 14 process hidden for readdir command
You have 14 process hidden for ps command
Searching for LKM trojans shows the following output:
# ./chkrootkit -x lkm
EXE 9994: /usr/sbin/named
CWD 9995: /var/named
EXE 9995: /usr/sbin/named
CWD 9996: /var/named
EXE 9996: /usr/sbin/named
CWD 9997: /var/named
EXE 9997: /usr/sbin/named
CWD 9998: /var/named
EXE 9998: /usr/sbin/named
CWD 26293: /var/lib/mysql
EXE 26293: /usr/sbin/mysqld
CWD 26294: /var/lib/mysql
EXE 26294: /usr/sbin/mysqld
CWD 26295: /var/lib/mysql
EXE 26295: /usr/sbin/mysqld
CWD 26296: /var/lib/mysql
EXE 26296: /usr/sbin/mysqld
CWD 26297: /var/lib/mysql
EXE 26297: /usr/sbin/mysqld
CWD 26298: /var/lib/mysql
EXE 26298: /usr/sbin/mysqld
CWD 26299: /var/lib/mysql
EXE 26299: /usr/sbin/mysqld
CWD 26300: /var/lib/mysql
EXE 26300: /usr/sbin/mysqld
When I stop mysql and named and run # ./chkrootkit -x lkm again, it doesn't show anything. When I turn mysql and named back on, it starts complaining about compromises again.
Can it be a false alarm, or should I really be worried? What do you advise me to do now?
I just installed Zen Cart on my web hosting, and a few days later I saw some files named like core1405.php; when I opened one to view it, it was actually the c99shell trojan.
I have deleted all of the core files. Now how can I prevent it from happening again? It is too much work to clean up the hosting server.
We have a client claiming that she gets a Trojan warning when she tries to access her website, but using the Trojan scan in cPanel doesn't show anything.
What can we use to scan for Trojans?
I have a site on my server, and when I open it Kaspersky Anti-Virus detects that there is a trojan in this site (see the picture in the attachment).
I checked the server from WHM and the result is 15 POSSIBLE Trojans Detected.
How can I solve this and remove these trojans?
I just ran a scan for trojan horses in WHM and it came up with "687 POSSIBLE Trojans". WTH? Are these real trojan horses? If so, how do I remove them?
As usual I do a monthly scan of all files on my site. Today I downloaded all site backups onto my PC, then scanned them using Norton Antivirus, and in one site's files Norton detected PHP.Backdoor.Trojan.
I took a look at the file location and found the current file with the name xTgsj78Jn.txt.
Then I went to my server where the site is hosted, went to the directory and found the file above there. I tried many times to delete it but always got the error message "Permission denied". I tried to change the permissions but it always returned an error.
When deleting it I used the command rm -r with root access, then I did ls -l and found the file details like below.
-rwxrwxrwx 1 nobody nobody 137787 Mar 19 20:14 xTgsj78Jn.txt*
Please help me to delete this file.
FYI, this file was uploaded to my hosting file site.
How do you go about figuring out what to remove?
Example(groups):
Installed Groups:
Administration Tools
Base
Development Tools
Dial-up Networking Support
Editors
Input Methods
Legacy Fonts
Mail Server
MySQL Database
Network Servers
Printing Support
System Tools
Text-based Internet
Web Server
I'm sure it's safe to remove printing, dial-up, fonts, editors?, and web server (installed nginx).
But when I list individual RPMs I have over a few hundred to go through. Anyone know of a few documents to help my research go faster?
I have some problems with /tmp:
When /tmp is more than 20-50% full, I clean out the /tmp directory:
rm -f /tmp/sess_*
rm -f /tmp/*.wrk
It cleans the tmp folder, but the folder size is still big, at 50%. I fix it by running the following commands:
/bin/umount -l /tmp
/bin/umount -l /var/tmp
/bin/rm -fv /usr/tmpDSK
/scripts/securetmp
and it's OK.
Only remounting the partitions fixes it. Is it a problem with the ext3 file system? Is there a way yet to fix /tmp?
FC6
cPanel
tmpfs ext3=2 Gb.
I have a hosting account at OXEO.com and I have trojan problems on all my websites.
The index files of all my websites show a Trojan program called Trojan-Downloader.JS.Psyme.hz.
I checked my websites on Google, and Google is warning users about this kind of problem for one of my websites.
Has anybody here experienced the same problem?
I ran the Trojan scan in WHM and it came up with the list below. I have a strong feeling WHM is mis-reporting these as trojans, but I thought I would ask the experts here:
Scan for Trojan Horses
Appears Clean
/dev/stderr
Scanning for Trojan Horses.....
Possible Trojan - /usr/bin/cpan
Possible Trojan - /usr/bin/instmodsh
Possible Trojan - /usr/bin/prove
Possible Trojan - /usr/bin/xmlcatalog
Possible Trojan - /usr/bin/xmllint
Possible Trojan - /usr/bin/xml2-config
Possible Trojan - /usr/lib/libxml2.la
Possible Trojan - /usr/bin/mysqlhotcopy
Possible Trojan - /usr/bin/Wand-config
Possible Trojan - /usr/bin/animate
Possible Trojan - /usr/bin/compare
Possible Trojan - /usr/bin/composite
Possible Trojan - /usr/bin/conjure
Possible Trojan - /usr/bin/convert
Possible Trojan - /usr/bin/display
Possible Trojan - /usr/bin/identify
Possible Trojan - /usr/bin/import
Possible Trojan - /usr/bin/mogrify
Possible Trojan - /usr/bin/montage
Possible Trojan - /usr/bin/curl-config
Possible Trojan - /usr/bin/curl
Possible Trojan - /usr/lib/libcurl.so.3.0.0
Possible Trojan - /usr/lib/python2.3/site-packages/libxml2mod.la
Possible Trojan - /usr/lib/python2.3/site-packages/libxml2mod.so
Possible Trojan - /usr/sbin/pureauth
25 POSSIBLE Trojans Detected
Is there anything that looks fishy here?
What is a rootkit? The following link is a very good read to answer that question.
http://linux.oreillynet.com/pub/a/li...4/rootkit.html
In summary, a rootkit is a trojan installed on your Linux server after someone has broken into it. These files are used to cover the hacker's tracks and to give the hacker tools to do more dirty work from your server.
Usage:
1. su - (change to root user)
2. mkdir /usr/local/chkrootkit
3. wget ftp://ftp.pangeia.com.br/pub/seg/pac/chkrootkit.tar.gz
4. tar -xvzf chkrootkit.tar.gz
5. cd chkrootkit*
6. cp * /usr/local/chkrootkit
7. cd /usr/local/chkrootkit
8. make sense
Now scan your system:
1. cd /usr/local/chkrootkit
2. ./chkrootkit
chkrootkit may from time to time give false positives. If you ever get a positive or "infected" hit, scan a second time. If you do get a positive hit, Google the hit to research the issue and the steps to correct it.
Part 2 - automated chkrootkit, and emailed results.
I'm lazy, and like my server to do the work for me so I have it scan every day, and email me the results.
Usage:
1. vi /etc/cron.daily/chkrootkit
2. add the following code.
Code:
#!/bin/bash
(cd /usr/local/chkrootkit; ./chkrootkit -q 2>&1 | mail -s "Daily chkrootkit scan" you@yourdomain.com)
3. chmod 0755 /etc/cron.daily/chkrootkit
This will email you@yourdomain.com every morning with your chkrootkit results. The -q option will only show you exploits.
Removal:
If you don't like getting the emails or just want to remove this from your server:
1. rm /etc/cron.daily/chkrootkit
2. rm -rf /usr/local/chkrootkit
All files will now be deleted from your server.
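A variant of the Part 2 cron script, added here as an example and not taken from the post: it mails only when chkrootkit's quiet-mode report flags something or differs from the previous run, so a daily identical mail does not train you to ignore it. The state directory, recipient and the report text used in the check are assumptions.

```shell
#!/bin/bash
# Added example, not from the original post: daily chkrootkit wrapper that
# mails only when the quiet-mode report is dirty or changed since yesterday.
# Assumptions: chkrootkit lives in /usr/local/chkrootkit as in the post;
# STATE_DIR and RECIPIENT are placeholders to adjust.

CHKROOTKIT_DIR=/usr/local/chkrootkit
STATE_DIR=/var/lib/chkrootkit-daily
RECIPIENT="you@yourdomain.com"

# report_is_clean FILE: succeed (0) when the quiet-mode output contains no
# INFECTED, "process hidden" or Warning lines; fail (1) otherwise.
report_is_clean() {
    ! grep -Eq 'INFECTED|hidden|Warning|Possible' "$1"
}

# report_unchanged NEW OLD: succeed when NEW is byte-identical to the stored
# OLD report. A missing OLD (first run) counts as changed, so the first
# report is always mailed and can be reviewed as the baseline.
report_unchanged() {
    [ -f "$2" ] && cmp -s "$1" "$2"
}

# run_daily_scan: run chkrootkit -q, keep the report, mail it only when it
# is dirty or differs from the last run. Returns 0 when nothing was mailed.
run_daily_scan() {
    mkdir -p "$STATE_DIR"
    new="$STATE_DIR/report.new"
    old="$STATE_DIR/report.last"
    (cd "$CHKROOTKIT_DIR" && ./chkrootkit -q 2>&1) > "$new"
    if report_is_clean "$new" && report_unchanged "$new" "$old"; then
        mv "$new" "$old"
        return 0
    fi
    mail -s "chkrootkit on $(hostname): review needed" "$RECIPIENT" < "$new"
    mv "$new" "$old"
    return 1
}

# Save as /etc/cron.daily/chkrootkit and have cron invoke it with --run.
if [ "${1:-}" = "--run" ]; then
    run_daily_scan
fi
```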
How can I remove a virus/trojan from my website?
In APF I can download deny_hosts.rules and delete all the IPs there, but how about iptables?
I tried to find the file that stores the IPs but I couldn't find it.
I flushed iptables, but when I restart it all the IPs come back.
Code:
iptables --flush
and I also tried
Code:
[url]
Where are the IPs stored in iptables?
I see my websites are infected with some trojan.
There are iframe tags similar to this in all index files:
<iframe src="http://traff<<removed>>.cn/in.cgi?27" width=100 height=80></iframe>
Any idea how this iframe might have been inserted in my code?
I have tried to format my systems and remove all saved FTP passwords, but this virus still keeps coming back, and the strange thing is that I have websites on different servers infected with the same virus.
Any idea how this happened and how to avoid this?
Can anybody help me with the Trojan-Downloader.JS.Psyme.hz remover?
I can't find a remover for a Linux server for this trojan.
I am not that technically proficient so I have to resort to shared hosting solutions...I am currently with Bluehost.
Problem: I have a small site with minimal needs in terms of storage and bandwidth, but the site is controversial and gets hacked and attacked a lot.
I need a shared hosting provider which ranks higher than most in terms of security.
Recently the site was attacked such that any user going to the site was infected with Trojan horse viruses.
Don't know if it's useful or not, but here are the files from my PC antivirus, which was infected when I went to the site with IE:
File generated by Rogers Online Protection Anti-Virus
What is the best way to clean a hacked site?
All of the pages have iframe injection and my only backup was made after the attack.
I have hundreds of pages, do I have to edit them all manually?
I've got CentOS 4 and I'm wondering what's the best way to clean up my /boot partition?
Tried to do a yum update tonight and it included a kernel, amongst other updates that belonged there, so it stopped. I've googled around for commands to run and whatnot, but no go... or I just can't find it. If I had to clean it up I already have an idea about what to do, but I want to ask for advice first to see if there's an easier way.
So, how do people here clean up that partition?
By default, when a domain is created it redirects all unrouted mail to the default mailbox. Since I didn't notice that in time, there are now 100k mails. How do I delete them instantly?
One of my customers gets a lot of spam emails, so I told him to enable SpamAssassin.
He also asked me if I can clean his users' inboxes (20000+ emails). Not delete all of them, as they have emails that they need.
The 20000+ emails are from before he enabled SpamAssassin.
I need something that scans email inboxes and moves the spam to another folder.
Is it possible to scan email folders with SpamAssassin?
Is there a command to clean up my Memory in Linux?
I use Plesk 8, Linux
When I execute the "free -m" command it shows me:
total used free shared buffers cached
Mem: 1006 959 47 0 136 567
-/+ buffers/cache: 254 752
Swap: 4095 0 4095
Version:
Command: free -V
Result: procps version 3.2.3
I have a website and all works fine, but a user who uses Kaspersky told me my website has a trojan. I don't understand how this is possible, and I'm really worried.
The trojan that appears to my user is:
Trojan-Clicker.HTML.Iframe.g
Does someone know why I have this trojan?
Now the user refuses to open my website!! I'm more than worried.
This is a printscreen of the error: ...
I have 2 reseller accounts with one provider, and in the last several days I have noticed that when you visit the site for the first time, my AV software detects a trojan on the site, but the code & html files are 100% clean!
I'm suspecting that there is something being injected into the scripts from the server daemons that's either running or something else.
Anyone have any suggestions?
I'm just curious, when getting IPs with a VPS or dedicated server, are there any steps to take to make sure the IPs were not used by a previous customer to spam or in some other way get them blacklisted by Yahoo, AOL, Gmail, etc.?
We are having trouble with disk space on some of our shared hosting servers, and we are wondering if anyone has a script to clean emails from Exim not checked in the last 60 days?
How do I format a secondary drive in Ubuntu? I want to get the drive ready for RAID so it must be clean.
Which configuration for PHP and the server prevents executing shell scripts?
Which functions do you recommend disabling?
Like shell_exec, passthru, proc_open, proc_close, proc_get_status, proc_nice, proc_terminate, exec, system, suexec, popen, pclose, dl, ini_set, virtual, set_time_limit