  1. #1
    Member | Join Date: Sep 2006 | Posts: 212 | cPanel/Enkompass Access Level: Root Administrator

    Potential Virus

    A few days ago, the IT manager from a local bank emailed me and said that one of their employees had gotten a virus from my site (the only site on the server), so they were blocking the site from their system until the virus is corrected.

    I've also noticed the site running slow, in spite of a recent RAM upgrade (from 2G to 4G). I had assumed this problem was just on my end, but then someone emailed me and complained recently.

    The server is semi-managed, so I asked the managing company for help. They ran chkrootkit and found no problems, and didn't see anything unusual running in the background.

    A scan for trojans in WHM resulted in this:

    Appears Clean
    /dev/core
    /dev/stderr

    Scanning for Trojan Horses....
    Possible Trojan - /usr/bin/cpan
    Possible Trojan - /usr/bin/instmodsh
    Possible Trojan - /usr/bin/prove
    Possible Trojan - /usr/bin/psed
    Possible Trojan - /usr/bin/pstruct
    Possible Trojan - /usr/bin/s2p
    Possible Trojan - /usr/bin/splain
    Possible Trojan - /usr/bin/xsubpp
    Possible Trojan - /etc/cron.daily/logrotate
    Possible Trojan - /usr/bin/dbiprof
    Possible Trojan - /usr/bin/sa-compile
    Possible Trojan - /usr/bin/sa-learn
    Possible Trojan - /usr/bin/sa-update
    Possible Trojan - /usr/bin/spamassassin
    Possible Trojan - /usr/bin/spamc
    Possible Trojan - /usr/bin/spamd
    Possible Trojan - /usr/sbin/antirelayd
    Possible Trojan - /usr/sbin/pureauth
    Possible Trojan - /usr/bin/ptar
    19 POSSIBLE Trojans Detected

    I know that most of these are OK, but I can't find information on others. Do you guys see anything here that doesn't look right?

    If not, then what's the next step in tracking down the speed issue and virus reported from the local bank? FWIW, I've already gone through the Beginner's Guide on here.

    TIA,

    Jason

  2. #2
    Infopro (cPanel Product Evangelist) | Join Date: May 2003 | Location: Pennsylvania | Posts: 7,891 | cPanel/Enkompass Access Level: Root Administrator

    Quote: "local bank emailed me and said that one of their employees had gotten a virus from my site"

    Have you looked at the actual web page they claim gave them the virus? Certainly it would be reproducible on the next person's visit, I would think.

    Personally I'd start there.

  3. #3
    Member | Join Date: May 2010 | Posts: 321

    It could not be your server that's infected. The website you have may have some malicious HTML code which on view would download or attempt to install things with various pops and such...

    Install ClamAV and give it a good old scan. Check through the index pages, view them via Notepad, and look at what has links or page redirects in there.

  4. #4
    brianoz (Member) | Join Date: Mar 2004 | Location: Melbourne, Australia | Posts: 1,117 | cPanel/Enkompass Access Level: Root Administrator

    I'd check the pages on your site for an invisible iframe down the bottom, that's the usual culprit.

    Quote, originally posted by Infopro: "Have you looked at the actual web page they claim gave them the virus? Certainly it would be reproducible on the next person's visit, I would think."

    One would hope that, but not always. Some rootkits load an Apache module which randomly inserts viruses, so sometimes they're there and sometimes not.

  5. #5
    Member | Join Date: Nov 2003 | Posts: 119

    Quote, originally posted by brianoz: "I'd check the pages on your site for an invisible iframe down the bottom, that's the usual culprit. One would hope that, but not always. Some rootkits load an Apache module which randomly inserts viruses, so sometimes they're there and sometimes not."

    Some of them even remember who they've already served the virus/exploit code and don't try again on repeat visits.
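
The hidden-iframe check suggested in posts #3 and #4 can be run over the files on disk instead of opening pages one at a time. The following is an added example, not code from any poster in this thread; the file extensions, the style heuristics and the sample page are assumptions constructed for illustration. It only finds markup stored in the site's files, so a clean result does not rule out the server-side Apache module injection described above.

```python
import re
from html.parser import HTMLParser
from pathlib import Path

# Inline-style values that keep an element out of the visitor's sight (assumed heuristics).
HIDDEN_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden"
    r"|(?<![-\w])(?:width|height)\s*:\s*[01](?:px)?\s*(?:;|$)"
    r"|(?:left|top)\s*:\s*-\d{3,}", re.I)

class IframeFinder(HTMLParser):
    """Collects (line, src, reasons) for each iframe that looks hidden."""
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = {k: (v or "").strip() for k, v in attrs}
        # Zero or one pixel width/height attributes are the classic giveaway.
        reasons = [f"{d}={a[d]}" for d in ("width", "height")
                   if re.fullmatch(r"[01](px)?", a.get(d, ""), re.I)]
        if m := HIDDEN_STYLE.search(a.get("style", "")):
            reasons.append("style " + m.group(0).strip(" ;"))
        if reasons:
            self.findings.append((self.getpos()[0], a.get("src", ""), reasons))

def scan_html(text):
    """Return the hidden-iframe findings for one page's markup."""
    finder = IframeFinder()
    finder.feed(text)
    finder.close()
    return finder.findings

def scan_tree(root, exts=(".html", ".htm", ".php", ".tpl")):
    """Scan page-like files under root; returns {path: findings} for hits only."""
    pages = (p for p in Path(root).rglob("*")
             if p.is_file() and p.suffix.lower() in exts)
    hits = {str(p): scan_html(p.read_text(errors="replace")) for p in pages}
    return {p: found for p, found in hits.items() if found}

# Constructed sample page: one ordinary embed, one hidden frame at the bottom.
SAMPLE = """<html><body>
<iframe src="https://video.example/embed/1" width="560" height="315"></iframe>
<p>Footer</p>
<iframe src="http://placeholder.invalid/x" width="0" height="0" style="visibility:hidden"></iframe></body></html>"""

if __name__ == "__main__":
    for line, src, why in scan_html(SAMPLE):
        print(f"line {line}: {src} ({', '.join(why)})")
```

Point `scan_tree` at the document root (on cPanel typically the account's `public_html` directory) and review every reported `src` that you did not put there yourself.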
