  1. #1
    Member
    Join Date
    Apr 2007
    Posts
    13

    Hi Guys,

    I'm running the latest cPanel release on a CentOS 5 box and I figured out a few days ago that some of my sites do dodgy things.

    When you point a browser (IE7) at the site, the site shows a box which redirects to another server and tries to download some exe file.

    It's not happening all the time and not for all sites.

    I've checked the code of the sites and there is nothing wrong with it.

    How should I find the problem?

    Any Ideas?
    Last edited by cPanelMattCurry; 09-28-2009 at 07:48 AM.

  2. #2
    Member
    Join Date
    Aug 2009
    Location
    Houston, Tx
    Posts
    275

    Virus on Server

    Hello,

    I am sorry to hear that you are having this issue. This does sound odd, and if you know for sure that it is not supposed to be doing that I would recommend speaking with your Data Center to see if they can help with securing the server. Please let me know if you have any other questions.

    Thank you,
    Matthew Curry

  3. #3
    Member
    Join Date
    Apr 2007
    Posts
    13

    I think there is nothing wrong with the datacenter. I've seen something similar happen previously to others.

    Already spoke with the datacenter.

    Basically my cPanel server got hacked and it is doing those IE exploits.

    Has anyone had that thing?

    What am I supposed to do now?

  4. #4
    BANNED
    Join Date
    Jun 2005
    Location
    Wild Wild West
    Posts
    2,025

    First thing you need to determine is the source of the redirects ....

    If you are seeing nothing in the site files, it is highly likely that your own computer at home is infected with a trojan or virus causing your internet connection to be hijacked erratically. This is actually fairly common and is also in use by a lot of advertisers as well who use spyware to force redirects of your internet connection.

    I would get very good virus, spyware, trojan scanners with the latest updates and do full complete scans of your computer.

    Moving on from that ....

    It is possible that your server may have also been compromised. That is a little bit more difficult to deal with and there is no magic solution I can just tell you since there are so many areas you need to check, so many things you need to review to be sure about your server. If you like though, I can give you a hand with that.

  5. #5
    Member
    Join Date
    Apr 2007
    Posts
    13

    Hi Spiral,

    I'm 100% sure that it is not a problem with my local machine. This has been tested in a few places and it seems to be a server thing.

    I've been running cPanel servers for a few years and never had that thing.

    Can you tell me how to check it?

    It is quite important for me.

  6. #6
    Member
    Join Date
    Apr 2007
    Posts
    13

    Just ran the WHM trojan horse scan:

    -Possible Trojan - /usr/bin/aspell
    -Possible Trojan - /usr/bin/prezip-bin
    -Possible Trojan - /usr/bin/word-list-compress
    -Possible Trojan - /usr/bin/cpan
    -Possible Trojan - /usr/bin/instmodsh
    -Possible Trojan - /usr/bin/prove
    -Possible Trojan - /etc/cron.daily/logrotate
    -Possible Trojan - /usr/sbin/pureauth
    -Possible Trojan - /usr/sbin/antirelayd


    Any ideas/references to those files?

  7. #7
    Member
    Join Date
    Jul 2002
    Location
    Canada
    Posts
    675

    Check your page source code on different browsers.

    - IE and Firefox

    There are a few different hacks that are common; the most common lately is hidden iframes in websites. They usually are easy to find and sometimes harder to detect. They can be inserted by JavaScript or raw HTML. The purpose of them is usually to secretly direct the user to a site which tries to exploit the user's local system and turn it into a bot or mine the user's system for credit card information, etc.

    How they modify the source of your page can be in a few different ways:
    - they have root access to your server from outdated software like a kernel
    - they have a local account exploit or another user account exploit like a vulnerable PHP script to upload and execute scripts
    - they have gained access to a user's FTP account through stealing the password by infecting the user's PC with malware

    The scanning tools provided in WHM are basically completely useless, so don't rely on them.

    I suggest you hire someone to investigate your system and get this resolved. Keeping your site online will result in infecting more users and can get your site blocked from Google completely.
    Upload Guardian 2.0 - Sign up for our early beta
    ServerProgress - Server security, consulting and assistance
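
One way to hunt for the hidden iframes described in the post above across site files, as an added example that is not part of the thread: a Python scanner that flags zero-size or invisible `<iframe>` tags and iframe markup written out by inline scripts. The size thresholds, the function names and the `.example` hosts in the constructed sample are assumptions of this example.

```python
import re
from html.parser import HTMLParser
from pathlib import Path

# Inline styles that make a frame invisible (heuristics chosen for this example).
HIDDEN_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden|"
                          r"(?<![\w-])(?:width|height)\s*:\s*[01](?:px)?\s*(?:;|$)", re.I)
# iframe markup assembled inside <script> text, e.g. document.write('<iframe ...').
SCRIPTED_IFRAME = re.compile(r"<\s*iframe|%3Ciframe|createElement\(\s*['\"]iframe", re.I)

class FrameFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []          # (line, reason, detail)
        self.in_script = False

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "script":
            self.in_script = True
        elif tag == "iframe":
            tiny = any(a.get(k, "").strip() in ("0", "1") for k in ("width", "height"))
            if tiny or HIDDEN_STYLE.search(a.get("style", "")):
                self.findings.append((self.getpos()[0], "hidden iframe", a.get("src", "")))

    def handle_endtag(self, tag):
        self.in_script = self.in_script and tag != "script"

    def handle_data(self, data):
        if self.in_script and SCRIPTED_IFRAME.search(data):
            self.findings.append((self.getpos()[0], "iframe built by script", data.strip()[:60]))

def scan_text(text):
    finder = FrameFinder()
    finder.feed(text)
    finder.close()
    return finder.findings

def scan_tree(root, exts=(".html", ".htm", ".php")):
    files = (p for p in Path(root).rglob("*") if p.is_file() and p.suffix.lower() in exts)
    hits = {str(p): scan_text(p.read_text(errors="replace")) for p in files}
    return {name: found for name, found in hits.items() if found}

# Constructed sample page: line 2 is a normal embed, lines 3 and 4 are injected.
SAMPLE = """<html><body><h1>Shop</h1>
<iframe src="http://video.example/embed/1" width="560" height="315"></iframe>
<iframe src="http://bad.example/in.php" width="1" height="1"></iframe>
<script>document.write('<iframe src="http://bad.example/x" style="display:none">');</script>
</body></html>"""
```

Call `scan_tree()` on an account's document root and review each reported line by hand; obfuscated script that only assembles the tag at run time will not match these patterns, so a clean result is not proof of a clean site.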

  8. #8
    BANNED
    Join Date
    Jun 2005
    Location
    Wild Wild West
    Posts
    2,025

    Originally posted by scooby_london:
    Just ran the WHM trojan horse scan:

    -Possible Trojan - /usr/bin/aspell
    -Possible Trojan - /usr/bin/prezip-bin
    -Possible Trojan - /usr/bin/word-list-compress
    -Possible Trojan - /usr/bin/cpan
    -Possible Trojan - /usr/bin/instmodsh
    -Possible Trojan - /usr/bin/prove
    -Possible Trojan - /etc/cron.daily/logrotate
    -Possible Trojan - /usr/sbin/pureauth
    -Possible Trojan - /usr/sbin/antirelayd


    Any ideas/references to those files?

    That's not really a "Trojan" detector per se ....

    All that script really does is detect recent file changes, which may in fact be perfectly normal if you received any system updates, etc.

    I wouldn't worry about any of those above.

    I received your other message and whenever I can catch up to you,
    we'll get to the bottom of things fairly quickly.
