Potential Virus

Discussion in 'Security' started by GoWilkes, Oct 15, 2010.

  1. GoWilkes

    GoWilkes Well-Known Member

    A few days ago, the IT manager from a local bank emailed me and said that one of their employees had gotten a virus from my site (the only site on the server), so they were blocking the site from their system until the virus is corrected.

    I've also noticed the site running slow, in spite of a recent RAM upgrade (from 2G to 4G). I had assumed this problem was just on my end, but then someone emailed me and complained recently.

    The server is semi-managed, so I asked the managing company for help. They ran chkrootkit and found no problems, and didn't see anything unusual running in the background.

    A scan for trojans in WHM resulted in this:

    Appears Clean
    /dev/core
    /dev/stderr

    Scanning for Trojan Horses....
    Possible Trojan - /usr/bin/cpan
    Possible Trojan - /usr/bin/instmodsh
    Possible Trojan - /usr/bin/prove
    Possible Trojan - /usr/bin/psed
    Possible Trojan - /usr/bin/pstruct
    Possible Trojan - /usr/bin/s2p
    Possible Trojan - /usr/bin/splain
    Possible Trojan - /usr/bin/xsubpp
    Possible Trojan - /etc/cron.daily/logrotate
    Possible Trojan - /usr/bin/dbiprof
    Possible Trojan - /usr/bin/sa-compile
    Possible Trojan - /usr/bin/sa-learn
    Possible Trojan - /usr/bin/sa-update
    Possible Trojan - /usr/bin/spamassassin
    Possible Trojan - /usr/bin/spamc
    Possible Trojan - /usr/bin/spamd
    Possible Trojan - /usr/sbin/antirelayd
    Possible Trojan - /usr/sbin/pureauth
    Possible Trojan - /usr/bin/ptar
    19 POSSIBLE Trojans Detected

    I know that most of these are OK, but I can't find information on others. Do you guys see anything here that doesn't look right?

    If not, then what's the next step in tracking down the speed issue and virus reported from the local bank? FWIW, I've already gone through the Beginner's Guide on here.

    TIA,

    Jason
     
  2. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    Have you looked at the actual web page they claim gave them the virus? Certainly it would be reproducible on the next person's visit, I would think.

    Personally I'd start there.
     
  3. GaryT

    GaryT Well-Known Member

    It could not be your server that's infected. The website you have may have some malicious HTML code which on view would download or attempt to install things with various pops and such...

    Install ClamAV and give it a good old scan. Check through the index pages, view them via Notepad, and look at what has links or page redirects in there.
     
  4. brianoz

    brianoz Well-Known Member

    I'd check the pages on your site for an invisible iframe down the bottom, that's the usual culprit.

    One would hope that, but not always. Some rootkits load an Apache module which randomly inserts viruses, so sometimes they're there and sometimes not.
     
  5. dragon2611

    dragon2611 Well-Known Member

    Some of them even remember who they've already served the virus/exploit code and don't try again on repeat visits.
     