
Scan for Trojan Horse - Which is abnormal?

Discussion in 'Security' started by SuperBaby, Apr 18, 2010.

  1. SuperBaby

    SuperBaby Well-Known Member

    Joined:
    Nov 27, 2003
    Messages:
    331
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Thailand
    cPanel Access Level:
    Website Owner
    My server was recently hacked. All index files were replaced.

    I scanned for trojan horses under WHM and I got these. Which one is abnormal, please?

    Appears Clean

    /dev/core
    /dev/stderr

    Scanning for Trojan Horses.....
    Possible Trojan - /usr/bin/dbiprof
    Possible Trojan - /etc/cron.daily/logrotate
    Possible Trojan - /usr/bin/sa-learn
    Possible Trojan - /usr/bin/sa-update
    Possible Trojan - /usr/bin/spamassassin
    Possible Trojan - /usr/bin/spamc
    Possible Trojan - /usr/bin/spamd
    Possible Trojan - /usr/bin/ptar
    Possible Trojan - /usr/bin/mysqlhotcopy
    Possible Trojan - /usr/sbin/pureauth
    Possible Trojan - /usr/bin/cpan
    Possible Trojan - /usr/bin/instmodsh
    Possible Trojan - /usr/bin/prove
    Possible Trojan - /usr/bin/pstruct
    Possible Trojan - /usr/sbin/antirelayd
    15 POSSIBLE Trojans Detected
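As an added example (not part of the original post and not cPanel's own tooling): the WHM scanner only reports that a file did not match what it expected, so the next check a practitioner wants is to ask the host's package database about each flagged path. `rpm -Vf` / `dpkg -V` compare the file on disk against the digest, size and mode recorded at install time, which separates "no package ships this" from "a package ships this and it has been altered". The scan text in the script is a constructed three-entry excerpt of the list above, and the verdict names are this example's own. One caveat: several of the flagged names (sa-learn, cpan, prove, ptar, dbiprof) are Perl scripts that are typically installed from CPAN rather than from distribution packages, so "unpackaged" is expected for them and is not by itself a verdict; an attacker's dropped file would be "unpackaged" too, and those paths need a comparison against a known-good hash list or a clean install.

```shell
#!/bin/sh
# Added example, not from the thread: triage "Scan for Trojan Horses" output
# by checking each flagged path against the package manager (rpm or dpkg).

# Constructed excerpt of the scan output quoted in the post.
SCAN_OUTPUT='Scanning for Trojan Horses.....
Possible Trojan - /usr/bin/dbiprof
Possible Trojan - /etc/cron.daily/logrotate
Possible Trojan - /usr/bin/sa-learn
3 POSSIBLE Trojans Detected'

# Extract the flagged paths from scan text on stdin, one per line.
scan_paths() {
    sed -n 's/^Possible Trojan - //p'
}

# Print one verdict word for a path (names are this example's own):
#   missing            nothing exists at that path
#   no-pkg-tool        neither rpm nor dpkg on this host; fall back to a hash list
#   unpackaged         no package owns it (CPAN scripts, but also anything dropped)
#   packaged-ok        a package owns it and digest/size/mode still match
#   packaged-MODIFIED  a package owns it and verification reports a difference
verdict() {
    p=$1
    [ -e "$p" ] || { echo missing; return 0; }
    if command -v rpm >/dev/null 2>&1; then
        if rpm -qf "$p" >/dev/null 2>&1; then
            # rpm -Vf prints one line per differing attribute ("S.5....T.  /path"),
            # and nothing at all for a file that still matches the package.
            if rpm -Vf "$p" 2>/dev/null | grep -q " $p\$"; then
                echo packaged-MODIFIED
            else
                echo packaged-ok
            fi
        else
            echo unpackaged
        fi
    elif command -v dpkg >/dev/null 2>&1; then
        # dpkg -S prints "pkg: /path" (or "pkgA, pkgB: /path"); skip diversion lines.
        pkg=$(dpkg -S "$p" 2>/dev/null | grep -v '^diversion' | head -n1 | cut -d: -f1 | cut -d, -f1)
        if [ -z "$pkg" ]; then
            echo unpackaged
        elif dpkg -V "$pkg" 2>/dev/null | grep -q " $p\$"; then
            echo packaged-MODIFIED
        else
            echo packaged-ok
        fi
    else
        echo no-pkg-tool
    fi
}

# Run the triage over scan text on stdin; each output line is "<verdict> <path>".
triage() {
    scan_paths | while read -r p; do
        echo "$(verdict "$p") $p"
    done
}

printf '%s\n' "$SCAN_OUTPUT" | triage
```

Paste the full 15-line list into SCAN_OUTPUT (or feed the saved scanner output on stdin) to run it on the real result; "packaged-MODIFIED" entries are the ones to compare against the package's pristine contents first.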
     
  2. Spiral

    Spiral BANNED

    Joined:
    Jun 24, 2005
    Messages:
    2,023
    Likes Received:
    7
    Trophy Points:
    0
    You are scanning the wrong computer! :rolleyes:

    What you just described is a new method of hacking where hackers set up a virus / keylogger on your own home computer to obtain your passwords and then simply log in to your hosting accounts.

    Most of these have also been programmed to directly log in and replace index files with links to distribute the virus to others, iframe insertions, etc.

    The hacking isn't coming from your server but rather your home computer, and that is the first place you need to start with this.
     
  3. SuperBaby

    First of all, thanks for the advice.

    I really doubt that the attack was from my computer. I have more than 20 web accounts under this server and every single file that was named index.* was replaced. I doubt that the hacker would log in one by one. I have the latest Kaspersky and scanning found nothing.

    I also found a file left by the hacker under /tmp. I suspect that the hacker has uploaded a malicious file from an unsecured Perl or PHP script through one of the users' websites.
     
  4. SuperBaby

    Having second thoughts, I suddenly recalled that I was using my friend's computer to access WHM just before the website was hacked. Her computer must have been infected by a trojan horse. Thanks for the advice. I now know which direction I should go.

    P.S.: Is there any log I can check to see which files have been uploaded?
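As an added example (not from the thread): the file system itself gives a partial answer to the question about uploads, independent of any log. The file the attacker left in /tmp is a natural time anchor; every index.* page whose timestamps post-date it is a candidate. Two clocks are checked because they fail differently: mtime can be reset from userland (touch -r original), while ctime is updated by the kernel on any inode change and cannot be set back without altering the system clock. On a box where root was taken, logs can also have been edited, so a timestamp sweep is a useful cross-check rather than a replacement for them. The directory tree below is constructed in a scratch directory; the site names and the /tmp file name are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: build a timestamp-based list of replaced
# index.* pages, anchored on a file known to date from the incident.

# index.* files whose mtime is newer than the anchor's mtime.
find_by_mtime() {   # $1 = web root, $2 = anchor file
    find "$1" -type f -name 'index.*' -newer "$2" | sort
}

# index.* files whose inode ctime is newer than the anchor's mtime.
# -cnewer is GNU and BSD find, not POSIX; busybox find lacks it.
find_by_ctime() {   # $1 = web root, $2 = anchor file
    find "$1" -type f -name 'index.*' -cnewer "$2" | sort
}

# Constructed demo tree under a scratch directory (assumption: not a real
# server; site names and the dropped file name are made up). Prints the anchor.
build_demo() {   # $1 = scratch dir
    root=$1/home
    anchor=$1/tmp/dropped.pl
    mkdir -p "$1/tmp" "$root/site-a" "$root/site-b" "$root/site-c" "$root/site-d"
    : > "$anchor"
    touch -t 201004150000 "$anchor"                   # incident time: 2010-04-15 00:00
    echo 'original page' > "$root/site-a/index.html"
    touch -t 201004010000 "$root/site-a/index.html"   # untouched page, older than anchor
    echo 'defaced' > "$root/site-b/index.php"         # replaced, mtime left as "now"
    echo 'unrelated' > "$root/site-c/about.html"      # changed, but not an index page
    echo 'defaced' > "$root/site-d/index.htm"
    touch -t 201004010000 "$root/site-d/index.htm"    # replaced, then mtime back-dated
    echo "$anchor"
}

scratch=$(mktemp -d)
anchor=$(build_demo "$scratch")
echo "index.* with mtime after the anchor (misses the back-dated page):"
find_by_mtime "$scratch/home" "$anchor"
echo "index.* with ctime after the anchor (catches it; site-a shows up only"
echo "because the demo created it just now; on a real host its ctime is old):"
find_by_ctime "$scratch/home" "$anchor"
rm -rf "$scratch"
```

On the real server, point find_by_mtime and find_by_ctime at /home with the /tmp file as the anchor, and treat any page that appears in the ctime list but not the mtime list as one whose timestamps were deliberately reset.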
     
  5. Spiral

    The attack was done precisely as I said in my last post; for this I am completely 100% certain.

    The problem you face here, though, is what was done to the server using the stolen login information, and that is the real question.

    If the password stolen was your root password, you already have problems, and the server may be rooted or other changes made that you are unaware of.

    If your security is weak, they might have just simply cross-site scripted once logging into one valid account.

    Unfortunately, based on your more recent comments, I have a strong suspicion that it was your root password that they obtained.

    Also, just a side note: Kaspersky won't help you with this particular one, as one of the very first things it does when activating is disable your antivirus detection, so I would be very careful in placing blind trust there.

    There is an enormous number of posts around here related to this, and you might want to do a few keyword searches on "china hack", "iframe", "base64" and "gumbler", as some of the earlier versions of this particular attack are pretty well documented and might be good source material for you to better understand what is going on here.
     
  6. SuperBaby

    Unfortunately it was the root password. :(

    Thank you very much for all the valuable comments. Really appreciate.
     
  7. Spiral

    Would you like me to take a look around to see what damage has been done? I've sent you my contact information.
     