OJB Posted January 11, 2007
Hey gang. Today I went to download a full backup of my site, as I do from time to time just in case the worst does happen. Anyway, during my download the NOD32 antivirus system popped up an alert. It warned me that the .tar.gz full backup file I was downloading contained a trojan, more specifically the PHP/Rst.I trojan. Now this immediately rang alarm bells, meaning that there must be a trojan on my domain. I tried searching for the PHP/Rst.I trojan on Google but it didn't turn up anything of any use. Does anyone know, firstly, what this trojan is? Secondly, how should I go about removing it and finding it? Obviously NOD32 alerted me to an archive, not to a specific area on my domain, so I have no idea how to locate or remove it. Any help would be greatly appreciated. Thanks, OJB
TCH-Thomas Posted January 11, 2007
I don't use NOD so I don't know how it works, but doesn't it tell you in which file the trojan was found? If not (and this might not be the smartest way of doing it, so be cautious), I would extract the backup file and re-run the scan and see if it then tells you which file it is. Then delete the extracted backup files and re-run the scan again to check that nothing bad happened to your computer.
OJB Posted January 11, 2007 (Author)
Well, as it was just the archive, all NOD told me was that there was a trojan present in it, at which point I terminated the download. I will download it again and if it happens again then I will try what you say. Cheers for the suggestion.
TCH-Thomas Posted January 11, 2007
Since it's not telling you which file is infected, it could be in an email waiting to be downloaded, etc., which an extracted archive would tell you.
OJB Posted January 11, 2007 (Author)
Actually, I just dove deeper into the NOD32 threat log and there is a highlighted file in the archive. I am going to go investigate the file now. Thanks a lot Thomas, mate, appreciate it!
OJB Posted January 11, 2007 (Author)
Problem solved, I think. I found two very suspicious PHP files rooted in one of my folders that shouldn't have been there. I have now removed them and changed the permissions on that folder.
TCH-Thomas Posted January 11, 2007
Good. One other thing I recommend you do is replace all passwords (cPanel, scripts, etc.) with new ones, so no one can do this again, since to me it sounds like there were some bad guys visiting your account.
OJB Posted January 11, 2007 (Author)
Thanks Thomas, I have changed my cPanel password. Incidentally, is there any way to virus scan a domain? So, for example, I could virus scan all my directories from time to time?
OJB Posted January 11, 2007 (Author)
OK, never mind then. NOD32 seems pretty decent and so will probably keep things in check through downloading backups. One final question (sorry to bug you so much): I want to change my MySQL user passwords too while I am at it. Is there any way to do this via cPanel? The only way I can see is by deleting a user and remaking them.
Edited January 11, 2007 by OJB
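Thomas's suggestion earlier in the thread (extract the backup and rescan it to learn which file tripped the alert) and OJB's question about scanning a domain's directories both come down to the same task: walk the .tar.gz backup and check every PHP file for webshell-style constructs. The script below is an added example, not code from this thread or from any of the posters. It reads the archive in memory without extracting anything to disk, flags PHP files that match a handful of heuristic patterns, and also lists archive members whose stored permissions are world-writable (the folder OJB later tightened). The patterns, file names and the sample archive it builds are all constructed for the example; they are not the signature NOD32 uses for PHP/Rst.I, and a hit is a lead to inspect by hand, not proof of infection.

```python
import io
import re
import tarfile

# Heuristic indicators commonly seen in PHP backdoors. Constructed for this
# example; NOT the detection logic of NOD32 or any other product.
SUSPICIOUS_PATTERNS = [
    (re.compile(rb"eval\s*\(\s*(base64_decode|gzinflate|str_rot13)\s*\(", re.I),
     "eval of decoded payload"),
    (re.compile(rb"\b(system|passthru|shell_exec|exec|popen|proc_open)\s*\(\s*\$_(GET|POST|REQUEST|COOKIE)", re.I),
     "shell command from request input"),
    (re.compile(rb"\$_(GET|POST|REQUEST|COOKIE)\s*\[[^\]]*\]\s*\(", re.I),
     "request parameter called as function"),
]

PHP_SUFFIXES = (".php", ".phtml", ".php5", ".inc")


def scan_php_bytes(data):
    """Return the descriptions of every pattern that matches this file's contents."""
    return [desc for pat, desc in SUSPICIOUS_PATTERNS if pat.search(data)]


def scan_backup(tar_bytes):
    """Walk a .tar.gz backup held in memory and return {member_name: [findings]}
    for PHP-looking members that match at least one pattern. Nothing is written to disk."""
    findings = {}
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:gz") as tar:
        for member in tar.getmembers():
            if not member.isfile() or not member.name.lower().endswith(PHP_SUFFIXES):
                continue
            handle = tar.extractfile(member)
            if handle is None:
                continue
            hits = scan_php_bytes(handle.read())
            if hits:
                findings[member.name] = hits
    return findings


def find_world_writable(tar_bytes):
    """Return the names of archive members whose stored mode grants write to 'other'."""
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:gz") as tar:
        return sorted(m.name for m in tar.getmembers() if m.mode & 0o002)


# Constructed sample site: one clean file and two backdoor-like files dropped
# into a world-writable images folder. Paths are hypothetical.
SAMPLE_FILES = [
    ("public_html/index.php", b"<?php echo 'hello'; ?>", 0o644),
    ("public_html/images/.cache.php", b"<?php @eval(base64_decode($_POST['c'])); ?>", 0o644),
    ("public_html/images/shell.php", b"<?php system($_GET['cmd']); ?>", 0o644),
]


def build_sample_backup():
    """Build the constructed sample archive in memory and return its gzip bytes."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        folder = tarfile.TarInfo("public_html/images")
        folder.type = tarfile.DIRTYPE
        folder.mode = 0o777  # the permissive folder that let the files be planted
        tar.addfile(folder)
        for name, data, mode in SAMPLE_FILES:
            info = tarfile.TarInfo(name)
            info.size = len(data)
            info.mode = mode
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


if __name__ == "__main__":
    backup = build_sample_backup()  # replace with open("backup.tar.gz", "rb").read()
    for name, hits in scan_backup(backup).items():
        print(f"{name}: {', '.join(hits)}")
    for name in find_world_writable(backup):
        print(f"world-writable: {name}")
```

Point `backup` at the real backup file to scan a downloaded copy of the site. Files matching are candidates to open and read, with attention to anything sitting in upload or image directories where no PHP should execute; the world-writable listing shows where an attacker could have written them in the first place.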
TCH-Bruce Posted January 11, 2007
You can use phpMyAdmin to edit the database directly, but changing it by adding a new user/password and deleting the current one would be easiest.
TCH-Andy Posted January 11, 2007
Just create a user with the same name and a new password in cPanel, and that will effectively change the password.
OJB Posted January 11, 2007 (Author)
OK, thanks guys. All is sorted now; I've changed all my passwords relating to scripts and cPanel (hence also email and FTP). Thanks for all the help, as per usual.