Trojan Issue

[OJB]

Hey gang

 

Today I went to download a full backup of my site, as I do from time to time just in case the worst does happen.

 

Anyway, during my download NOD32 antivirus system popped up an alert. It warned me that the .tar.gz full backup file I was downloading contained a trojan, more specifically the PHP/Rst.I trojan.

 

Now this immediately rang alarm bells meaning that there must be a trojan on my domain. I tried searching for PHP/Rst.I trojan on google but it didn't turn up anything of any use.

 

Does anyone know firstly what this trojan is? Secondly, how should I go about removing it and finding it? Obviously NOD32 alerted me to an archive, not to a specific area on my domain, I have no idea how to locate or remove it.

 

Any help would be greatly appreciated thanks

 

OJB

[TCH-Thomas]

I don´t use NOD so I dont know how it works, but doesn´t it tell in which file the trojan is found?

If not, and this might not be the smartest way of doing this, so be cautious, but I would extract the backup file and re run the scan and see if it then will tell what file it is.

 

Then delete the extracted backup files and re run the scan again to see nothing bad happened to your computer.

[OJB]

Well as it was just the archive all NOD told me was that there was a trojan present in it, at which point I terminated the download. I will download it again and if it happens again then I will try what you say.

 

Cheers for the suggestion

[TCH-Thomas]

Since its not telling you what file is infected it can be in an email waiting to be downloaded etc, which an extracted archive would tell.

[OJB]

actually..

 

I just dove deeper into the NOD32 threat log and there is a highlighted file in the archive. I am going to go investigate the file now.

 

Thanks alot thomas mate, appreciate it!

[OJB]

problem solved i think

 

I found two very suspicious PHP files rooted into one of my folders that shouldn't have been there. I have now removed them and changed the permissions on that folder.

[TCH-Thomas]

Good.

 

One other thing I recommend you to do is to replace all passwords (cpanel, scripts etc) with new ones, so no one can do this again, since it to me sounds like there was some bad guys visiting your account.

[OJB]

Thanks thomas, I have changed my CPanel password.

 

Incidentally, is there any way to virus scan a domain? So for example, I virus scan all my directories from time to time?

[TCH-Thomas]

Not that I am aware of, sorry.

[OJB]

ok never mind then, NOD32 seems pretty decent and so will probably keep things in check through downloading backups.

 

 

one final question (sorry to bug you so much), I want to change my MySQL user passwords too while I am at it, is there anyway to do this via cpanel, only way I can see is by deleting a user and remaking them.

Edited January 11, 2007 by OJB

[TCH-Bruce]

You can use phpAdmin to edit the database directly but changing by adding a new user/password and deleting the current one would be easiest.

[TCH-Andy]

just create a user with the same name, and new password in cpanel - and that will effectively change the password.

[OJB]

ok thanks guys...

 

All is sorted now, changed all my passwords relating to scripts and CPanel (hence also email and FTP)

 

thanks for all the help as per usual