
Hi, I work for a server that runs on Apache and Red Hat. I need to get an anti-virus for the server, as we have possible trojans that we need to quarantine. I appreciate any posts.

Last Post by jbennet

Well, the Unix version of trojans. Here is what I have:

Scan for Trojan Horses

Appears Clean

/dev/stderr

Scanning for Trojan Horses.....

Possible Trojan - /usr/sbin/pureauth
Possible Trojan - /usr/sbin/antirelayd
Possible Trojan - /usr/bin/pod2man
Possible Trojan - /usr/bin/pod2usage
Possible Trojan - /usr/bin/podchecker
Possible Trojan - /usr/bin/podselect
Possible Trojan - /usr/bin/psed
Possible Trojan - /usr/bin/pstruct
Possible Trojan - /usr/bin/s2p
Possible Trojan - /usr/bin/splain
Possible Trojan - /usr/bin/xsubpp

11 POSSIBLE Trojans Detected


Well, there are 3 possible causes:

- A virus got onto your system. This would most likely involve a virus exploiting a security hole in one of your daemons, or you or another administrator executing malicious code under the root account.
- A hacker broke into your system. They replaced a number of your system binaries with Trojans (and probably a hell of a lot of other stuff too).
- Your system is fine, that's just the result of a lousy Trojan-checker.

Since I find #1 extremely unlikely, and judging by the fact that you haven't even bothered to mention the name of the program that made these Trojan claims, nor has it provided any kind of proof on why it's making these claims, I would say that it's most likely to be case #3.

Of course, if you did manage to compromise the security of an entire server, I would recommend wiping the entire OS and starting from scratch again. It's one thing to have a virus or two on a desktop computer; it's quite another when an entire network server gets compromised.

The first thing you should probably do is compare checksums between the suspected binaries and fresh copies downloaded from the web (remember to download the exact same version). If they match, then it was a false alarm. However, if you're finding quite a number of those binaries to have different checksums, then the security of your server has probably been compromised.

Thanks John. You gave a very detailed reply and is very helpful for people with this problem in the future. I looked at tons of sites with no answer.
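The checksum comparison John describes, as an added example that is not part of the thread: a POSIX shell function that takes the flagged paths from the scanner output and checks each against a reference manifest. The manifest is assumed to be `sha256sum` output ("hash  /path") generated on a known-good host running the same package versions; `check_flagged` is a name chosen here, not a tool from the page.

```shell
#!/bin/sh
# Added example: verify scanner-flagged binaries against a reference checksum
# manifest built on a trusted host with the same package versions (assumption).
# Manifest lines look like sha256sum output:  <sha256>  /usr/bin/pod2man
# Usage: check_flagged manifest.txt /usr/bin/pod2man /usr/sbin/pureauth ...
# Prints one line per file (OK, MISMATCH, MISSING reference, ABSENT on disk).
# Exit status: 0 all match, 1 at least one mismatch, 2 nothing mismatched but
# at least one file could not be verified.
check_flagged() {
    manifest=$1; shift
    mismatch=0; unverified=0
    for f in "$@"; do
        if [ ! -f "$f" ]; then
            echo "ABSENT   $f (not present on this host)"
            unverified=1
            continue
        fi
        # Look up the reference digest for exactly this path.
        ref=$(awk -v p="$f" '$2 == p { print $1; exit }' "$manifest")
        if [ -z "$ref" ]; then
            echo "MISSING  $f (no reference hash in manifest)"
            unverified=1
            continue
        fi
        cur=$(sha256sum "$f" | awk '{ print $1 }')
        if [ "$cur" = "$ref" ]; then
            echo "OK       $f"
        else
            echo "MISMATCH $f reference=$ref current=$cur"
            mismatch=1
        fi
    done
    [ "$mismatch" -eq 0 ] || return 1
    [ "$unverified" -eq 0 ] || return 2
    return 0
}
```

On Red Hat systems `rpm -Vf /usr/bin/pod2man` compares the same file against the digest recorded in the RPM database, which is a quick first pass but only trustworthy if the local database itself was not tampered with; that is why the manifest above comes from a separate known-good host.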

Thanks, it was #3. I had the techs at the company I work at update all of our software and double-check the server to make sure it is safe, and it is. It was a bad WHM scanner.
