
Recently my site's index.php file was replaced with some malicious javascript code.

I really don't know how it was added to the page.

Today when I tried to download the file via FTP, my local anti-virus software gave me a warning. I presume this means it was not uploaded from my computer.

Is there any way to install anti-virus software on my VPS (running CentOS 5 and Cpanel/WHM)?

Also, what is mod_security? Will it be helpful in the future?

Coops

2 Answers


There are a few places to start:

- Who was the owner of the file in question?

If the file was owned/writable by the Apache user, the compromise could be in your actual code. If the file isn't owned/writable by Apache, I'd next look at FTP.

- Have you checked the FTP logs?

Look through the logs and see if someone has downloaded your file, then re-uploaded it a few seconds later (now with malicious content). This indicates your FTP details have been compromised. This is normally either by guessing an easy password, or by intercepting them, often from a compromised local Windows PC used to upload the files.

The style of attack you describe is quite common. It's not an advanced attack, and will normally just be exploiting a simple security hole in your system (insecure passwords, poorly written code, etc).

mod_security is used to detect malicious code being executed by Apache (for instance SQL injection attacks). It won't stop the code being uploaded in the first place.

And in answer to your question, yes there are anti-virus applications available for Linux. Have a search for ClamAV as a starting place.

Coops
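An added example (not code from the answer above, nor cPanel's or ModSecurity's own tooling): a Python script that applies the download-then-re-upload check from the first answer to FTP transfer log lines in the standard xferlog format. The log lines are constructed, and the 60-second window and the /var/log/xferlog path are assumptions.

```python
import sys
from datetime import datetime

# Constructed sample lines in the xferlog format written by proftpd/pure-ftpd:
# 5 date fields, xfer-secs, host, bytes, path, type, special-flag,
# direction (o = download, i = upload), mode, user, service, ...
SAMPLE_XFERLOG = """\
Mon Mar  5 10:12:01 2012 1 192.0.2.10 4096 /home/site/public_html/index.php a _ o r site ftp 0 * c
Mon Mar  5 10:12:07 2012 1 192.0.2.10 5120 /home/site/public_html/index.php a _ i r site ftp 0 * c
Mon Mar  5 11:00:00 2012 1 198.51.100.7 2048 /home/site/public_html/about.php a _ o r site ftp 0 * c
Tue Mar  6 09:30:00 2012 1 198.51.100.7 2100 /home/site/public_html/about.php a _ i r site ftp 0 * c
"""


def parse_xferlog(text):
    """Parse xferlog lines into dicts; malformed or short lines are skipped."""
    entries = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 14:
            continue
        stamp = datetime.strptime(" ".join(f[:5]), "%a %b %d %H:%M:%S %Y")
        entries.append({"time": stamp, "host": f[6], "path": f[8],
                        "direction": f[11], "user": f[13]})
    return entries


def find_download_reupload(entries, window_seconds=60):
    """Report uploads of a path that follow a download of the same path
    within window_seconds (assumed 60 here): the trace a stolen FTP login
    leaves when index.php is fetched and a modified copy is pushed back."""
    hits = []
    last_download = {}
    for e in sorted(entries, key=lambda x: x["time"]):
        if e["direction"] == "o":
            last_download[e["path"]] = e
        elif e["direction"] == "i" and e["path"] in last_download:
            gap = (e["time"] - last_download[e["path"]]["time"]).total_seconds()
            if 0 <= gap <= window_seconds:
                hits.append({"path": e["path"], "user": e["user"],
                             "host": e["host"], "gap_seconds": gap})
    return hits


if __name__ == "__main__":
    # Pass a real log path (assumed location, e.g. /var/log/xferlog) to scan it.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_XFERLOG
    for h in find_download_reupload(parse_xferlog(text)):
        print("%(path)s re-uploaded %(gap_seconds).0fs after download by "
              "%(user)s from %(host)s" % h)
```

On the sample, only index.php is flagged (downloaded and re-uploaded 6 seconds apart); about.php, re-uploaded a day later, is not.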

With ModSecurity's @inspectFile operator and the modsec-clamscan.pl script, you can check a file's content with the rule below:

SecRule FILES_TMPNAMES "@inspectFile /path/to/modsec-clamscan.pl" "phase:2,t:none,deny,log,msg:'Malicious code identified.'"

Have a look at this.

quanta