
I have a problem with a web server that runs CentOS 4 with DirectAdmin.

For a few weeks now, some websites hosted on it have not been redirecting properly from search engines: visitors coming from a search engine are redirected to some malware site, resulting in a ban from Google.

Now I have used 3 virus scanners: ClamAV didn't find anything; Bitdefender found 2-3 files with a JS infection, which I deleted; AVG finds lots of files, but doesn't have the option to clean!

The viruses that it finds are: JS/Redir and JS/Dropper.

Still, the strange thing is: website A (www.aa.com) does not have any infected files (I have gone through all the files manually; it is a custom PHP app, nothing special) but still has the same virus. Website B (www.bb.com) does have the infected files, as the only one.

I deleted all these files and suspended the account, but no luck; still the same error.

I do get the log entries on the website from the search engines, so the DNS entries have not been changed.

I have also gone through the httpd files but cannot find anything.

Where can I start looking for this?

Roger Far

3 Answers

Maybe the problem is with the web server and not with the website itself? Perhaps the virus modified a script so that you can't detect the changes with a virus detector?

jmort253

Run chkrootkit and/or Rootkit Hunter. I suspect that jmort253 is right and the server has been compromised. Did you check for any funny .htaccess files or conf files?

egorgry
  • Yeah, I checked, but because DirectAdmin is on the server it's hell to look for a problem; I am not familiar with all the scripts, so actual DA scripts can look suspicious. Rootkit Hunter gave no results, luckily. – Roger Far Jan 02 '11 at 21:15
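The redirects described in the question only fire for visitors arriving from a search engine, which is why browsing the sites directly shows nothing. A quick way to triage the "funny .htaccess or conf files" question above is to scan the web roots for the combination that produces that symptom: a condition on HTTP_REFERER or HTTP_USER_AGENT that names a search engine, plus a redirect to another host. The scanner below is an added example, not code from this thread or from DirectAdmin; the sample web root it builds (site_a, site_b, the redirect.example.invalid host) is constructed here for illustration.

```python
"""Scan a web root for redirects that fire only for search-engine traffic.

Added example for this thread. The sample files below are constructed:
a benign .htaccess and login page under site_a, and an .htaccess plus a
PHP footer under site_b that redirect only when the referer is a search
engine, which is the pattern the question describes.
"""
import re
import tempfile
from pathlib import Path

SAMPLE_FILES = {
    "site_a/.htaccess": (
        "RewriteEngine On\n"
        "RewriteCond %{HTTP_HOST} ^example-a\\.test$ [NC]\n"
        "RewriteRule ^(.*)$ index.php?q=$1 [L,QSA]\n"
    ),
    # Unconditional redirect: worth a look, but not the referer-gated pattern.
    "site_a/login.php": (
        "<?php\n"
        "header('Location: https://example-a.test/account.php');\n"
        "exit;\n"
    ),
    "site_b/.htaccess": (
        "RewriteEngine On\n"
        "RewriteCond %{HTTP_REFERER} (google|yahoo|bing|msn)\\. [NC]\n"
        "RewriteRule ^(.*)$ http://redirect.example.invalid/go.php [R=302,L]\n"
    ),
    "site_b/footer.php": (
        "<?php\n"
        "if (preg_match('/google|bing|yahoo/i', $_SERVER['HTTP_REFERER'])) {\n"
        "    header('Location: http://redirect.example.invalid/');\n"
        "    exit;\n"
        "}\n"
    ),
}

SEARCH_ENGINE = r"google|bing|yahoo|msn|yandex|baidu"

# A line that tests the referer or user agent against a search-engine name,
# in either order (Apache RewriteCond style or PHP preg_match style).
CONDITIONAL_RE = re.compile(
    r"(HTTP_REFERER|HTTP_USER_AGENT)[^\n]*?(" + SEARCH_ENGINE + r")"
    r"|(" + SEARCH_ENGINE + r")[^\n]*?(HTTP_REFERER|HTTP_USER_AGENT)",
    re.I,
)

# A line that redirects to an absolute URL: a RewriteRule with the R flag,
# or a PHP header('Location: http...').
REDIRECT_RE = re.compile(
    r"RewriteRule\s+\S+\s+https?://[^\s]+\s*\[[^\]]*\bR\b"
    r"|header\s*\(\s*['\"]Location:\s*https?://",
    re.I,
)

SCAN_SUFFIXES = {".php", ".html", ".js", ".conf"}


def scan_file(path):
    """Return line numbers of conditions and redirects; suspicious if both."""
    text = path.read_text(errors="replace")
    conditions, redirects = [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        if CONDITIONAL_RE.search(line):
            conditions.append(lineno)
        if REDIRECT_RE.search(line):
            redirects.append(lineno)
    return {
        "conditions": conditions,
        "redirects": redirects,
        "suspicious": bool(conditions and redirects),
    }


def scan_tree(root):
    """Scan .htaccess and web-code files under root; report only hits."""
    root = Path(root)
    findings = {}
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        if path.name != ".htaccess" and path.suffix.lower() not in SCAN_SUFFIXES:
            continue
        result = scan_file(path)
        if result["conditions"] or result["redirects"]:
            findings[path.relative_to(root).as_posix()] = result
    return findings


def build_sample_tree():
    """Write the constructed sample web root into a temporary directory."""
    root = Path(tempfile.mkdtemp(prefix="webroot_"))
    for rel, content in SAMPLE_FILES.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(content)
    return root


def run_demo():
    """Build the sample tree and scan it."""
    return scan_tree(build_sample_tree())


if __name__ == "__main__":
    for rel, result in run_demo().items():
        flag = "SUSPICIOUS" if result["suspicious"] else "review"
        print(f"{flag:10} {rel}  conditions={result['conditions']}"
              f" redirects={result['redirects']}")
```

Run it against the real document roots (for example `scan_tree("/home")` on a DirectAdmin box) and review every SUSPICIOUS hit by hand; a file that only redirects, with no referer or user-agent test, is reported as "review" so that legitimate login redirects are not mistaken for the infection. Because the question also reports sites with no infected files still redirecting, include the httpd configuration directories in the scan, since a RewriteRule in a server or virtual host configuration affects every site without touching their files.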

Sounds like the binaries have been compromised. Difficult to contain, but not impossible. I'd definitely suggest backing up sites ONLY to a known good server - NOT keeping them on the same box.

Joe