1

My server seems to have been infected with a Trojan. I run a Ubuntu 14.04.3 LTS

When I approach one of the sites on my server my windows eset scanner blocks the link. Throwing a

"Trojan Iframe.MA"

detected.

When I scan with ClamAV after calling freshclam like so clamscan -r --bell --remove -i / clamscan found 1 infected file ... it removes it..

but then I also get 10.800 errors (Permission denied) some of the directories showing up are below

  • /sys/module/xt_tcpudp
  • /sys/module/xt_multiport
  • /sys/module/xt_conntrack

And the site still seems to be infected.

Does anyone recognize this issue? And what should I do about it?

It was suggested I should have run as root. Forgot to say I log in as root. Just to be sure I ran it again like so sudo clamscan -r --bell --remove -i /

I will just add this log summary this puts out

Known viruses: 4007738
Engine version: 0.98.7
Scanned directories: 28308
Scanned files: 133513
Infected files: 0
Total errors: 10828
Data scanned: 4755.18 MB
Data read: 5678.44 MB (ratio 0.84:1)
Time: 615.395 sec (10 m 15 s)

In the end I found out the virus was inside a theme for a joomla site. And was pushing out mail using PHPMailer. Almost got me blacklisted.

However the question about why ClamAV doesn't scan everything still stands. Thanks for having a look.

Marco Schoolenberg
  • 156
  • 1
  • 14
  • You have to run clamav as root. It is unlikely your server has a virus, and rather then deleting files with clamav you need to do more research as clamav throws false positives. – Panther Oct 08 '15 at 02:28
  • Hi, Thank you for that, I had been looking into that a little. However I am running it as root. – Marco Schoolenberg Oct 08 '15 at 03:34
  • bodhi.zazen I have added some logging after I ran sudo clamscan -r --bell --remove -i / – Marco Schoolenberg Oct 08 '15 at 03:57
  • So nothing was found on the scan. Not sure about the errors – Panther Oct 08 '15 at 14:13
  • See http://askubuntu.com/questions/591964/clamav-cant-read-file-error – Panther Oct 08 '15 at 14:33
  • tnx for the link. Well the first scan removed 1 infected file. But also produced these 10820 something errors – Marco Schoolenberg Oct 08 '15 at 18:21
  • The errors are not really a problem you need to worry about. I am net even sure you have a virus, linux av is notorious for false positives. You will need to read more, confirm results before you assume there is a problem, and provide more information on what clam reported was the problem with what file. Otherwise hard to guess. – Panther Oct 08 '15 at 18:29
  • See http://askubuntu.com/questions/250290/how-do-i-scan-for-viruses-with-clamav and https://help.ubuntu.com/community/ClamAV and https://help.ubuntu.com/community/Antivirus and https://wiki.ubuntu.com/BasicSecurity – Panther Oct 08 '15 at 18:51
  • Thanks again. I am a little late. I removed the virus in the end by copying all data to my windows machine and scan that directory with ESET for windows. Turned out to be inside a theme package for a Joomla site – Marco Schoolenberg Jan 05 '16 at 14:50

0 Answers0