Hi,
I found a virus on my server today.
[root@voyager /]# clamscan -ri --exclude-dir=/sys
/etc/snort.d/rules/clearcenter/activex.rules: Win.Trojan.cve_2011_2657-1 FOUND
/etc/snort.d/rules/clearcenter/current_events.rules: Sanesecurity.Malware.19493.Web.UNOFFICIAL FOUND
/etc/snort.d/rules/clearcenter/deleted.rules: Html.Trojan.Blackhole-65 FOUND
/var/clearos/configuration_backup/backup-voyager_lionux_nl-07-02-2018-01-50-01.tgz: Win.Trojan.cve_2011_2657-1 FOUND
/var/clearos/configuration_backup/backup-voyager_lionux_nl-07-03-2018-01-50-01.tgz: Win.Trojan.cve_2011_2657-1 FOUND
/var/clearos/configuration_backup/backup-voyager_lionux_nl-07-04-2018-01-50-01.tgz: Win.Trojan.cve_2011_2657-1 FOUND
/usr/lib64/gconsole/browser/omni.ja: Sanesecurity.Foxhole.Zip_Js_Js.UNOFFICIAL FOUND
----------- SCAN SUMMARY -----------
Known viruses: 6771035
Engine version: 0.99.3
Scanned directories: 15192
Scanned files: 50596
Infected files: 7
Data scanned: 2910.37 MB
Data read: 2377.13 MB (ratio 1.22:1)
Time: 682.111 sec (11 m 22 s)
You have new mail in /var/spool/mail/root
[root@voyager /]#
I found the virus before and I did a re-install of my server this weekend, but as you see it returned. The virus is rebooting my server randomly. It was gone for 3-4 days, but this evening it started again. I'm going to shut down the ClearOS server, but I'm not sure what the infection source is. The first three are false positives. Nick also pointed this out. I also detected the three files when I scanned the ClearOS server after installation. The other looks like a Windows Trojan. I have only one VM on unRAID running Windows. EDIT: I scanned the Windows VM and it's clean. Please, some guidance.
Accepted Answer
I'm not worried about the snort rules or the backup files (which contain the snort rules but the scanner is probably only returning the first hit). The other one is the same on mine. I don't have the time/patience for a full scan but:
[root@server ~]# clamscan -ri /usr/lib64/gconsole/browser
/usr/lib64/gconsole/browser/omni.ja: Sanesecurity.Foxhole.Zip_Js_Js.UNOFFICIAL FOUND
----------- SCAN SUMMARY -----------
Known viruses: 6867100
Engine version: 0.99.3
Scanned directories: 9
Scanned files: 11
Infected files: 1
Data scanned: 61.80 MB
Data read: 13.55 MB (ratio 4.56:1)
Time: 56.201 sec (0 m 56 s)
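One way to check the accepted answer's point that the backup hits are just the snort rules files packed inside the archives, as an added example that is not from this thread or from ClearOS: it parses a clamscan report in the format shown above and, for each flagged archive, checks whether that archive actually contains a flagged plain file carrying the same signature. The report text, the tgz and its backup path are constructed fixtures, not files from the poster's server.

```python
import io
import re
import tarfile

HIT_RE = re.compile(r"^(?P<path>.+?): (?P<sig>\S+) FOUND$")
ARCHIVE_EXT = (".tgz", ".tar.gz")
# Constructed report, shaped like the clamscan output in the post.
SAMPLE_REPORT = """\
/etc/snort.d/rules/clearcenter/activex.rules: Win.Trojan.cve_2011_2657-1 FOUND
/var/clearos/configuration_backup/backup-07-02.tgz: Win.Trojan.cve_2011_2657-1 FOUND
/usr/lib64/gconsole/browser/omni.ja: Sanesecurity.Foxhole.Zip_Js_Js.UNOFFICIAL FOUND
----------- SCAN SUMMARY -----------
"""

def parse_hits(report):
    """Return [(path, signature)] for each FOUND line; summary lines are skipped."""
    return [(m["path"], m["sig"]) for m in map(HIT_RE.match, report.splitlines()) if m]

def explain_archive_hits(hits, open_archive):
    """For each flagged archive, return the flagged plain files with the same
    signature that it actually contains; an empty set means the hit is not
    explained and the archive should be unpacked and rescanned.
    open_archive(path) returns a tarfile.TarFile (injected so a fixture can be used)."""
    by_sig = {}
    for path, sig in hits:
        if not path.endswith(ARCHIVE_EXT):
            by_sig.setdefault(sig, set()).add(path)
    findings = {}
    for path, sig in hits:
        if path.endswith(ARCHIVE_EXT):
            with open_archive(path) as tar:
                members = {"/" + m.name.lstrip("./") for m in tar.getmembers()}
            findings[path] = by_sig.get(sig, set()) & members
    return findings

def make_backup(paths):
    """In-memory tgz holding the given paths: a constructed stand-in for a
    ClearOS configuration backup that packs /etc (file contents are dummy)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for p in paths:
            data = b"# constructed placeholder content\n"
            info = tarfile.TarInfo(name=p.lstrip("/"))
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()

def triage_sample():
    fixture = make_backup(["/etc/snort.d/rules/clearcenter/activex.rules", "/etc/hosts"])
    opener = lambda _path: tarfile.open(fileobj=io.BytesIO(fixture), mode="r:gz")
    return explain_archive_hits(parse_hits(SAMPLE_REPORT), opener)
```

On a real box, replace the opener with one that calls `tarfile.open(path)` on the flagged backup so the check runs against the actual archive.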