Re: Best practices in finding out a trojan

2009-05-30 Thread Mel Flynn
On Saturday 30 May 2009 19:40:55 Zbigniew Szalbot wrote:

> I know this has practically no connection with FreeBSD but I have a site
> on a shared hosting and it appears the site got a trojan called
> JS:Cruzer-D. I cannot find anything about it as it appears to be
> relatively new (28 May). Anyway, I am trying to browse through the Joomla
> CMS files in hope of locating it. I haven't seen anything suspicious with
> the file modification time (and I have checked those which have been
> modified within a 48h period).

Normally, grep and find would do it, or running clamav over the system.
However, from what I'm reading on the web, avast gives false positives for
this trojan, even flagging a gif image:
http://forum.avast.com/index.php?topic=45730.msg383138#msg383138

So I wouldn't worry about finding it, but more about informing your users that
there is no trojan on the site and that they should complain to avast about
this issue.
You could ask visitors to try and identify the file that sets off this false
positive. The procedure for that is described in the above post.
-- 
Mel
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org"
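
The find and grep approach mentioned in the reply above, as an added example that is not part of the original thread: it lists files by inode change time (ctime), which `touch` cannot backdate the way it can mtime, and greps web files for injected-script markers. The function names and the patterns are assumptions chosen for illustration (generic heuristics, not a JS:Cruzer-D signature), and the sample tree is constructed.

```shell
#!/bin/sh
# Added example: triage a web root for injected script with find and grep.
# PATTERNS holds generic, assumed heuristics: hidden 0/1-pixel iframes and
# common decode-and-run wrappers. It is not a signature for any named trojan.
PATTERNS='<iframe[^>]*(width|height)=.?[01][^0-9]|document\.write\(unescape\(|eval\((unescape|base64_decode|gzinflate)\('

# List files whose inode change time (ctime) is within the last N days.
# Unlike mtime, ctime is not reset by touch(1), so a backdated file still shows.
changed_since() {   # usage: changed_since DIR DAYS
    find "$1" -type f -ctime "-$2" -print | sort
}

# List web-served text files that contain one of the heuristic patterns.
scan_injected() {   # usage: scan_injected DIR
    find "$1" -type f \( -name '*.php' -o -name '*.js' -o -name '*.htm*' \
        -o -name '.htaccess' \) -exec grep -l -i -E "$PATTERNS" {} + | sort
}

# Build a small constructed sample tree (not data from the thread).
make_sample_tree() {
    d=$(mktemp -d) || return 1
    printf '%s\n' '<?php echo "hello"; ?>' > "$d/clean.php"
    printf '%s\n' '<p>ok</p><iframe src="http://example.invalid/x" width=1 height=1></iframe>' > "$d/index.php"
    printf '%s\n' 'document.write(unescape("%3Cb%3Ehi%3C/b%3E"));' > "$d/menu.js"
    # Backdate the mtime of one file so an mtime-only check would miss it.
    touch -t 200801010000 "$d/index.php"
    echo "$d"
}

# Run with --demo to see both checks against the constructed tree.
if [ "${1:-}" = "--demo" ]; then
    tree=$(make_sample_tree)
    echo "changed (ctime) in last 2 days:"; changed_since "$tree" 2
    echo "matching injection heuristics:";  scan_injected "$tree"
    rm -rf "$tree"
fi
```

A match is only a lead for manual review; legitimate code can use these constructs too.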


Best practices in finding out a trojan

2009-05-30 Thread Zbigniew Szalbot
Hello,

I know this has practically no connection with FreeBSD but I have a site
on a shared hosting and it appears the site got a trojan called
JS:Cruzer-D. I cannot find anything about it as it appears to be
relatively new (28 May). Anyway, I am trying to browse through the Joomla
CMS files in hope of locating it. I haven't seen anything suspicious with
the file modification time (and I have checked those which have been
modified within a 48h period).

I am a bit stuck at the moment and if you can offer any advice on how to
troubleshoot such things on a UNIX system, I'd be really, really thankful!

There is some information about JS:Cruzer-C on the web but code of this
trojan is not present on the infected website (I have grepped all the
files today).

Ah, I will add that the trojan is only reported by avast antivirus when
people visit the site in IE (in other browsers, this problem does not
appear).

Best regards,

-- 
Zbigniew Szalbot
