I agree with the assessment that tikiwiki is a potential vector. FWIW, though, even an older version of ClamAV is better than nothing if updated with the latest virus signatures (as you would do with any AV app). 'freshclam' is the order of the day.

I don't want to be alarmist, as I've never delved into "PHP virii" much, but that "lndex.html" (note the initial lower-case "L" rather than an "I") containing PHP.ShellExec sounds a little more ominous than I like on my Friday afternoons...

Cheers,

-sth

sam hooker|[EMAIL PROTECTED]|http://www.noiseplant.com

Yes, my television runs Linux, too. Yes, really. http://mythtv.org

Bjorn Behrendt wrote:
| I installed ClamAV - unfortunately the version of ubuntu server I have
| running is not the latest, and the clamav in the repository is not the
| most up to date. I tried to install from source, but got plenty of
| compile errors.
|
| Here is a clamav (old version) log:
| //var/www/rcsu/tikiwiki/dump/s.php: PHP.Defash.B FOUND
| //var/www/rcsu/tikiwiki/styles/style.php: PHP.ShellExec FOUND
| //var/www/rcsu/tikiwiki/files/lndex.php: PHP.ShellExec FOUND
| //var/www/rcsu/tikiwiki/backups/r.php: PHP.Shell FOUND
|
| I shut off samba, but I have a feeling it is more of a tikiwiki exploit
| upload thing. I am going to just delete the files, update tikiwiki,
| update ubuntu server and make sure that clamav is the latest.
|
| ----- Original Message -----
| From: "Bjorn Behrendt" <[EMAIL PROTECTED]>
| To: [email protected]
| Sent: Friday, July 18, 2008 1:38:48 PM GMT -05:00 US/Canada Eastern
| Subject: virus found on web server
|
| Please help, I don't know how to clean a virus from a linux webserver.
| My webserver keeps flooding our network until everything crashes, and
| when I did a manual backup the other day my antivirus popped up with an
| infection, see attached.
|
| Bjorn Behrendt
| Proctor School District
| [EMAIL PROTECTED]
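
As an added example (not part of the original thread), this Python triages ClamAV output like the log quoted above: it extracts each `FOUND` line and flags file names that imitate a common one by character substitution, as `lndex` does. The sample log is constructed from the four detections quoted in the message plus one clean line; the confusable-character map, the `EXPECTED_NAMES` list and the function names are assumptions of this example.

```python
import re
from collections import namedtuple

# Constructed sample: the four detections quoted in the thread plus one clean line.
SAMPLE_LOG = """\
//var/www/rcsu/tikiwiki/dump/s.php: PHP.Defash.B FOUND
//var/www/rcsu/tikiwiki/styles/style.php: PHP.ShellExec FOUND
//var/www/rcsu/tikiwiki/files/lndex.php: PHP.ShellExec FOUND
//var/www/rcsu/tikiwiki/backups/r.php: PHP.Shell FOUND
//var/www/rcsu/tikiwiki/index.php: OK
"""

Detection = namedtuple("Detection", "path signature directory lookalike_of")
FOUND_RE = re.compile(r"^(?P<path>.+): (?P<sig>\S+) FOUND\s*$")
# Assumption: characters commonly swapped to imitate another letter.
CONFUSABLES = str.maketrans({"l": "i", "1": "i", "|": "i", "0": "o"})
# Assumption: legitimate file stems worth checking imitations against.
EXPECTED_NAMES = ("index", "default")


def lookalike_of(filename):
    """Return the expected name this file imitates, or None."""
    stem = filename.rsplit(".", 1)[0].lower()
    if stem in EXPECTED_NAMES:
        return None  # the genuine name, not an imitation
    folded = stem.translate(CONFUSABLES)
    for name in EXPECTED_NAMES:
        if folded == name.translate(CONFUSABLES):
            return name
    return None


def parse_detections(log_text):
    """Collect every 'path: Signature FOUND' line as a Detection."""
    hits = []
    for line in log_text.splitlines():
        m = FOUND_RE.match(line.strip())
        if not m:
            continue  # OK lines, summary lines, blanks
        path = re.sub(r"^/+", "/", m.group("path"))  # collapse leading '//'
        directory, _, filename = path.rpartition("/")
        hits.append(Detection(path, m.group("sig"), directory, lookalike_of(filename)))
    return hits


if __name__ == "__main__":
    for d in parse_detections(SAMPLE_LOG):
        note = f"  <-- imitates '{d.lookalike_of}'" if d.lookalike_of else ""
        print(f"{d.signature:15} {d.path}{note}")
```
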
