Hi, I work for a server that runs on apache and red hat. I need to get a anti-virus for the server as we have possible trojans that we need to quarantine. I appreciate any posts.
tiger86 16 Posting Pro
John A 1,896 Vampirical Lurker Team Colleague
What gives you the impression that you might have Trojans on your system?
tiger86 16 Posting Pro
Well the unix version of trojans here is what I have.
Scan for Trojan Horses
Appears Clean
/dev/stderr
Scanning for Trojan Horses.....
Possible Trojan - /usr/sbin/pureauth
Possible Trojan - /usr/sbin/antirelayd
Possible Trojan - /usr/bin/pod2man
Possible Trojan - /usr/bin/pod2usage
Possible Trojan - /usr/bin/podcheckerPossible Trojan - /usr/bin/podselect
Possible Trojan - /usr/bin/psed
Possible Trojan - /usr/bin/pstruct
Possible Trojan - /usr/bin/s2p
Possible Trojan - /usr/bin/splain
Possible Trojan - /usr/bin/xsubpp
11 POSSIBLE Trojans Detected
John A 1,896 Vampirical Lurker Team Colleague
Well, there's 3 possible causes:
- A virus got onto your system. This would most likely involve a virus exploiting a security hole in one of your daemons, or you or another administrator executing malicious code under the root account.
- A hacker broke into your system. They replaced a number of your system binaries with Trojans (and probably a hell of a lot of other stuff too).
- Your system is fine, that's just the result of a lousy Trojan-checker.
Since I find #1 extremely unlikely, and judging by the fact that you haven't even bothered to mention the name of the program that made these Trojan claims, nor has it provided any kind of proof on why it's making these claims, I would say that it's most likely to be case #3.
Of course, if you did manage to compromise the security of an entire server, I would recommend you wiping the entire OS and starting from scratch again. It's one thing to have a virus or two on a desktop computer, it's quite another when an entire network server gets compromised.
The first thing you should probably do is compare checksums between the suspected binaries and fresh copies downloaded from the web (remember to download the exact same version). If they match, then it was a false alarm. However, if you're finding quite a number of those binaries to have different checksums, then the security of your server has probably been compromised.
tiger86 commented: Thanks John. You gave a very detailed reply and is very helpful for people with this problem in the future. I looked at tons of sites with no answer. +1
tiger86 16 Posting Pro
Thanks it was #3 I had the techs at the company I work at update all of our software and doublecheck the server to make sure it is safe and it is. IT was a bad whm scanner.
jbennet 1,618 Most Valuable Poster Team Colleague Featured Poster
I think you can get ClamAV and AVG for linux anyway
Be a part of the DaniWeb community
We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.