Possible infection detected. How do I know?

jlpeifer (Verified User, joined Jun 6, 2006, 88 messages)
I downloaded from my DA server a batch of user backup files to a local computer running a current version of ESET (Internet security program). ESET scanned the contents of the downloaded tar.gz files and reported that a single file was a "PHP/PhpShell.NBD trojan". The location of that file was /home/<user>/domains/<userdomain>/stats/. The name of the file was "defauls.php". I located the file on the DA server and isolated it.

My question is... how do I know what this file is and what it was doing on my server? Is it a false-positive, or a real issue?

I don't want to post the file's contents here for fear of being wrist-slapped. Can anyone assist?

Richard G (Verified User, joined Jul 6, 2008, 4,541 messages, Maastricht)
Strange, you should have a look at the contents of that file. I don't have a defaults.php in my stats folder. But that does not directly mean that it is a problem.

I would install maldetect and maybe do a manual scan of the /home/user/domains/userdomain folder in total.
That way public_html is scanned as well.

jlpeifer (Verified User, joined Jun 6, 2006, 88 messages)
Thanks Richard, I did have a look at the contents, but since I don't program PHP it's all gibberish to me. It's just 1 line of code with about 120 characters. I'd love to post the contents but don't want to draw the ire of the admins.

And thanks for the Maldetect link. I'll check it out.

Richard G (Verified User, joined Jul 6, 2008, 4,541 messages, Maastricht)
You're welcome.
Maldetect can check a lot for you. I also don't have a lot of PHP programming skills, but you can read PHP. If a lot is coded or you see some text like "base64", you can almost be sure that in that directory, it's malicious.
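The two indicators the thread points at, a PHP file that is one long line and one that contains "base64", can be checked with a small script before or alongside a maldetect run. The following is an added example written for this thread, not code from the posters or from maldetect; the token list and the 80-character threshold are this example's own heuristics, and the two sample files are constructed, not the file found on the server.

```python
import base64
import re
import tempfile
from pathlib import Path

# Tokens that commonly show up in dropped PHP shells (assumed list, not maldetect's signatures).
SUSPICIOUS = re.compile(
    r"base64_decode|eval\s*\(|gzinflate|str_rot13|\$_(?:GET|POST|REQUEST)\s*\[", re.I
)

def inspect_php(text: str) -> list[str]:
    """Return the reasons a PHP source looks suspicious; an empty list means nothing flagged."""
    reasons = []
    lines = [l for l in text.splitlines() if l.strip()]
    # The file in the thread was "1 line of code with about 120 characters".
    if len(lines) == 1 and len(lines[0]) > 80:
        reasons.append("single long line (%d chars)" % len(lines[0]))
    for m in SUSPICIOUS.finditer(text):
        reasons.append("suspicious token: " + m.group(0).lower().split("(")[0].strip())
    # A long quoted literal that decodes cleanly as base64 is the "base64" text Richard mentions.
    for lit in re.findall(r"['\"]([A-Za-z0-9+/=]{40,})['\"]", text):
        try:
            base64.b64decode(lit, validate=True)
            reasons.append("long base64 literal (%d chars)" % len(lit))
        except (ValueError, base64.binascii.Error):
            pass
    return reasons

def scan_tree(root: str) -> dict[str, list[str]]:
    """Walk a tree such as /home/<user>/domains/<domain> and inspect every *.php file."""
    findings = {}
    for path in Path(root).rglob("*.php"):
        try:
            text = path.read_text(errors="replace")
        except OSError:
            continue
        reasons = inspect_php(text)
        if reasons:
            findings[str(path)] = reasons
    return findings

# Constructed samples: a plain stats page and a one-liner whose base64 only decodes to a label.
BENIGN = "<?php\n// stats index\n$total = 3;\necho 'Visitors: ' . $total;\n"
SUSPECT = ("<?php eval(base64_decode('"
           + base64.b64encode(b"CONSTRUCTED SAMPLE - this is not executable PHP").decode()
           + "')); ?>")

def demo() -> dict[str, list[str]]:
    """Write both constructed samples into a temporary stats/ folder and scan it."""
    with tempfile.TemporaryDirectory() as root:
        Path(root, "stats").mkdir()
        Path(root, "stats", "index.php").write_text(BENIGN)
        Path(root, "stats", "defauls.php").write_text(SUSPECT)
        return scan_tree(root)
```

Run `scan_tree("/home/<user>/domains/<domain>")` on the server to get a list of files worth opening by hand; a hit is a reason to look, not proof of infection.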