My server seems to have been infected with a Trojan. I run Ubuntu 14.04.3 LTS.

When I approach one of the sites on my server, my Windows ESET scanner blocks the link, throwing a "Trojan Iframe.MA" detected.

When I scan with ClamAV after calling freshclam, like so:

    clamscan -r --bell --remove -i /

clamscan found 1 infected file ... it removes it.

But then I also get 10.800 errors (Permission denied). Some of the directories showing up are below:

  • /sys/module/xt_tcpudp
  • /sys/module/xt_multiport
  • /sys/module/xt_conntrack

And the site still seems to be infected.

Does anyone recognize this issue? And what should I do about it?

It was suggested I should have run as root. Forgot to say I log in as root. Just to be sure, I ran it again like so:

    sudo clamscan -r --bell --remove -i /

I will just add the log summary this puts out:

Known viruses: 4007738
Engine version: 0.98.7
Scanned directories: 28308
Scanned files: 133513
Infected files: 0
Total errors: 10828
Data scanned: 4755.18 MB
Data read: 5678.44 MB (ratio 0.84:1)
Time: 615.395 sec (10 m 15 s)

In the end I found out the virus was inside a theme for a Joomla site, and was pushing out mail using PHPMailer. Almost got me blacklisted.

However the question about why ClamAV doesn't scan everything still stands. Thanks for having a look.

0 Answers