From owner-freebsd-questions@FreeBSD.ORG Sat May 30 17:42:02 2009
From: "Zbigniew Szalbot"
To: freebsd-questions@freebsd.org
Date: Sat, 30 May 2009 19:40:55 +0200
Subject: Best practices in finding out a trojan
User-Agent: SquirrelMail/1.4.19
Hello,

I know this has practically no connection with FreeBSD, but I have a site on shared hosting and it appears the site got a trojan called JS:Cruzer-D. I cannot find anything about it as it appears to be relatively new (28 May). Anyway, I am trying to browse through the Joomla CMS files in the hope of locating it. I haven't seen anything suspicious with the file modification times (and I have checked those which have been modified within a 48h period).

I am a bit stuck at the moment, and if you can offer any advice on how to troubleshoot such things on a UNIX system, I'd be really, really thankful!

There is some information about JS:Cruzer-C on the web, but the code of this trojan is not present on the infected website (I have grepped all the files today).

Ah, I will add that the trojan is only reported by Avast antivirus when people visit the site in IE (in other browsers, this problem does not appear).

Best regards,

-- 
Zbigniew Szalbot
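A defensive triage script for the situation described in the post above, added here as an example and not part of the original message. It assumes a POSIX shell with find, grep and curl available; the grep patterns are generic markers of obfuscated or hidden injected JavaScript and not a signature of JS:Cruzer-D (the post gives no code), and the IE-only symptom is checked by fetching the page under two User-Agent strings and diffing the bodies.

```shell
#!/bin/sh
# Triage helpers for a suspected injected-script infection in a PHP/Joomla
# webroot. Added example, not from the original thread. The indicator
# patterns below are generic markers of obfuscated or hidden injected
# JavaScript; they are NOT a signature for JS:Cruzer-D.

# Files under $1 modified within the last $2 days, newest first.
# Caveat: an attacker can reset mtimes (touch -r), so this is a first pass
# only; a negative result does not clear the tree.
recent_files() {
    find "$1" -type f -mtime "-$2" -exec ls -lt {} + 2>/dev/null
}

# Grep web-facing files for typical injected-JavaScript markers: packed or
# obfuscated eval/unescape chains and zero-size or hidden iframes.
# Prints "file:line:match" per hit; exit status 1 when nothing matched.
scan_injected_js() {
    grep -rnE \
        -e 'eval\(unescape\(' \
        -e 'document\.write\(unescape\(' \
        -e 'String\.fromCharCode\(' \
        -e '<iframe[^>]*(visibility: *hidden|width="?0|height="?0)' \
        --include='*.php' --include='*.js' \
        --include='*.html' --include='*.htm' \
        "$1"
}

# The post says the warning only fires for IE visitors, so the injected
# content may be served conditionally on User-Agent. Fetch $1 once as a
# generic client and once claiming to be IE, then diff the two bodies.
# Assumed IE UA string; any legacy MSIE token serves the same purpose.
compare_by_user_agent() {
    url=$1
    ie_ua='Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)'
    generic=$(mktemp) || return 1
    ie=$(mktemp) || return 1
    curl -sS -A 'curl' "$url" > "$generic"
    curl -sS -A "$ie_ua" "$url" > "$ie"
    diff "$generic" "$ie"
    status=$?
    rm -f "$generic" "$ie"
    return $status
}
```

Run `recent_files /path/to/webroot 2` and `scan_injected_js /path/to/webroot` first; if both are clean, `compare_by_user_agent http://your-site/` shows whether the server hands IE visitors different markup than everyone else.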