Malware Domain List

Malware Related => Compromised Servers => Topic started by: Cyclone on November 02, 2009, 06:04:18 pm

Title: Infected with YES Exploit System
Post by: Cyclone on November 02, 2009, 06:04:18 pm
How can I remove this from the server? It is running cPanel.

I have proper access to remove it if I can find out how, please help!

All sites on the server have malicious JS at the bottom :(
Title: Re: Infected with YES Exploit System
Post by: MysteryFCM on November 02, 2009, 06:14:39 pm
Have you followed the instructions at:

http://www.malwaredomainlist.com/forums/index.php?topic=3122.0

??
Title: Re: Infected with YES Exploit System
Post by: SysAdMini on November 02, 2009, 06:15:28 pm
I don't think that your server has been infected with YES Exploit System, but you can give us the URL and we can look at it.
YES exploit kit doesn't infect/compromise servers. It is an exploit toolkit, sold by criminals. You have to pay for it to get it.
Nobody will install it on your server.

Your server has been compromised and some code has been installed. We can't give you detailed removal instructions, but these guidelines can help you.

http://www.malwaredomainlist.com/forums/index.php?topic=3122.msg10857#msg10857
Title: Re: Infected with YES Exploit System
Post by: Cyclone on November 02, 2009, 06:40:01 pm
I mean that someone has used the toolkit to infect the server, not that someone installed it on there lol. That'd be pointless xD

I did all of those, but there is nothing in there about removing the actual infection.
Title: Re: Infected with YES Exploit System
Post by: MysteryFCM on November 02, 2009, 06:52:37 pm
To remove the infection, as documented in the thread referenced, you've two options:

1. Restore the sites files from a backup
2. Download a copy of the files from the server and go through them one by one to both ensure the files are yours (i.e. they've not added a backdoor shell), and remove the infections from the files

I strongly urge you to delete everything on the server (all folders and files) to ensure nothing is left behind (i.e. a backdoor), and restore the originals from a backup.

However, if you do not have a backup, download a copy of everything from the server (ALL files and folders), go through them to ensure the files/folders present are the original ones you put there, and go through each file to remove the infection manually.
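One way to do the file-by-file comparison described above in bulk, as an added example that is not part of this thread: it walks the live document root against a known-good backup copy and flags pages whose backup version is an exact prefix (returning the injected tail, which can then be searched for elsewhere), pages edited somewhere other than the end, and files that were never in the backup. The sample tree, page content and injected script string are constructed for the demo.

```python
import os
import tempfile

def walk_files(root):
    """Yield (relative path, bytes) for every regular file under root."""
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                yield os.path.relpath(full, root), fh.read()

def triage(backup_root, live_root):
    """Compare a live document root against a known-good backup.
    Returns {path: (status, injected_tail)}: 'unchanged'; 'appended' (backup copy
    is an exact prefix, injected tail returned); 'modified' (edited in place, diff
    by hand); 'new' (absent from backup: inspect as a possible backdoor shell)."""
    known = dict(walk_files(backup_root))
    report = {}
    for path, data in walk_files(live_root):
        orig = known.get(path)
        if orig is None:
            report[path] = ("new", None)
        elif orig == data:
            report[path] = ("unchanged", None)
        elif data.startswith(orig):
            report[path] = ("appended", data[len(orig):])
        else:
            report[path] = ("modified", None)
    return report

def demo():
    """Constructed sample: clean backup vs. live copy with an injected script
    tail on every page, one page edited in place and a file never in the backup."""
    backup, live = tempfile.mkdtemp(), tempfile.mkdtemp()
    page = b"<html><body><p>Hello</p></body></html>\n"
    tail = b"<script>/* constructed stand-in for the injected JS */</script>\n"
    files = {
        os.path.join(backup, "index.html"): page,
        os.path.join(backup, "about", "index.html"): page,
        os.path.join(backup, "contact.html"): page,
        os.path.join(live, "index.html"): page + tail,
        os.path.join(live, "about", "index.html"): page + tail,
        os.path.join(live, "contact.html"): page.replace(b"Hello", b"Hi") + tail,
        os.path.join(live, "images", "x.php"): b"<?php /* constructed unknown file */ ?>",
    }
    for full, data in files.items():
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(data)
    return triage(backup, live)
```

Files reported as 'appended' can be restored from the backup copy; 'modified' and 'new' files still need a manual look, since the original may have been edited in place or a shell dropped into an unrelated directory.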