Author Topic: Infected with YES Exploit System  (Read 13351 times)


November 02, 2009, 06:04:18 pm

Cyclone

How can I remove this from the server? It is running cPanel.

I have proper access to remove it if I can find out how, please help!

All sites on the server have malicious JS at the bottom :(

November 02, 2009, 06:14:39 pm
Reply #1

MysteryFCM

Regards

Steven Burn
I.T. Mate / hpHosts
it-mate.co.uk / hosts-file.net

November 02, 2009, 06:15:28 pm
Reply #2

SysAdMini

I don't think that your server has been infected with YES Exploit System, but you can give us the URL and we can look at it.
YES exploit kit doesn't infect/compromise servers. It is an exploit toolkit, sold by criminals. You have to pay for it to get it.
Nobody will install it on your server.

Your server has been compromised and some code has been installed. We can't give you detailed removal instructions, but these guidelines can help you.

http://www.malwaredomainlist.com/forums/index.php?topic=3122.msg10857#msg10857
Ruining the bad guy's day

November 02, 2009, 06:40:01 pm
Reply #3

Cyclone

I mean that someone has used the toolkit to infect the server, not that someone installed it on there lol. That'd be pointless xD

I did all of those, but there is nothing in there about removing the actual infection.

November 02, 2009, 06:52:37 pm
Reply #4

MysteryFCM

To remove the infection, as documented in the thread referenced, you've two options:

1. Restore the sites files from a backup
2. Download a copy of the files from the server and go through them one by one to both ensure the files are yours (i.e. they've not added a backdoor shell), and remove the infections from the files

I strongly urge you to delete everything on the server (all folders and files) to ensure nothing is left behind (i.e. a backdoor), and restore the originals from a backup.

However, if you do not have a backup, download a copy of everything from the server (ALL files and folders), go through them to ensure the files/folders present are the original ones you put there, and go through each file to remove the infection manually.
Regards

Steven Burn
I.T. Mate / hpHosts
it-mate.co.uk / hosts-file.net
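The two options above (restore from a clean backup, or compare every file against what you originally uploaded and strip the injected block) can be made less error-prone with a small script. The following is an added example, not code from this thread or from any poster: it hashes a live copy of the web root against a clean backup to list added files (candidate backdoors), modified files and missing files, then flags files that carry a `<script>` block after the closing `</html>` tag, which is the "malicious JS at the bottom" pattern the original poster describes. The directory layout, file names and the injected snippet are all constructed for the demo; the trailing-script regex is an assumption about the injection shape and should be checked against a real infected file before `strip_trailing_script` is applied in bulk.

```python
import hashlib
import re
import tempfile
from pathlib import Path
from typing import Dict, List, Optional, Tuple

# Assumed injection shape: one or more <script>...</script> blocks appended after </html>.
# Verify this against an actual infected page before relying on it.
TRAILING_SCRIPT_RE = re.compile(
    r"(</html>\s*)(<script\b.*?</script>\s*)+$", re.IGNORECASE | re.DOTALL
)
WEB_EXTENSIONS = {".html", ".htm", ".php", ".tpl"}


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 so large uploads do not load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def hash_tree(root: Path) -> Dict[str, str]:
    """Map every file under root (relative POSIX path) to its SHA-256."""
    return {p.relative_to(root).as_posix(): sha256_of(p) for p in root.rglob("*") if p.is_file()}


def compare_trees(live: Path, backup: Path) -> Dict[str, List[str]]:
    """Option 2 from the thread: find what differs between the live copy and the known-good backup.
    'added' files were never part of the site and deserve the closest look (possible backdoor shells)."""
    live_h, backup_h = hash_tree(live), hash_tree(backup)
    return {
        "added": sorted(set(live_h) - set(backup_h)),
        "modified": sorted(p for p in live_h if p in backup_h and live_h[p] != backup_h[p]),
        "missing": sorted(set(backup_h) - set(live_h)),
    }


def find_trailing_script(path: Path) -> Optional[str]:
    """Return the script block(s) appended after </html>, or None if the file looks clean."""
    if path.suffix.lower() not in WEB_EXTENSIONS:
        return None
    text = path.read_text(errors="replace")
    m = TRAILING_SCRIPT_RE.search(text)
    return text[m.start() + len(m.group(1)):m.end()] if m else None


def scan_tree(root: Path) -> Dict[str, str]:
    """Flag every web file under root that carries a trailing script block."""
    hits = {}
    for p in root.rglob("*"):
        if p.is_file():
            snippet = find_trailing_script(p)
            if snippet:
                hits[p.relative_to(root).as_posix()] = snippet
    return hits


def strip_trailing_script(text: str) -> str:
    """Remove the appended block, keeping the original </html> and whitespace.
    Only run this on files a human has confirmed are infected in exactly this way."""
    return TRAILING_SCRIPT_RE.sub(lambda m: m.group(1), text)


def build_demo() -> Tuple[Path, Path]:
    """Constructed sample: a clean backup and a live copy with one injected page,
    one attacker-added file (harmless stand-in content) and one deleted file."""
    base = Path(tempfile.mkdtemp(prefix="cleanup-demo-"))
    backup, live = base / "backup", base / "live"
    clean_page = "<html><body>Hello</body></html>\n"
    injected = "<script>/* constructed injected payload */document.write('x');</script>\n"
    for root in (backup, live):
        (root / "images").mkdir(parents=True)
        (root / "about.html").write_text(clean_page)
    (backup / "index.html").write_text(clean_page)
    (backup / "old.html").write_text(clean_page)
    (live / "index.html").write_text(clean_page + injected)
    (live / "images" / "up.php").write_text("<?php /* constructed stand-in for an added file */ ?>\n")
    return live, backup


if __name__ == "__main__":
    live_dir, backup_dir = build_demo()
    print(compare_trees(live_dir, backup_dir))
    for rel, snippet in scan_tree(live_dir).items():
        print(f"{rel}: trailing script found -> {snippet.strip()[:60]}")
```

Run it against a downloaded copy of the site, never directly against the live server, and treat the "added" list as the priority: an injected footer is visible, but a dropped shell script in an images or uploads directory is what lets the attacker come back after the visible JS has been cleaned.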