Infected with YES Exploit System

Cyclone:
How can I remove this from the server? It is running cPanel.

I have proper access to remove it if I can find out how, please help!

All sites on the server have malicious JS at the bottom :(

MysteryFCM:
Have you followed the instructions at;

http://www.malwaredomainlist.com/forums/index.php?topic=3122.0

??

SysAdMini:
I don't think that your server has been infected with YES exploit System, but you can give us the url and we can look at it.
YES exploit kit doesn't infect/compromise servers. It is an exploit toolkit, sold by criminals. You have to pay for it to get it.
Nobody will install it on your server.

Your server has been compromised and some code has been installed. We can't give you detailed removal instructions, but these guidelines can help you.

http://www.malwaredomainlist.com/forums/index.php?topic=3122.msg10857#msg10857

Cyclone:
I mean that someone has used the toolkit to infect the server, not that someone installed it on there lol. That'd be pointless xD

I did all of those, but there is nothing in there about removing the actual infection.

MysteryFCM:
To remove the infection, as documented in the thread referenced, you've two options;

1. Restore the site's files from a backup
2. Download a copy of the files from the server and go through them one by one to both ensure the files are yours (i.e. they've not added a backdoor shell), and remove the infections from the files

I strongly urge you to delete everything on the server (all folders and files) to ensure nothing is left behind (i.e. a backdoor), and restore the originals from a backup.

However, if you do not have a backup, download a copy of everything from the server (ALL files and folders), and go through them to ensure the files/folders present are the original ones you put there, and go through each file to remove the infection manually.
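
Added example, not part of the posts above: one way to speed up the file-by-file review of a downloaded copy when the same JS block has been appended to the bottom of every page. It assumes the appended code sits after the closing `</html>` tag; the names `trailer` and `shared_trailers` are made up for this sketch, and the sample files are constructed.

```python
import hashlib
import os
import re
import tempfile
from collections import defaultdict

PAGE_EXT = (".html", ".htm", ".php")  # assumption: pages that end in </html>
CLOSE_HTML = re.compile(rb"</html\s*>", re.IGNORECASE)

def trailer(data: bytes) -> bytes:
    """Bytes after the last </html> tag, whitespace-stripped (b"" if none)."""
    last = None
    for last in CLOSE_HTML.finditer(data):
        pass
    return data[last.end():].strip() if last else b""

def shared_trailers(root: str, min_files: int = 2) -> dict:
    """{sha256: (trailer, [relative paths])} for trailers seen in >= min_files files."""
    paths, sample = defaultdict(list), {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(PAGE_EXT):
                continue
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                tail = trailer(fh.read())
            if tail:  # anything after </html> is worth a look
                digest = hashlib.sha256(tail).hexdigest()
                paths[digest].append(os.path.relpath(full, root))
                sample[digest] = tail
    return {d: (sample[d], sorted(p)) for d, p in paths.items() if len(p) >= min_files}

def demo() -> dict:
    """Scan a constructed three-file site copy: two injected pages, one clean."""
    injected = b"<script>/* constructed sample of appended code */</script>"
    page = b"<html><body>hello</body></html>\n"
    with tempfile.TemporaryDirectory() as root:
        os.mkdir(os.path.join(root, "shop"))
        for rel, body in (("index.html", page + injected),
                          (os.path.join("shop", "cart.php"), page + injected + b"\n"),
                          ("about.html", page)):
            with open(os.path.join(root, rel), "wb") as fh:
                fh.write(body)
        return shared_trailers(root)

if __name__ == "__main__":
    for digest, (tail, files) in demo().items():
        print(digest[:12], len(files), "files:", files, tail[:60])
```

Standalone `.js` files and PHP files without a closing `</html>` are not covered by this grouping and still need the manual review described above, as do any files you did not put on the server yourself.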
