From owner-freebsd-questions@FreeBSD.ORG Sat May 30 17:59:56 2009
From: Mel Flynn
To: freebsd-questions@freebsd.org
Cc: Zbigniew Szalbot
Date: Sat, 30 May 2009 19:59:52 +0200
Subject: Re: Best practices in finding out a trojan
Message-Id: <200905301959.52552.mel.flynn+fbsd.questions@mailing.thruhere.net>
User-Agent: KMail/1.11.3 (FreeBSD/8.0-CURRENT; KDE/4.2.3; i386; ; )

On Saturday 30 May 2009 19:40:55 Zbigniew Szalbot wrote:
> I know this has practically no connection with FreeBSD but I have a site
> on a shared hosting and it appears the site got a trojan called
> JS:Cruzer-D. I cannot find anything about it as it appears to be
> relatively new (28 May). Anyway, I am trying to browse through the Joomla
> CMS files in hope of locating it. I haven't seen anything suspicious with
> the file modification time (and I have checked those which have been
> modified within a 48h period).

Normally, grep and find would do it, or running clamav over the system.

However, from what I'm reading on the web, avast gives false positives for
this trojan, even flagging a gif image:
http://forum.avast.com/index.php?topic=45730.msg383138#msg383138

So I wouldn't worry about finding it, but more about informing your users
that there is no trojan on the site and that they should complain to avast
about this issue. You could ask visitors to try and identify the file that
sets off this false positive. The procedure for that is described in the
above post.

-- 
Mel
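The find/grep pass Mel mentions, written out as an added example (this is not code from the original thread). It builds a small constructed Joomla-style tree, lists files changed in the last 48 hours, and greps for a generic set of injected-script idioms; the pattern list, the directory names and the sample contents are assumptions for illustration, not a signature for JS:Cruzer-D or any other specific detection.

```shell
#!/bin/sh
# Added example (not from the original post): the find/grep sweep Mel
# suggests, run over a web root on a shared host. make_sample_site builds
# a constructed tree; the marker regexes are a generic list of injected
# JavaScript/PHP idioms, not a signature for any particular malware.

# scan_recent DIR HOURS: regular files whose mtime is within HOURS hours.
scan_recent() {
    find "$1" -type f -mmin "-$(( $2 * 60 ))" | sort
}

# scan_recent_ctime DIR HOURS: same window, but on ctime. An attacker can
# back-date mtime with touch -r; ctime is set by the kernel and survives that.
scan_recent_ctime() {
    find "$1" -type f -cmin "-$(( $2 * 60 ))" | sort
}

# scan_markers DIR: files containing common injected-script idioms
# (obfuscated eval, document.write(unescape(...)), zero-size iframes,
# fromCharCode decoding). Expect some false positives in legitimate JS.
scan_markers() {
    grep -rlE \
        -e 'eval\((unescape|base64_decode|gzinflate|str_rot13)\(' \
        -e 'document\.write\(unescape\(' \
        -e '<iframe[^>]*(width|height)="?0' \
        -e 'String\.fromCharCode\(' \
        "$1" 2>/dev/null | sort
}

# make_sample_site DIR: constructed Joomla-like tree. The two clean files
# are back-dated to 2009 so only the injected template counts as "recent".
make_sample_site() {
    dir=$1
    mkdir -p "$dir/media/system/js" "$dir/templates/beez"
    printf '<?php echo "clean front controller"; ?>\n' > "$dir/index.php"
    printf 'var Site = function () { return 1; };\n' > "$dir/media/system/js/site.js"
    cat > "$dir/templates/beez/index.php" <<'EOF'
<?php echo "template"; ?>
<script>eval(unescape('%64%6f%63%75%6d%65%6e%74%2e%77%72%69%74%65'));</script>
<iframe src="http://example.invalid/" width="0" height="0"></iframe>
EOF
    touch -t 200901010000 "$dir/index.php" "$dir/media/system/js/site.js"
}

# Stand-alone demo: build the sample tree in a temp dir and run the scans.
tmp=$(mktemp -d)
make_sample_site "$tmp"
echo "modified (mtime) in last 48h:";  scan_recent "$tmp" 48
echo "changed (ctime) in last 48h:";   scan_recent_ctime "$tmp" 48
echo "containing injected-script markers:"; scan_markers "$tmp"
rm -rf "$tmp"
```

On a real site, run scan_markers over the whole document root rather than only the recently modified files: the ctime scan catches a back-dated mtime, but neither timestamp helps if the injection predates the window you are checking, and a hit in a template or a minified library file still needs a manual look before you call it a trojan rather than a scanner false positive.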