J.Fordmast
May 11th, 2006, 08:18 PM
Are webhosts installing rootkits?
I was doing some research recently on which webhost I want to host my website. After I was finished for the day I ran a Webroot Spysweeper scan. It picked up 4 potential system monitor/rootkit files that I had obtained from the following sites:
alwayswebhosting_com -- premium quality, super fast, and super friendly cpanel hosting! v102.mht (ID = 0)
site5 web hosting - affordable ecommerce, email, business, domain and web hosting plan comparisons.mht (ID = 0)
ion hosting - affordable web hosting, front page, cpanel, plesk, reseller, ecommerce2.htm (ID = 0)
cpanel web hosting - cpanel reseller hosting - linux web hosting - fantastico - rvskin - unlimited domains.mht (ID = 0)
(This is how they appeared in my Spysweeper session log.)
When I tried to quarantine the files, it said they were in use and couldn’t be removed without a reboot. The reboot successfully removed them.
I wonder if anybody can duplicate these findings. If you’re curious, I’m running Windows XP, Internet Explorer with active scripting enabled. Visit these sites and save a few pages as Web archive single file (*.mht). Then later click on these files and open them up. Close them and then run a Webroot Spysweeper scan. (P.S. I wasn’t connected to the internet when I ran the scan.) Thanks!