  1. #1
    Member
    Join Date
    Apr 2004
    Posts
    9

    HELP, HELP Trojan Horses Detected by (WHM)

    Hidden Pid detected! [pid 143]
    hidden from ps: [yes]
    hidden from kernel: [yes]
    binary location: [/sbin/adjkerntz]

    Hidden Pid detected! [pid 266]
    hidden from ps: [yes]
    hidden from kernel: [yes]
    binary location: [/usr/sbin/syslogd]

    Hidden Pid detected! [pid 359]
    hidden from ps: [yes]
    hidden from kernel: [yes]
    binary location: [/usr/sbin/usbd]

    Hidden Pid detected! [pid 408]
    hidden from ps: [yes]
    hidden from kernel: [yes]
    binary location: [/usr/sbin/sshd]

    Hidden Pid detected! [pid 426]
    hidden from ps: [yes]
    hidden from kernel: [yes]
    binary location: [/usr/sbin/cron]

    Hidden Pid detected! [pid 446]
    hidden from ps: [yes]
    hidden from kernel: [yes]
    binary location: [/usr/sbin/named]

    Hidden Pid detected! [pid 474]
    hidden from ps: [yes]
    hidden from kernel: [yes]
    binary location: [/usr/local/bin/perl]

    Hidden Pid detected! [pid 479]
    hidden from ps: [yes]
    hidden from kernel: [yes]
    binary location: [/usr/local/libexec/proftpd]

    Hidden Pid detected! [pid 584]
    hidden from ps: [yes]
    hidden from kernel: [yes]
    binary location: [/usr/local/cpanel/3rdparty/bin/melange]

    Hidden Pid detected! [pid 595]
    hidden from ps: [yes]
    hidden from kernel: [yes]
    binary location: [/bin/sh]

    Hidden Pid detected! [pid 636]
    hidden from ps: [yes]
    hidden from kernel: [yes]
    binary location: [/usr/libexec/getty]

    Hidden Pid detected! [pid 637]
    hidden from ps: [yes]
    hidden from kernel: [yes]
    binary location: [/usr/libexec/getty]

    Hidden Pid detected! [pid 638]
    hidden from ps: [yes]
    hidden from kernel: [yes]
    binary location: [/usr/libexec/getty]

    Hidden Pid detected! [pid 639]
    hidden from ps: [yes]
    hidden from kernel: [yes]
    binary location: [/usr/libexec/getty]

    Hidden Pid detected! [pid 640]
    hidden from ps: [yes]
    hidden from kernel: [yes]
    binary location: [/usr/libexec/getty]




    I use FreeBSD. Please tell me what to do next.

    Help, help!!

  2. #2
    cPanel Partner NOC
    Join Date
    May 2002
    Posts
    122

    Based on the processes listed, I am guessing this is a FreeBSD box. I have seen a similar occurrence on FreeBSD; they are false positives.

  3. #3
    Member
    Join Date
    Apr 2004
    Posts
    9

    Please tell me what to do next.
    Do I need to rebuild my FreeBSD system or only the kernel?

  4. #4
    Member nyjimbo
    Join Date
    Jan 2003
    Location
    New York
    Posts
    1,105

    I've never seen this sort of thing. How is it that WHM alerted you to it? Did you run something?
    "A dog has raised its hind leg on the age of nevermore !"
    -- Rolf

  5. #5
    Member
    Join Date
    Apr 2004
    Posts
    9

    I run nothing.

  6. #6
    Member
    Join Date
    Apr 2004
    Posts
    9

    Please tell me how to solve it!!


  7. #7
    Member nyjimbo
    Join Date
    Jan 2003
    Location
    New York
    Posts
    1,105

    Do you have console access? Can you run a "ps ax" and see if those are normal tasks?

    Since the thing is giving you the PIDs, if you do a "ps ax" and see those PIDs, and they show the programs as listed in the warning, then they can't be hidden from ps. Then all you have to do is go see some of the date stamps of those files; if they match the rest of most of the binaries, chances are you are seeing a false positive, as the other poster mentioned.
    "A dog has raised its hind leg on the age of nevermore !"
    -- Rolf
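
The cross-check described in post #7, as an added example that is not part of the original thread: it parses an alert in the format shown in post #1, looks each reported PID up in `ps ax` output, and lists the date stamps of the reported binaries. The sample alert and ps listing are constructed, and the function names and `report.txt` are hypothetical.

```shell
#!/bin/sh
# Constructed sample alert, same layout as the report in post #1.
REPORT='Hidden Pid detected! [pid 143]
hidden from ps: [yes]
binary location: [/sbin/adjkerntz]

Hidden Pid detected! [pid 426]
hidden from ps: [yes]
binary location: [/usr/sbin/cron]

Hidden Pid detected! [pid 595]
hidden from ps: [yes]
binary location: [/bin/sh]'

# Constructed "ps ax" output (FreeBSD columns: PID TT STAT TIME COMMAND).
PS_OUT='  PID  TT  STAT      TIME COMMAND
  143  ??  Is     0:00.00 adjkerntz -i
  426  ??  Ss     0:00.10 /usr/sbin/named'

# Emit one "pid path" line per alert entry.
report_pairs() {
  printf '%s\n' "$1" | awk '
    /Hidden Pid detected!/ { gsub(/[^0-9]/, "", $0); pid = $0 }
    /binary location:/     { sub(/^.*\[/, ""); sub(/\].*$/, ""); print pid, $0 }'
}

# $1 = alert text, $2 = ps ax output. Compares the reported binary's
# basename with the command ps shows for the same PID.
classify() {
  report_pairs "$1" | while read -r pid path; do
    cmd=$(printf '%s\n' "$2" | awk -v p="$pid" '$1 == p { print $5 }')
    if [ -z "$cmd" ]; then
      echo "$pid $path NOT_IN_PS"
    elif [ "${cmd##*/}" = "${path##*/}" ]; then
      echo "$pid $path VISIBLE_MATCH"
    else
      echo "$pid $path VISIBLE_MISMATCH $cmd"
    fi
  done
}

# Date-stamp step: list each reported binary so its mtime can be
# compared with the rest of the system binaries.
stamps() {
  report_pairs "$1" | while read -r pid path; do
    ls -l "$path" 2>/dev/null || echo "missing: $path"
  done
}
# Live use: classify "$(cat report.txt)" "$(ps ax)"; stamps "$(cat report.txt)"
```

A `VISIBLE_MATCH` only shows that the `ps` binary on that host lists the process; if the host is actually compromised, `ps` itself may have been replaced, so a clean result is strongest when the tools come from trusted media.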

  8. #8
    Member
    Join Date
    Apr 2004
    Posts
    9

    I run chkrootkit, found 17 processes hidden from ps,
    and it also warns my server may have a rootkit.
