Trojan Horses Detected by (WHM)... ?
We're starting to see this from one of our servers...
Hidden Pid detected! [pid 334]
hidden from ps: [yes]
hidden from kernel: [yes]
binary location: [/sbin/init2.4.18 (deleted)]
chkrootkit reports nothing other than the standard Port 465 error due to PortSentry. Is there something we should be looking for? Has anyone run into this before?
Thanks - Brian
Try this. In ssh type init
You should this, Usage: init 0123456SsQqAaBbCcUu
If you see other wise the system has been comprimised. The init file you'll probably end up seeing will have an option to unhide pids etc...
Check there first.
Also another really simple way to catch the kiddie hackers, is to grep through /usr/bin /usr/sbin /bin /sbin lookinf for the work "****************" all in caps. That is one of the strings found in a lot of hackers programs.
That would be the start.
Regards,
David
Forum Moderator
Also check in /usr/man for a hidden directory, I think it was called .sman
Regards,
David
Forum Moderator
No hidden directories, at least not there. I also looked in /dev - as I've seen script kiddies use that folder too.Originally posted by dgbaker
Also check in /usr/man for a hidden directory, I think it was called .sman
Also, init produces the correct output when run, and no hidden processes...
I wonder if this could be a CPanel bug or something?
Thanks - Brian
LinkBack URL
About LinkBacks
Reply With Quote