mrcancel

Registered
Jun 4, 2007
Hello,
Sorry for my English and for being a newbie!
I have run a scan for trojans in WHM and the result is below:
Possible Trojan - /usr/bin/cpan
Possible Trojan - /usr/bin/instmodsh
Possible Trojan - /usr/bin/prove
Possible Trojan - /usr/bin/pstruct
Possible Trojan - /usr/bin/splain
Possible Trojan - /usr/sbin/pureauth
Possible Trojan - /usr/sbin/packer
Please help explain them to me! Are they trojans or not?
Thank you!
 

DaemonLee

Member
Jul 8, 2005
It very much is junk.


I second the recommendations on chkrootkit and rkhunter. Please use the aforementioned and then get back to us.
 

Daniel15

Well-Known Member
Oct 7, 2006
Yep, it's definitely junk... Here's what it returned for me:
Possible Trojan - /etc/cron.daily/logrotate
Possible Trojan - /usr/bin/cpan
Possible Trojan - /usr/bin/instmodsh
Possible Trojan - /usr/bin/prove
Possible Trojan - /usr/bin/pstruct
Possible Trojan - /usr/bin/splain

Possible Trojan - /usr/bin/Wand-config
Possible Trojan - /usr/bin/animate
Possible Trojan - /usr/bin/compare
Possible Trojan - /usr/bin/composite
Possible Trojan - /usr/bin/conjure
Possible Trojan - /usr/bin/convert
Possible Trojan - /usr/bin/display
Possible Trojan - /usr/bin/identify
Possible Trojan - /usr/bin/import
Possible Trojan - /usr/bin/mogrify
Possible Trojan - /usr/bin/montage
Possible Trojan - /usr/sbin/packer
None of those files are trojans, I checked them myself.

Please please please, don't say that, it's not JUNK, at least it doesn't return a BLANK PAGE.
Yep, those dots it returns are quite useful :P
 

chirpy

Well-Known Member
Verified Vendor
Jun 15, 2002
The reason you get so many false-positives is that you have OS vendor installed rpms which cPanel overwrites with copies compiled from source. The Trojan function simply performs an rpm -V on the rpm database and reports the inconsistencies that this causes.

For that reason, it isn't of much practical use and you're better off using a tool that monitors for binary/library file changes.
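
Added example, not part of any post in this thread: a way to triage `rpm -V` output so that content changes to executables stand out from config edits and timestamp drift. The function names and the sample output are constructed for illustration, and paths containing spaces are not handled.

```shell
#!/bin/sh
# Constructed sample of `rpm -Va` output (not taken from the thread's servers).
# Columns: verification flags, optional file-type marker (c = config), path.
sample_rpm_verify_output() {
cat <<'EOF'
S.5....T.    /usr/bin/cpan
S.5....T.    /usr/bin/prove
.......T.    /usr/bin/splain
S.5....T.  c /etc/logrotate.conf
.M.......    /usr/sbin/packer
missing      /usr/bin/pstruct
..5....T.    /usr/share/doc/example/README
EOF
}

# Read `rpm -V` style output on stdin and print one triage line per file:
#   CONTENT  digest flag "5" set on a non-config file under bin/sbin/lib
#   MODE     mode flag "M" set on such a file, digest unchanged
#   MISSING  a packaged file no longer exists
#   benign   config edits, timestamp-only drift, files outside those dirs
triage_rpm_verify() {
  awk '
    $1 == "missing" { print "MISSING " $NF; next }
    {
      flags = $1; path = $NF
      is_config = (NF == 3 && $2 == "c")
      in_exec_dir = (path ~ /^\/(usr\/)?(s?bin|lib(64)?)\//)
      if (!is_config && in_exec_dir && index(flags, "5")) print "CONTENT " path
      else if (!is_config && in_exec_dir && index(flags, "M")) print "MODE " path
      else print "benign " path
    }'
}

# Count the triage lines on stdin that carry the label given as $1.
count_label() {
  triage_rpm_verify | grep -c "^$1 " || true
}

# Demo on the constructed sample; on a real host: rpm -Va | triage_rpm_verify
sample_rpm_verify_output | triage_rpm_verify
```

For each CONTENT line, `rpm -qf <path>` names the owning package, which shows whether the mismatches cluster in packages that were rebuilt from source.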