The Community Forums


Are These Actual Trojans?

Discussion in 'General Discussion' started by prettydumb, Sep 1, 2007.

  1. prettydumb

    prettydumb Active Member

    Joined:
    Aug 25, 2007
    Messages:
    35
    Likes Received:
    0
    Trophy Points:
    6
    This is the message I received which leads me to this question:

    /var/www/mrtg/tcp.log


    /usr/lib/php/.registry /usr/lib/php/.registry/.channel.pecl.php.net /usr/lib/php/.registry/.channel.__uri /usr/lib/php/.channels /usr/lib/php/.channels/.alias
    INFECTED (PORTS: 465)
    You have 2 process hidden for readdir command
    You have 2 process hidden for ps command
    chkproc: Warning: Possible LKM Trojan installed

    I ran a scan to see if there might be trojans on my system and found the following:

    Does anyone recognize if these files are supposed to be in the system?

    17 POSSIBLE Trojans Detected
    Possible Trojan - /etc/crondaily/logrotate
    Possible Trojan - /etc/initd/exim
    Possible Trojan - /usr/bin/cpan
    Possible Trojan - /usr/bin/instmodsh
    Possible Trojan - /usr/bin/logchecksh
    Possible Trojan - /usr/bin/pear
    Possible Trojan - /usr/bin/prove
    Possible Trojan - /usr/bin/psed
    Possible Trojan - /usr/bin/pstruct
    Possible Trojan - /usr/bin/s2p
    Possible Trojan - /usr/bin/splain
    Possible Trojan - /usr/bin/xsubpp
    Possible Trojan - /usr/sbin/antirelayd
    Possible Trojan - /usr/sbin/diskdumpctl_proc
    Possible Trojan - /usr/sbin/packer
    Possible Trojan - /usr/sbin/pureauth
    Possible Trojan - /usr/sbin/savecore

    =============

    Here is the script for "instmodsh"

    =============

    #!/usr/bin/perl -w

    eval 'exec /usr/bin/perl -w -S $0 ${1+"$@"}'
        if 0; # not running under some shell

    use strict;
    use IO::File;
    use ExtUtils::Packlist;
    use ExtUtils::Installed;

    use vars qw($Inst @Modules);


    =head1 NAME

    instmodsh - A shell to examine installed modules

    =head1 SYNOPSIS

    instmodsh

    =head1 DESCRIPTION

    A little interface to ExtUtils::Installed to examine installed modules,
    validate your packlists and even create a tarball from an installed module.

    =head1 SEE ALSO

    ExtUtils::Installed

    =cut


    my $Module_Help = <<EOF;
    Available commands are:
       f [all|prog|doc]   - List installed files of a given type
       d [all|prog|doc]   - List the directories used by a module
       v                  - Validate the .packlist - check for missing files
       t <tarfile>        - Create a tar archive of the module
       h                  - Display module help
       q                  - Quit the module
    EOF

    my %Module_Commands = (
        f => \&list_installed,
        d => \&list_directories,
        v => \&validate_packlist,
        t => \&create_archive,
        h => \&module_help,
    );

    sub do_module($) {
        my ($module) = @_;

        print($Module_Help);
        MODULE_CMD: while (1) {
            print("$module cmd? ");

            my $reply = <STDIN>; chomp($reply);
            my($cmd) = $reply =~ /^(\w)\b/;

            last if $cmd eq 'q';

            if( $Module_Commands{$cmd} ) {
                $Module_Commands{$cmd}->($reply, $module);
            }
            elsif( $cmd eq 'q' ) {
                last MODULE_CMD;
            }
            else {
                module_help();
            }
        }
    }


    sub list_installed {
        my($reply, $module) = @_;

        my $class = (split(' ', $reply))[1];
        $class = 'all' unless $class;

        my @files;
        if (eval { @files = $Inst->files($module, $class); }) {
            print("$class files in $module are:\n ",
                  join("\n ", @files), "\n");
        }
        else {
            print($@);
        }
    };


    sub list_directories {
        my($reply, $module) = @_;

        my $class = (split(' ', $reply))[1];
        $class = 'all' unless $class;

        my @dirs;
        if (eval { @dirs = $Inst->directories($module, $class); }) {
            print("$class directories in $module are:\n ",
                  join("\n ", @dirs), "\n");
        }
        else {
            print($@);
        }
    }


    sub create_archive {
        my($reply, $module) = @_;

        my $file = (split(' ', $reply))[1];

        if( !(defined $file and length $file) ) {
            print "No tar file specified\n";
        }
        elsif( eval { require Archive::Tar } ) {
            Archive::Tar->create_archive($file, 0, $Inst->files($module));
        }
        else {
            my($first, @rest) = $Inst->files($module);
            system('tar', 'cvf', $file, $first);
            for my $f (@rest) {
                system('tar', 'rvf', $file, $f);
            }
            print "Can't use tar\n" if $?;
        }
    }


    sub validate_packlist {
        my($reply, $module) = @_;

        if (my @missing = $Inst->validate($module)) {
            print("Files missing from $module are:\n ",
                  join("\n ", @missing), "\n");
        }
        else {
            print("$module has no missing files\n");
        }
    }

    sub module_help {
        print $Module_Help;
    }



    ##############################################################################

    sub toplevel()
    {
        my $help = <<EOF;
    Available commands are:
       l            - List all installed modules
       m <module>   - Select a module
       q            - Quit the program
    EOF
        print($help);
        while (1)
        {
            print("cmd? ");
            my $reply = <STDIN>; chomp($reply);
            CASE:
            {
                $reply eq 'l' and do
                {
                    print("Installed modules are:\n ", join("\n ", @Modules), "\n");
                    last CASE;
                };
                $reply =~ /^m\s+/ and do
                {
                    do_module((split(' ', $reply))[1]);
                    last CASE;
                };
                $reply eq 'q' and do
                {
                    exit(0);
                };
                # Default
                print($help);
            }
        }
    }


    ###############################################################################

    $Inst = ExtUtils::Installed->new();
    @Modules = $Inst->modules();
    toplevel();

    ###############################################################################

    Shaking in my pants and feeling like my name.
     
    #1 prettydumb, Sep 1, 2007
    Last edited: Sep 1, 2007
  2. vanessa

    vanessa Well-Known Member
    PartnerNOC

    Joined:
    Sep 26, 2006
    Messages:
    817
    Likes Received:
    22
    Trophy Points:
    18
    Location:
    Virginia Beach, VA
    cPanel Access Level:
    DataCenter Provider
    One thing I've noticed about those trojan scanners is that it seems to think every file with a funny name is a hack. Running a cPanel update changes some of the binaries, so it makes those trojan scanners think the files have been altered illegitimately.

    Most of the files in that list I recognize, but you might want to break out the google to check the other ones to see what they are.
     
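One way to act on the point above (check what the flagged files actually are instead of trusting the scanner's name heuristics) is to cross-check every path in the "Possible Trojan" report against a trusted hash manifest, so a binary legitimately replaced by an update verifies while a genuinely altered or unrecognised one stands out. This is an added example and not code from the thread or from cPanel; the report excerpt, file contents and manifest are constructed, and in real use the manifest would come from the package database or from hashes recorded on a known-clean system right after the last update.

```python
import hashlib, os, re, tempfile
# Constructed excerpt in the format of the report quoted in the thread.
REPORT = """17 POSSIBLE Trojans Detected
Possible Trojan - /usr/bin/instmodsh
Possible Trojan - /usr/bin/pear
Possible Trojan - /usr/sbin/antirelayd
"""
FLAGGED_RE = re.compile(r"^Possible Trojan - (\S+)$", re.M)

def parse_flagged(report):
    """Paths the scanner flagged, in report order."""
    return FLAGGED_RE.findall(report)

def sha256_of(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

def triage(flagged, manifest, root=""):
    """Classify each flagged path against a trusted manifest {path: sha256}:
    verified (hash matches, e.g. a binary replaced by a cPanel update),
    modified (content differs: investigate), unknown (no record), missing."""
    results = {}
    for p in flagged:
        full = root + p
        if not os.path.isfile(full):
            results[p] = "missing"
        elif p not in manifest:
            results[p] = "unknown"
        elif sha256_of(full) == manifest[p]:
            results[p] = "verified"
        else:
            results[p] = "modified"
    return results

def demo():
    """Triage against a constructed fake root; every file content is made up."""
    root = tempfile.mkdtemp()
    good = b"#!/usr/bin/perl -w\n# known-good instmodsh\n"
    on_disk = {"/usr/bin/instmodsh": good,
               "/usr/bin/pear": b"#!/bin/sh\necho tampered\n",
               "/usr/sbin/antirelayd": b"#!/usr/bin/perl\n"}
    for p, data in on_disk.items():
        os.makedirs(os.path.dirname(root + p), exist_ok=True)
        with open(root + p, "wb") as f:
            f.write(data)
    # Manifest as recorded from a trusted source (package database or clean-system hash list).
    manifest = {"/usr/bin/instmodsh": hashlib.sha256(good).hexdigest(),
                "/usr/bin/pear": hashlib.sha256(b"#!/bin/sh\necho original\n").hexdigest()}
    return triage(parse_flagged(REPORT), manifest, root)
```

Only the "modified" and "unknown" verdicts need follow-up; "verified" entries are the post-update binaries the scanner complains about.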
  3. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    Joined:
    May 20, 2003
    Messages:
    14,446
    Likes Received:
    195
    Trophy Points:
    63
    Location:
    Pennsylvania
    cPanel Access Level:
    Root Administrator
    Someone correct me if I'm wrong, but that message you get can be safely ignored. I've asked about this before and was given the message I just passed onto you. ;)
     
  4. Boriskag

    Boriskag Well-Known Member

    Joined:
    Apr 8, 2006
    Messages:
    67
    Likes Received:
    0
    Trophy Points:
    6
    Old thread, but I get the same messages, on a fresh cPanel install, so I guess it's nothing to worry about.
     