The Community Forums


Are these real trojans?

Discussion in 'General Discussion' started by pingo, Sep 12, 2003.

  1. pingo

    I learned from another thread that .pyc files are cPanel files and not trojans. But what about the other files I found in the scan?

    Possible Trojan - /usr/bin/GET
    Possible Trojan - /usr/bin/HEAD
    Possible Trojan - /usr/bin/POST
    Possible Trojan - /usr/bin/lwp-download
    Possible Trojan - /usr/bin/lwp-mirror
    Possible Trojan - /usr/bin/lwp-request
    Possible Trojan - /usr/bin/lwp-rget
    Possible Trojan - /usr/bin/h2ph
    Possible Trojan - /usr/bin/h2xs
    Possible Trojan - /usr/bin/pod2latex
    Possible Trojan - /usr/bin/pod2man
    Possible Trojan - /usr/bin/pod2text
    Possible Trojan - /usr/bin/pod2usage
    Possible Trojan - /usr/bin/podchecker
    Possible Trojan - /usr/bin/podselect
    Possible Trojan - /usr/bin/s2p
    Possible Trojan - /usr/bin/splain
    Possible Trojan - /usr/bin/curl-config
    Possible Trojan - /usr/lib/python1.5/site-packages/cgiwrap.pyc
    Possible Trojan - /usr/lib/python1.5/site-packages/xmlrpclib.pyc
    Possible Trojan - /usr/bin/curl
    Possible Trojan - /usr/share/rhn/register/config.pyc
    Possible Trojan - /usr/share/rhn/register/configUtils.pyc
    Possible Trojan - /usr/share/rhn/register/rhnreg.pyc
    Possible Trojan - /usr/share/rhn/register/text_config.pyc
    Possible Trojan - /usr/share/rhn/register/translate.pyc

    26 POSSIBLE Trojans Detected

    Do I have a problem?

    Thanks
    John

    cPanel.net Support Ticket Number:
     
  2. matthewdavis

    One way to find out is to find out which RPM package they are a part of, then verify if that package is still intact.

    # rpm -qf `which /path/to/file`

    That will give you the package it's a part of. Note those are not quotes, they are tick marks. You get them by pushing the button left of the #1 button. It should be the tilde (~) without the shift. The tick marks tell the shell to parse that command first.

    Then

    # rpm -V packagename

    For example, if I query the /usr/bin/lwp-rget file, I get this.

    # rpm -qf `which /usr/bin/lwp-rget`
    perl-libwww-perl-5.65-6

    Then I verify if the perl-libwww-perl package is still intact (as far as the RPM database is concerned).

    # rpm -V perl-libwww-perl
    S.5....T /usr/bin/lwp-rget
    missing /usr/lib/perl5/vendor_perl/5.8.0/HTML/Form.pm
    missing /usr/lib/perl5/vendor_perl/5.8.0/HTTP/Cookies.pm
    missing /usr/lib/perl5/vendor_perl/5.8.0/HTTP/Daemon.pm
    missing /usr/lib/perl5/vendor_perl/5.8.0/HTTP/Headers.pm
    missing /usr/lib/perl5/vendor_perl/5.8.0/HTTP/Headers/Util.pm
    missing /usr/lib/perl5/vendor_perl/5.8.0/LWP.pm
    missing /usr/lib/perl5/vendor_perl/5.8.0/LWP/Protocol/http.pm
    missing /usr/lib/perl5/vendor_perl/5.8.0/LWP/RobotUA.pm
    missing /usr/lib/perl5/vendor_perl/5.8.0/LWP/Simple.pm
    missing /usr/lib/perl5/vendor_perl/5.8.0/LWP/UserAgent.pm
    missing /usr/lib/perl5/vendor_perl/5.8.0/Net/HTTP.pm
    missing /usr/lib/perl5/vendor_perl/5.8.0/Net/HTTP/Methods.pm
    missing /usr/lib/perl5/vendor_perl/5.8.0/Net/HTTPS.pm
    missing /usr/lib/perl5/vendor_perl/5.8.0/WWW/RobotRules.pm

    That means the package is not intact, and you should uninstall it and reinstall the package.

    Uninstall
    # rpm -e --nodeps package
    Install
    # rpm -Uhv package.rpm

    That way you know for sure if the file is a trojan or not.

    cPanel.net Support Ticket Number:
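How to read the `rpm -V` lines quoted in the post above, as an added example that is not part of the original thread: each flag column names an attribute that differs from the local RPM database (S size, 5 digest, T mtime), so `S.5....T` on /usr/bin/lwp-rget means its contents changed. The function names and the last two sample lines are constructed for illustration.

```shell
#!/bin/sh
# Classify `rpm -V` output lines (read from stdin) by what changed.
#   CONTENT   digest flag "5" is set: the file's contents differ
#   MISSING   a file recorded in the RPM database is gone
#   METADATA  only size/mode/owner/mtime etc. differ
# "(config)" marks files the package declares as configuration ("c").
# Paths containing whitespace are not handled.
classify_rpm_verify() {
    awk '
    $1 == "missing" {
        path = ($2 ~ /^[cdglr]$/) ? $3 : $2
        print "MISSING " path; next
    }
    $1 ~ /^[SM5DLUGTP.?]+$/ && length($1) >= 8 {
        cfg = ""; path = $2
        if ($2 ~ /^[cdglr]$/) { path = $3; if ($2 == "c") cfg = " (config)" }
        verdict = (index($1, "5") > 0) ? "CONTENT" : "METADATA"
        print verdict " " path cfg
    }'
}

# Constructed sample: the first two lines come from the thread's output,
# the last two are made up to show the other cases.
sample_output() {
    cat <<'EOF'
S.5....T /usr/bin/lwp-rget
missing /usr/lib/perl5/vendor_perl/5.8.0/LWP.pm
.......T c /etc/example.conf
.M...... /usr/bin/example-tool
EOF
}

# Count sample lines that received the given verdict.
count_verdict() {
    sample_output | classify_rpm_verify | grep -c "^$1 " || true
}

# On a live system, feed real output instead:
#   rpm -V "$(rpm -qf /usr/bin/lwp-rget)" | classify_rpm_verify
sample_output | classify_rpm_verify
```

A CONTENT or MISSING verdict on a binary is the case worth investigating; a METADATA verdict on a config file is usually routine.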

     
  3. B12Org

    When I try to install the package.rpm, it says no file or dir.
     
  4. matthewdavis

    package should be replaced by the name of the package needing reinstalling.

    Say the package perl-libwww-perl-5.65-6 needed to be reinstalled. You first need the rpm for perl-libwww-perl-5.65-6. Then you uninstall perl-libwww-perl-5.65-6 by the command

    # rpm -e perl-libwww-perl

    Note the version number is not needed. If you get errors about dependencies, do

    # rpm -e --nodeps perl-libwww-perl

    Then reinstall using the rpm.

    # rpm -Uhv perl-libwww-perl-5.65-6.rpm

    If perl-libwww-perl-5.65-6.rpm is the name of the file.
     
  5. B12Org

    Oh, I need to download it first. I see. I was hoping that it would autodownload like in WHM. Ok, thanks!
     
  6. cptsanity

    Why doesn't cPanel script the integrity check against the originally installed files so that it doesn't require a manual check? Is there some sort of hidden issue? You would think that it would be pretty straightforward considering some of the other features of the product.
     