The Community Forums


Are these trojans

Discussion in 'General Discussion' started by shanit, Jul 18, 2006.

  1. shanit

    shanit Well-Known Member

    I understand there are false positives, but I'm curious about any of these because I had issues recently with someone getting into my server and deleting everything, and I thought maybe they installed something. Any help is totally appreciated.


    Found on brand new server, no accounts but my main domain:
    Possible Trojan - /usr/bin/curl-config
    Possible Trojan - /usr/bin/cpan
    Possible Trojan - /usr/bin/instmodsh
    Possible Trojan - /usr/bin/pstruct
    Possible Trojan - /usr/bin/curl
    Possible Trojan - /usr/lib/libcurl.so.3.0.0

    Found on original server, which had been hacked into and almost all deleted:
    Possible Trojan - /usr/bin/pod2man
    Possible Trojan - /usr/bin/pod2usage
    Possible Trojan - /usr/bin/podchecker
    Possible Trojan - /usr/bin/podselect
    Possible Trojan - /usr/bin/pstruct
    Possible Trojan - /usr/bin/splain
    Possible Trojan - /usr/bin/xsubpp


    I thought maybe they installed something to get in there again or something. Who knows, it was just totally mean though; my son's site from birth till current was on there, over 5 gigs of space. I was crushed. I didn't back it up because it was huge and never downloaded fully. Anyway, thanks guys for looking here and reading and possibly helping.

    Shannon
     
  2. chirpy

    chirpy Well-Known Member

    Highly unlikely, but impossible to tell, which is why the tool in WHM is useless. You should try running rkhunter and chkrootkit instead and see if they run cleanly.

    If you really want to dig deeper, then you need to identify the rpm each file uses, e.g.:

    rpm -qf /usr/bin/curl

    Then this is basically all the Trojan thingy does:

    rpm -V <package-name>

    Which will give you a nice cryptic response which you can understand through the rpm man page (which is fun in itself).

    I'd suggest just going with the tools I mentioned, though.
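Putting the two commands together, as an added shell example that is not from this thread: it decodes the rpm -V status column chirpy calls cryptic and runs the rpm -qf / rpm -V check over each path in the WHM scanner output. The function names are made up here, the input format "Possible Trojan - <path>" is taken from the first post, and rpm is assumed to be installed on the box being checked.

```shell
#!/bin/sh
# Added example (not the thread's own code): wraps the rpm -qf / rpm -V check
# described above and decodes the rpm -V status column.
# Column letters follow rpm(8): S M 5 D L U G T P.

# Turn a status string such as "S.5....T." into readable attribute names.
decode_rpmv_flags() {
    rest=$1
    out=""
    if [ "$rest" = "missing" ]; then echo "missing"; return 0; fi
    while [ -n "$rest" ]; do
        c=${rest%"${rest#?}"}       # first character
        rest=${rest#?}              # drop it
        case $c in
            S) out="$out size" ;;       M) out="$out mode" ;;
            5) out="$out digest" ;;     D) out="$out device" ;;
            L) out="$out symlink" ;;    U) out="$out user" ;;
            G) out="$out group" ;;      T) out="$out mtime" ;;
            P) out="$out capabilities" ;;
        esac
    done
    if [ -n "$out" ]; then echo "changed:$out"; else echo "unchanged"; fi
}

# Pull the paths out of WHM scanner lines ("Possible Trojan - /usr/bin/curl").
extract_paths() {
    sed -n 's/^Possible Trojan - //p'
}

# Find the owning package and report whether rpm thinks the file changed.
# Returns 0 if unchanged, 1 if changed or unowned, 2 if rpm is not installed.
verify_file() {
    path=$1
    if ! command -v rpm >/dev/null 2>&1; then
        echo "$path: rpm not available"; return 2
    fi
    if ! pkg=$(rpm -qf "$path" 2>/dev/null); then
        echo "$path: not owned by any package"; return 1
    fi
    # rpm -V lists only files that differ; the path is always the last field.
    line=$(rpm -V "$pkg" | awk -v p="$path" '$NF == p')
    if [ -z "$line" ]; then echo "$path ($pkg): unchanged"; return 0; fi
    flags=${line%% *}
    echo "$path ($pkg): $(decode_rpmv_flags "$flags")"
    return 1
}

# Usage: check_scanner_report < whm_scan_output.txt
check_scanner_report() {
    extract_paths | while IFS= read -r path; do verify_file "$path"; done
}
```

A digest (5) or size (S) change on a binary under /usr/bin is what would actually warrant concern, while an mtime-only change usually does not. rpm -V compares against the local rpm database, which anyone who already had root on the box could also have altered, so treat it as a first check rather than proof, which is part of why rkhunter and chkrootkit are the better starting point.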
     
