shanit

Well-Known Member
I understand there are false positives, but I'm curious about any of these because I had issues recently with someone getting into my server and deleting everything, and I thought maybe they installed something. Any help is totally appreciated.


Found on a brand new server with no accounts but my main domain:
Possible Trojan - /usr/bin/curl-config
Possible Trojan - /usr/bin/cpan
Possible Trojan - /usr/bin/instmodsh
Possible Trojan - /usr/bin/pstruct
Possible Trojan - /usr/bin/curl
Possible Trojan - /usr/lib/libcurl.so.3.0.0

Found on the original server, which had been hacked into and almost entirely deleted:
Possible Trojan - /usr/bin/pod2man
Possible Trojan - /usr/bin/pod2usage
Possible Trojan - /usr/bin/podchecker
Possible Trojan - /usr/bin/podselect
Possible Trojan - /usr/bin/pstruct
Possible Trojan - /usr/bin/splain
Possible Trojan - /usr/bin/xsubpp


I thought maybe they installed something to get in there again, or something. Who knows; it was just totally mean, though. My son's site, from birth until now, was on there, over 5 gigs of space. I was crushed. I didn't back it up because it was huge and never downloaded fully. Anyway, thanks, guys, for looking here and reading and possibly helping.

Shannon

chirpy

Well-Known Member
Verified Vendor
Highly unlikely, but impossible to tell, which is why the tool in WHM is useless. You should try running rkhunter and chkrootkit instead and see if they run cleanly.

If you really want to dig deeper, then you need to identify the rpm each file belongs to, e.g.:

rpm -qf /usr/bin/curl

Then this is basically all the Trojan thingy does:

rpm -V <package-name>

Which will give you a nice cryptic response that you can decode with the rpm man page (which is fun in itself).

I'd suggest just going with the tools I mentioned, though.
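As an added example (not from chirpy's post, and not part of rpm or any cPanel tool), here is a POSIX sh script that does the two-step check above for the paths the WHM scanner flagged: it asks rpm -qf which package owns each file, runs rpm -V on that package, and turns the cryptic flag column into words. The flagged path list and the sample rpm -V output embedded in it are constructed for illustration; the decoder is this example's own code.

```shell
#!/bin/sh
# Added example: verify WHM "Possible Trojan" hits against the rpm database.
# rpm -V flag column, one character per test (see rpm(8)):
#   S size  M mode  5 digest  D device  L symlink  U user  G group  T mtime
#   P capabilities   '.' = test passed   '?' = test could not be run
# A file that no longer exists is reported as "missing" instead of flags.

# Decode one rpm -V output line, e.g. "S.5....T.    /usr/bin/curl" or
# ".......T.  c /etc/file" (the optional single letter is the file type).
decode_rpmv_line() {
    flags=${1%% *}          # first field: flag column or "missing"
    path=${1##* }           # last field: the file path
    if [ "$flags" = "missing" ]; then
        printf '%s: missing\n' "$path"
        return 0
    fi
    out=""
    rem=$flags
    while [ -n "$rem" ]; do
        c=${rem%"${rem#?}"} # first character of the remaining flags
        rem=${rem#?}
        case $c in
            S) out="$out size";;
            M) out="$out mode";;
            5) out="$out digest";;
            D) out="$out device";;
            L) out="$out symlink";;
            U) out="$out user";;
            G) out="$out group";;
            T) out="$out mtime";;
            P) out="$out capabilities";;
            '?') out="$out untestable";;
            .) ;;
        esac
    done
    [ -n "$out" ] || out=" clean"
    printf '%s:%s\n' "$path" "$out"
}

# For each flagged path: find the owning package, verify it, decode the result.
verify_flagged_paths() {
    for p in "$@"; do
        if pkg=$(rpm -qf "$p" 2>/dev/null); then
            # rpm -V prints nothing and exits 0 when every test passes;
            # it exits 1 when something differs, so do not let that abort us.
            result=$(rpm -V "$pkg" 2>/dev/null || true)
            if [ -z "$result" ]; then
                printf '%s: owned by %s, verifies clean\n' "$p" "$pkg"
            else
                printf '%s\n' "$result" | while IFS= read -r l; do
                    if [ -n "$l" ]; then decode_rpmv_line "$l"; fi
                done
            fi
        else
            # A binary in /usr/bin that no package claims deserves a manual look.
            printf '%s: not owned by any package (inspect by hand)\n' "$p"
        fi
    done
}

# Constructed list of flagged paths, taken from the first post above.
FLAGGED="/usr/bin/curl-config /usr/bin/cpan /usr/bin/instmodsh /usr/bin/pstruct /usr/bin/curl"

# Constructed sample of what rpm -V might print for a tampered curl package
# (hypothetical content, used only when rpm is not installed on this host).
SAMPLE_RPMV_OUTPUT='S.5....T.    /usr/bin/curl
....L....    /usr/lib/libcurl.so.3
missing     /usr/bin/curl-config'

if command -v rpm >/dev/null 2>&1; then
    verify_flagged_paths $FLAGGED
else
    printf '%s\n' "$SAMPLE_RPMV_OUTPUT" | while IFS= read -r l; do
        decode_rpmv_line "$l"
    done
fi
```

A line such as "/usr/bin/curl: size digest mtime" is the pattern a replaced binary leaves (new size, new checksum, new timestamp); a lone "mtime" or "untestable" on a prelinked or config file is the kind of noise that produces false positives. One caveat: rpm -V compares files against the rpm database on the same disk, so on a box that has already been rooted a clean result only means the intruder did not bother with it. To check against something the attacker could not have touched, verify against package files from a trusted mirror with rpm -Vp, or rebuild the host.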