Disabling "Trojan Horses Detected" daily e-mail

PlasmaAu

Registered
Nov 5, 2011
3
0
51
cPanel Access Level
Root Administrator
Hi,

I am receiving daily "Trojan Horses Detected" e-mails from WHM.

The results are false positives, and other people on this forum indicate that the scanner is useless.

How do I disable this daily false positive check from being done by WHM?

Others say to disable it, but I don't see an option in WHM, or a suitable entry in cron to comment out.

Thanks,
Andrew
 

PlasmaAu

Sure.

Subject:
Trojan Horses Detected by (WHM) on xxx.com
Body:
Hidden Pid detected! [pid 1799]
hidden from ps: [yes]
hidden from kernel: [yes]
binary location: [/sbin/rsyslogd]


Hidden Pid detected! [pid 1800]
hidden from ps: [yes]
hidden from kernel: [yes]
binary location: [/sbin/rsyslogd]


Hidden Pid detected! [pid 1820]
hidden from ps: [yes]
hidden from kernel: [yes]
binary location: [/usr/sbin/named]


Hidden Pid detected! [pid 1821]
hidden from ps: [yes]
hidden from kernel: [yes]
binary location: [/usr/sbin/named]


Hidden Pid detected! [pid 1822]
hidden from ps: [yes]
hidden from kernel: [yes]
binary location: [/usr/sbin/named]


Hidden Pid detected! [pid 1823]
hidden from ps: [yes]
hidden from kernel: [yes]
binary location: [/usr/sbin/named]


Hidden Pid detected! [pid 1824]
hidden from ps: [yes]
hidden from kernel: [yes]
binary location: [/usr/sbin/named]


Hidden Pid detected! [pid 1825]
hidden from ps: [yes]
hidden from kernel: [yes]
binary location: [/usr/sbin/named]


Hidden Pid detected! [pid 1926]
hidden from ps: [yes]
hidden from kernel: [yes]
binary location: [/usr/sbin/mysqld]


Hidden Pid detected! [pid 1927]
hidden from ps: [yes]
hidden from kernel: [yes]
binary location: [/usr/sbin/mysqld]


Hidden Pid detected! [pid 1928]
hidden from ps: [yes]
hidden from kernel: [yes]
binary location: [/usr/sbin/mysqld]


Hidden Pid detected! [pid 1929]
hidden from ps: [yes]
hidden from kernel: [yes]
binary location: [/usr/sbin/mysqld]


Hidden Pid detected! [pid 1931]
hidden from ps: [yes]
hidden from kernel: [yes]
binary location: [/usr/sbin/mysqld]


Hidden Pid detected! [pid 1932]
hidden from ps: [yes]
hidden from kernel: [yes]
binary location: [/usr/sbin/mysqld]


Hidden Pid detected! [pid 1933]
hidden from ps: [yes]
hidden from kernel: [yes]
binary location: [/usr/sbin/mysqld]


Hidden Pid detected! [pid 1934]
hidden from ps: [yes]
hidden from kernel: [yes]
binary location: [/usr/sbin/mysqld]


Hidden Pid detected! [pid 1935]
hidden from ps: [yes]
hidden from kernel: [yes]
binary location: [/usr/sbin/mysqld]


Hidden Pid detected! [pid 2461]
hidden from ps: [yes]
hidden from kernel: [yes]
binary location: [/sbin/rsyslogd]
Thank you
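A way to triage a report like the one above rather than only silence it, as an added example (my code, not anything from cPanel or from the poster): parse the e-mail body, group the reported PIDs by binary, and compare each PID with an independent snapshot of the process table. The `triage` procedure, its verdict names and the snapshot format are my assumptions. One common source of "hidden from ps" findings is the threads of a multithreaded daemon (named, mysqld and rsyslogd all qualify): each thread has its own ID under /proc but does not appear in a default `ps` listing. The runs of consecutive PIDs in the report are consistent with that, although the thread itself does not establish the cause.

```python
import re
from collections import defaultdict

# Constructed sample: four of the entries quoted in the report body above.
REPORT = """\
Hidden Pid detected! [pid 1799]
hidden from ps: [yes]
hidden from kernel: [yes]
binary location: [/sbin/rsyslogd]


Hidden Pid detected! [pid 1820]
hidden from ps: [yes]
hidden from kernel: [yes]
binary location: [/usr/sbin/named]


Hidden Pid detected! [pid 1926]
hidden from ps: [yes]
hidden from kernel: [yes]
binary location: [/usr/sbin/mysqld]


Hidden Pid detected! [pid 2461]
hidden from ps: [yes]
hidden from kernel: [yes]
binary location: [/sbin/rsyslogd]
"""

# One match per report entry; the four lines always appear in this order.
ENTRY_RE = re.compile(
    r"Hidden Pid detected! \[pid (?P<pid>\d+)\]\s*"
    r"hidden from ps: \[(?P<ps>yes|no)\]\s*"
    r"hidden from kernel: \[(?P<kernel>yes|no)\]\s*"
    r"binary location: \[(?P<binary>[^\]]*)\]"
)


def parse_report(text):
    """Return one dict per 'Hidden Pid detected!' entry in the e-mail body."""
    return [
        {
            "pid": int(m["pid"]),
            "hidden_from_ps": m["ps"] == "yes",
            "hidden_from_kernel": m["kernel"] == "yes",
            "binary": m["binary"],
        }
        for m in ENTRY_RE.finditer(text)
    ]


def pids_by_binary(entries):
    """Group reported PIDs under the binary the scanner attributed them to."""
    groups = defaultdict(list)
    for e in entries:
        groups[e["binary"]].append(e["pid"])
    return dict(groups)


def triage(entries, snapshot):
    """Compare each reported PID with an independent view of the process table.

    snapshot maps id -> (tgid, exe). In real use build it by walking /proc:
    Tgid from /proc/<id>/status and exe from readlink on /proc/<tgid>/exe.
    This procedure is my suggestion (hypothetical), not something the thread
    describes. Returns {pid: verdict} with verdict one of:
      'absent'           id no longer exists (short-lived, or re-scan)
      'thread'           id is a thread of a process running that binary
      'visible_process'  id is an ordinary process running that binary
      'binary_mismatch'  id exists but runs something else: investigate
    """
    verdicts = {}
    for e in entries:
        pid = e["pid"]
        if pid not in snapshot:
            verdicts[pid] = "absent"
            continue
        tgid, exe = snapshot[pid]
        if exe != e["binary"]:
            verdicts[pid] = "binary_mismatch"
        elif tgid != pid:
            verdicts[pid] = "thread"
        else:
            verdicts[pid] = "visible_process"
    return verdicts


if __name__ == "__main__":
    entries = parse_report(REPORT)
    # Constructed snapshot: 1820 and 1926 are threads of named/mysqld, 1799 is
    # rsyslogd's main process, and 2461 is no longer present.
    snapshot = {
        1799: (1799, "/sbin/rsyslogd"),
        1820: (1819, "/usr/sbin/named"),
        1926: (1925, "/usr/sbin/mysqld"),
    }
    for binary, pids in pids_by_binary(entries).items():
        print(f"{binary}: {pids}")
    for pid, verdict in triage(entries, snapshot).items():
        print(f"pid {pid}: {verdict}")
```

The useful output is the `binary_mismatch` case: a reported ID whose /proc entry points at a binary other than the one the scanner named is the only category here that warrants a closer look; `thread` and `visible_process` contradict the "hidden" claim outright, and `absent` only means the scan should be repeated against a fresh snapshot.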
 

PlasmaAu

Hi Infopro,

I tracked down the instigator of this e-mail to this command:

/usr/local/cpanel/bin/dcpumon --killproc

This (wrongly) detects mysqld and other standard services as trojans, and fires off an e-mail to me every day.

It's instantiated because it's listed in /scripts/maintenance:

$action{'cmd'} = [ '/usr/local/cpanel/bin/dcpumon', '--killproc' ];
process( \%action );

I have now commented this call out. This maintenance script file was executed by /scripts/upcp --cron, which is run via cron once daily (root's crontab):

56 4 * * * /usr/local/cpanel/scripts/upcp --cron

storminternet,

Thanks for the concern, but I am positive I have not been hacked -- the VPS was locked away from the internet, and the services it complains about are all valid and not at all dangerous.

Additionally, others on this and other forums suggest that this trojan detector is very broken (http://forums.cpanel.net/f5/disable-limit-trojan-detection-54249.html and Trojan Horses Detected by (WHM) on server.domain.com - Web Hosting Talk and Trojan Horses Detected by WHM - Web Hosting Talk)

Regards,
Andrew