Please whitelist cPanel in your adblocker so that you’re able to see our version release promotions, thanks!

The Community Forums

Interact with an entire community of cPanel & WHM users!

Disabling "Trojan Horses Detected" daily e-mail

Discussion in 'Security' started by PlasmaAu, Nov 5, 2011.

  1. PlasmaAu

    PlasmaAu Registered

    Joined:
    Nov 5, 2011
    Messages:
    3
    Likes Received:
    0
    Trophy Points:
    51
    cPanel Access Level:
    Root Administrator
    Hi,

    I am receiving daily "Trojan Horses Detected" e-mails from WHM.

    The results are false positives, and other people on this forum indicate that the scanner is useless.

    How do I disable this daily false positive check from being done by WHM?

    Others say to disable it, but I don't see an option in WHM, or a suitable entry in cron to comment out.

    Thanks,
    Andrew
     
    #1 PlasmaAu, Nov 5, 2011
  2. Infopro

    Infopro cPanel Sr. Product Evangelist Staff Member

    Joined:
    May 20, 2003
    Messages:
    16,741
    Likes Received:
    456
    Trophy Points:
    583
    Location:
    Pennsylvania
    cPanel Access Level:
    Root Administrator
    Twitter:
    Could you please post the contents of that email to peek at?
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
    #2 Infopro, Nov 5, 2011
  3. PlasmaAu

    PlasmaAu Registered

    Joined:
    Nov 5, 2011
    Messages:
    3
    Likes Received:
    0
    Trophy Points:
    51
    cPanel Access Level:
    Root Administrator
    Sure.

    Subject:
    Body:
    Thank you
     
    #3 PlasmaAu, Nov 5, 2011
  4. Infopro

    Infopro cPanel Sr. Product Evangelist Staff Member

    Joined:
    May 20, 2003
    Messages:
    16,741
    Likes Received:
    456
    Trophy Points:
    583
    Location:
    Pennsylvania
    cPanel Access Level:
    Root Administrator
    Twitter:
    WHM does not by default send out this email that I'm aware of although it does have a tool for checking. You might ask your server provider if they've added this to alert you.
    You might also check here:
    /var/spool/cron/root
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
    #4 Infopro, Nov 5, 2011
  5. storminternet

    storminternet Well-Known Member

    Joined:
    Nov 2, 2011
    Messages:
    460
    Likes Received:
    0
    Trophy Points:
    66
    cPanel Access Level:
    Root Administrator
    Hello Andrew ,

    You might have been hacked. Please scan your server with chkrootkit and if scan report shows infected binaries then it is recommended to take the backup of your data.

    You can also reinstall your server with fresh operating system.

    Regards

    Mohammed
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
    #5 storminternet, Nov 5, 2011
  6. PlasmaAu

    PlasmaAu Registered

    Joined:
    Nov 5, 2011
    Messages:
    3
    Likes Received:
    0
    Trophy Points:
    51
    cPanel Access Level:
    Root Administrator
    Hi Infopro,

    I tracked down the instigator of this e-mail to this command:
    /usr/local/cpanel/bin/dcpumon --killproc

    This (wrongly) detects mysqld and other standard services as trojans, and fires off an e-mail to me every day.

    It's instantiated because its listed in /scripts/maintenance:
    I have now commented this call out. This maintenance script file was executed by /scripts/upcp --cron which is run via cron once daily (root's crontab):
    storminternet,

    Thanks for the concern, but I am positive I have not been hacked -- the VPS was locked away from the internet, and the services it complains about are all valid and not at all dangerous.

    Additionally, others on this and other forums suggest that this trojan detector is very broken (http://forums.cpanel.net/f5/disable-limit-trojan-detection-54249.html and Trojan Horses Detected by (WHM) on server.domain.com - Web Hosting Talk and Trojan Horses Detected by WHM - Web Hosting Talk)

    Regards,
    Andrew
     
    #6 PlasmaAu, Nov 6, 2011
  7. storminternet

    storminternet Well-Known Member

    Joined:
    Nov 2, 2011
    Messages:
    460
    Likes Received:
    0
    Trophy Points:
    66
    cPanel Access Level:
    Root Administrator
    Hello Andrew,

    Thank you for sharing this valuable information.
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
    #7 storminternet, Nov 7, 2011
(You must log in or sign up to post here.)
Loading...
Similar Threads - Disabling Trojan Horses
  1. orvn

    Disabling several mod_security rules due to 403 response to POST request?

    orvn, Feb 16, 2019, in forum: EasyApache
    Replies:
    6
    Views:
    115
    cPanelMichael
    Feb 22, 2019
  2. benhuragmf

    Disabling NetworkManager Issue

    benhuragmf, Nov 21, 2018, in forum: General Discussion
    Replies:
    3
    Views:
    360
    cPanelLauren
    Nov 21, 2018
  3. Stephen Bignell

    SOLVED [CPANEL-23906] Disabling FTP server removes FTP Server Selection from WHM UI

    Stephen Bignell, Nov 11, 2018, in forum: General Discussion
    Replies:
    4
    Views:
    376
    cPanelMichael
    Nov 30, 2018
  4. dr_lucas

    SOLVED Mariadb 10.2 - Disabling Strict Mode

    dr_lucas, Aug 9, 2018, in forum: Database Discussion
    Replies:
    15
    Views:
    2,787
    cPanelMichael
    Aug 20, 2018
  5. Remitur

    Disabling local delivery, forcing the use of external DNS?

    Remitur, Jul 6, 2018, in forum: E-mail Discussion
    Replies:
    4
    Views:
    267
    cPanelLauren
    Jul 9, 2018

Share This Page

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Accept Learn More...
    Dismiss Notice