False Positives in "Quick Security" and "Trojan Horse" Scan

Discussion in 'Security' started by dwh2, Apr 29, 2005.

  1. dwh2

    The Trojan Horse scan shows a lot of false positives. Since I don't know which are false pos and which might be a trojan, and I'm sure many are in the same boat, I thought I'd start a definitive thread where people can post items that show up in their scan and we can confirm which items are false positives and which aren't. If the forum admin is willing to sticky this one, it can turn the trojan scan from something that isn't very useful and a bit frustrating, back into a great help for security purposes.

    I will put here what items are appearing in my scan. If you see something in your scan that isn't in mine, reply with your item. Thank you.

    Appears Clean
    /dev/stderr
    Scanning for Trojan Horses.....
    Possible Trojan - /usr/lib/python2.2/site-packages/libxml2mod.la
    Possible Trojan - /usr/lib/python2.2/site-packages/libxml2mod.so
    Possible Trojan - /usr/bin/xml2-config
    Possible Trojan - /usr/lib/libxml2.la
    Possible Trojan - /usr/bin/dbiprof
    Possible Trojan - /usr/bin/xmlcatalog
    Possible Trojan - /usr/bin/xmllint
    Possible Trojan - /usr/bin/xsltproc
    Possible Trojan - /usr/bin/sa-learn
    Possible Trojan - /usr/bin/spamassassin
    Possible Trojan - /usr/bin/spamc
    Possible Trojan - /usr/bin/spamd
    Possible Trojan - /usr/bin/pod2man
    Possible Trojan - /usr/bin/pod2usage
    Possible Trojan - /usr/bin/podchecker
    Possible Trojan - /usr/bin/podselect
    Possible Trojan - /usr/bin/pstruct
    Possible Trojan - /usr/bin/splain
    Possible Trojan - /usr/bin/xsubpp
    Possible Trojan - /usr/bin/curl
    Possible Trojan - /usr/bin/curl-config

    ---
    That's my list. Most if not all of these are coming from the extras I configured in Apache.
     
  2. chirpy

    They'll be completely different on every server by the nature of what is wrong with the Trojan scanner, so there'd be no point in posting them.

    Simply put, don't use it. Instead use the other recommended tools when looking for rootkit compromises (rkhunter and chkrootkit - do a search on the forums).
     