False Positives in "Quick Security" and "Trojan Horse" Scan

dwh2

Well-Known Member
Jan 14, 2004
The Trojan Horse scan shows a lot of false positives. Since I don't know which are false pos and which might be a trojan, and I'm sure many are in the same boat, I thought I'd start a definitive thread where people can post items that show up in their scan and we can confirm which items are false positives and which aren't. If the forum admin is willing to sticky this one, it can turn the trojan scan from something that isn't very useful and a bit frustrating, back into a great help for security purposes.

I will put here what items are appearing in my scan. If you see something in your scan that isn't in mine, reply with your item. Thank you.

Appears Clean
/dev/stderr
Scanning for Trojan Horses.....
Possible Trojan - /usr/lib/python2.2/site-packages/libxml2mod.la
Possible Trojan - /usr/lib/python2.2/site-packages/libxml2mod.so
Possible Trojan - /usr/bin/xml2-config
Possible Trojan - /usr/lib/libxml2.la
Possible Trojan - /usr/bin/dbiprof
Possible Trojan - /usr/bin/xmlcatalog
Possible Trojan - /usr/bin/xmllint
Possible Trojan - /usr/bin/xsltproc
Possible Trojan - /usr/bin/sa-learn
Possible Trojan - /usr/bin/spamassassin
Possible Trojan - /usr/bin/spamc
Possible Trojan - /usr/bin/spamd
Possible Trojan - /usr/bin/pod2man
Possible Trojan - /usr/bin/pod2usage
Possible Trojan - /usr/bin/podchecker
Possible Trojan - /usr/bin/podselect
Possible Trojan - /usr/bin/pstruct
Possible Trojan - /usr/bin/splain
Possible Trojan - /usr/bin/xsubpp
Possible Trojan - /usr/bin/curl
Possible Trojan - /usr/bin/curl-config

---
That's my list. Most if not all of these are coming from the extras I configured in apache.
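One way to sort a list like this into probable false positives and files that need a closer look is to ask the system's own package manager whether each flagged path is owned by an installed package and still matches that package's recorded metadata. The script below is an added triage helper, not part of this thread and not part of cPanel's scanner; it parses the "Possible Trojan - <path>" lines the scan prints, and the sample input is constructed from a few of the paths above plus one made-up unpackaged path (the /usr/local path does not come from the thread). The function names are my own.

```shell
#!/bin/sh
# Added triage helper (not from the thread or from cPanel's scanner): parse the
# "Possible Trojan - <path>" lines out of the scan output and check each path
# against the package manager. A binary that a stock package owns and that still
# verifies against the package database is the usual false positive; anything
# unpackaged, modified or missing deserves a manual look.

# Constructed sample input: three paths from the scan above plus one made-up
# unpackaged path (the /usr/local path is not from the thread).
SCAN_OUTPUT='Appears Clean
/dev/stderr
Scanning for Trojan Horses.....
Possible Trojan - /usr/bin/xmllint
Possible Trojan - /usr/bin/curl
Possible Trojan - /usr/bin/spamd
Possible Trojan - /usr/local/lib/constructed_unpackaged.so'

# extract_flagged_paths: read scan output on stdin, print one flagged path per line.
extract_flagged_paths() {
    sed -n 's/^Possible Trojan - //p'
}

# verify_path <path>: classify one flagged file and print exactly one line:
#   MISSING       <path>            file is not on disk
#   NO_PKG_TOOL   <path>            neither rpm nor dpkg is installed
#   UNPACKAGED    <path>            no installed package claims the file
#   PACKAGED_MOD  <path> <package>  a package owns it but the file differs from the database
#   PACKAGED_OK   <path> <package>  a package owns it and it verifies cleanly
verify_path() {
    p=$1
    if [ ! -e "$p" ]; then
        printf 'MISSING %s\n' "$p"
        return 0
    fi
    if command -v rpm >/dev/null 2>&1; then
        # rpm -qf exits non-zero when no package owns the file
        if ! pkg=$(rpm -qf "$p" 2>/dev/null); then
            printf 'UNPACKAGED %s\n' "$p"
            return 0
        fi
        pkg=$(printf '%s\n' "$pkg" | head -n 1)
        # rpm -V lists only files whose size, digest, mode, owner, etc. differ
        if rpm -V "$pkg" 2>/dev/null | grep -q " $p\$"; then
            printf 'PACKAGED_MOD %s %s\n' "$p" "$pkg"
        else
            printf 'PACKAGED_OK %s %s\n' "$p" "$pkg"
        fi
    elif command -v dpkg >/dev/null 2>&1; then
        # dpkg -S prints "package: /path"; keep the package name of the first match
        pkg=$(dpkg -S "$p" 2>/dev/null | head -n 1 | cut -d: -f1)
        if [ -z "$pkg" ]; then
            printf 'UNPACKAGED %s\n' "$p"
            return 0
        fi
        # dpkg -V needs a dpkg that supports verification; older releases print nothing
        if dpkg -V "$pkg" 2>/dev/null | grep -q " $p\$"; then
            printf 'PACKAGED_MOD %s %s\n' "$p" "$pkg"
        else
            printf 'PACKAGED_OK %s %s\n' "$p" "$pkg"
        fi
    else
        printf 'NO_PKG_TOOL %s\n' "$p"
    fi
}

# triage_scan: run verify_path over every flagged path in the scan output on stdin.
triage_scan() {
    extract_flagged_paths | while IFS= read -r path; do
        verify_path "$path"
    done
}

# Stand-alone run over the constructed sample.
printf '%s\n' "$SCAN_OUTPUT" | triage_scan
```

Run it as `./triage.sh`, or feed it the real scan text with `triage_scan < scan.txt`. The result only sets aside files that a package owns and that verify cleanly; it does not prove a host is clean, because the package database lives on the same disk as everything else and a rootkit that tampers with it defeats the check. That limitation is one reason dedicated rootkit scanners, as recommended further down the thread, are the better tool for the actual compromise question.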
 

chirpy

Well-Known Member
Verified Vendor
Jun 15, 2002
They'll be completely different on every server by the nature of what is wrong with the Trojan scanner, so there'd be no point in posting them.

Simply put, don't use it. Instead, use the other recommended tools when looking for rootkit compromises (rkhunter and chkrootkit - do a search on the forums).