Please whitelist cPanel in your adblocker so that you’re able to see our version release promotions, thanks!

The Community Forums

Interact with an entire community of cPanel & WHM users!

hacked or false positives?

Discussion in 'General Discussion' started by elleryjh, Jan 17, 2005.

  1. elleryjh

    elleryjh Well-Known Member

    Joined:
    Apr 12, 2003
    Messages:
    479
    Likes Received:
    0
    Trophy Points:
    166
    Can someone please help me read the output from chkrootkit and Scan for Trojans? Thanks in advance!


    From chkrootkit:
    Checking `bindshell'... INFECTED (PORTS: 465)
    Checking `lkm'...
    You have 1 process hidden for readdir command
    You have 1 process hidden for ps command
    Warning: Possible LKM Trojan installed

    From WHM's Scan for Trojan Horses:
    Possible Trojan - /usr/bin/curl
    Possible Trojan - /usr/bin/podchecker
    Possible Trojan - /usr/bin/pstruct
    Possible Trojan - /usr/bin/splain
    Possible Trojan - /usr/bin/xsubpp
    Possible Trojan - /usr/bin/curl-config
    Possible Trojan - /usr/bin/dbiprof
    Possible Trojan - /usr/bin/sa-learn
    Possible Trojan - /usr/bin/spamassassin
    Possible Trojan - /usr/bin/spamc
    Possible Trojan - /usr/bin/spamd
    11 POSSIBLE Trojans Detected
     
    #1 elleryjh, Jan 17, 2005
  2. sawbuck

    sawbuck Well-Known Member

    Joined:
    Jan 18, 2004
    Messages:
    1,366
    Likes Received:
    6
    Trophy Points:
    168
    cPanel Access Level:
    Root Administrator
    Most likely all false positives. Grab rkhunter and check the (more reliable) output from it.
    http://www.rootkit.nl/
     
    #2 sawbuck, Jan 17, 2005
  3. dr2web

    dr2web Active Member

    Joined:
    Jan 14, 2005
    Messages:
    33
    Likes Received:
    0
    Trophy Points:
    156
    Just in case anyone reads this... I had the exact same problem from chkrootkit...

    I installed rkhunter and it was indeed a false positive...

    Install rkhunter it is alot cleaner and more accurate.
     
    #3 dr2web, Mar 7, 2005
  4. Aric1

    Aric1 Well-Known Member

    Joined:
    Oct 15, 2003
    Messages:
    324
    Likes Received:
    0
    Trophy Points:
    166
    cPanel Access Level:
    DataCenter Provider
    And updated more often, which is important in such a tool.

    Don't forget to "show the love" to the author by buying him something on his Amazon wishlist. He's a good guy and very responsive.
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
    #4 Aric1, Mar 7, 2005
(You must log in or sign up to post here.)
Loading...
Similar Threads - hacked false positives
  1. JarekN

    Site keeps on getting hacked - infected files

    JarekN, Mar 15, 2018, in forum: Security
    Replies:
    6
    Views:
    1,036
    cPanelMichael
    Mar 15, 2018
  2. kalexanakis

    Server hacked using pam_fprintd.so?

    kalexanakis, Jun 7, 2017, in forum: Security
    Replies:
    8
    Views:
    1,645
    Jcats
    Jun 23, 2017
  3. Skin

    Apache Symlink Protection False positive?

    Skin, Jun 6, 2018, in forum: Security
    Replies:
    3
    Views:
    206
    cPanelLauren
    Jun 6, 2018
  4. Adrianmcg85

    Puppeteer.launch headless:false in options with argv

    Adrianmcg85, May 10, 2018, in forum: General Discussion
    Replies:
    1
    Views:
    199
    cPanelMichael
    May 10, 2018
  5. deanhills

    "False" disk usage e-mail notification

    deanhills, Apr 23, 2018, in forum: General Discussion
    Replies:
    1
    Views:
    173
    cPanelLauren
    Apr 23, 2018

Share This Page

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Accept Learn More...
    Dismiss Notice