The Community Forums

Interact with an entire community of cPanel & WHM users!
  1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

Hacked

Discussion in 'General Discussion' started by pcdior, Feb 5, 2005.

  1. pcdior

    pcdior Active Member

    Joined:
    Aug 1, 2004
    Messages:
    39
    Likes Received:
    0
    Trophy Points:
    6
    This turned up in a chkrootkit lkm trojan hidden processes, this box has only one large site, heavy msql, nothing else strange is going on, rkhunter showing everything ok, is this a compromise?

    ### Output of: ./chkproc -v -v -p 1
    ###
    PID 11629(/proc/11629): not in readdir output
    PID 11629: not in ps output
    CWD 11629: /var/named
    EXE 11629: /usr/sbin/named
    PID 11630(/proc/11630): not in readdir output
    PID 11630: not in ps output
    CWD 11630: /var/named
    EXE 11630: /usr/sbin/named
    PID 11631(/proc/11631): not in readdir output
    PID 11631: not in ps output
    CWD 11631: /var/named
    EXE 11631: /usr/sbin/named
    PID 11632(/proc/11632): not in readdir output
    PID 11632: not in ps output
    CWD 11632: /var/named
    EXE 11632: /usr/sbin/named
     
  2. chirpy

    chirpy Well-Known Member

    Joined:
    Jun 15, 2002
    Messages:
    13,475
    Likes Received:
    20
    Trophy Points:
    38
    Location:
    Go on, have a guess
    Probably fine. On servers with lots of children being created and dying (e.g. apache, mysql, exim, MailScanner, etc) you will frequently get differences from the output as they are created and die within the time it takes chkrootkit to run. If rkhunter is running fine, and you've checked other things (netstat -lpn / pstree and such) I wouldn't worry.
     
  3. pcdior

    pcdior Active Member

    Joined:
    Aug 1, 2004
    Messages:
    39
    Likes Received:
    0
    Trophy Points:
    6
    Thanks Chirpy!
     
Loading...
Similar Threads - Hacked
  1. xtronica
    Replies:
    9
    Views:
    659

Share This Page