HELP, HELP Trojan Horses Detected by (WHM)

xxgchappy

Member
Apr 29, 2004
Hidden Pid detected! [pid 143]
hidden from ps: [yes]
hidden from kernel: [yes]
binary location: [/sbin/adjkerntz]

Hidden Pid detected! [pid 266]
hidden from ps: [yes]
hidden from kernel: [yes]
binary location: [/usr/sbin/syslogd]

Hidden Pid detected! [pid 359]
hidden from ps: [yes]
hidden from kernel: [yes]
binary location: [/usr/sbin/usbd]

Hidden Pid detected! [pid 408]
hidden from ps: [yes]
hidden from kernel: [yes]
binary location: [/usr/sbin/sshd]

Hidden Pid detected! [pid 426]
hidden from ps: [yes]
hidden from kernel: [yes]
binary location: [/usr/sbin/cron]

Hidden Pid detected! [pid 446]
hidden from ps: [yes]
hidden from kernel: [yes]
binary location: [/usr/sbin/named]

Hidden Pid detected! [pid 474]
hidden from ps: [yes]
hidden from kernel: [yes]
binary location: [/usr/local/bin/perl]

Hidden Pid detected! [pid 479]
hidden from ps: [yes]
hidden from kernel: [yes]
binary location: [/usr/local/libexec/proftpd]

Hidden Pid detected! [pid 584]
hidden from ps: [yes]
hidden from kernel: [yes]
binary location: [/usr/local/cpanel/3rdparty/bin/melange]

Hidden Pid detected! [pid 595]
hidden from ps: [yes]
hidden from kernel: [yes]
binary location: [/bin/sh]

Hidden Pid detected! [pid 636]
hidden from ps: [yes]
hidden from kernel: [yes]
binary location: [/usr/libexec/getty]

Hidden Pid detected! [pid 637]
hidden from ps: [yes]
hidden from kernel: [yes]
binary location: [/usr/libexec/getty]

Hidden Pid detected! [pid 638]
hidden from ps: [yes]
hidden from kernel: [yes]
binary location: [/usr/libexec/getty]

Hidden Pid detected! [pid 639]
hidden from ps: [yes]
hidden from kernel: [yes]
binary location: [/usr/libexec/getty]

Hidden Pid detected! [pid 640]
hidden from ps: [yes]
hidden from kernel: [yes]
binary location: [/usr/libexec/getty]




I use FreeBSD. Please tell me what to do next.

Help, help!!
 

dandanfireman

Well-Known Member
PartnerNOC
May 31, 2002
Based on the processes listed, I am guessing this is a FreeBSD box. I have seen a similar occurrence on FreeBSD; they are false positives.
 

nyjimbo

Well-Known Member
Jan 25, 2003
New York
I've never seen this sort of thing. How is it that WHM alerted you to it? Did you run something?
 

nyjimbo

Well-Known Member
Jan 25, 2003
New York
Do you have console access? Can you run a "ps ax" and see if those are normal tasks?

Since the thing is giving you the PIDs, if you do a "ps ax" and see those PIDs, and they show the programs as listed in the warning, then they can't be hidden from ps. Then all you have to do is go see some of the date stamps of those files; if they match the rest of most of the binaries, chances are you are seeing a false positive, as the other poster mentioned.
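
The cross-check described in the post above, as an added example that is not part of the original thread: it compares each PID in a "Hidden Pid detected!" report with a saved `ps` listing, and lists the reported binaries for the date-stamp comparison. The function names, verdict labels and the sample `ps` lines are assumptions constructed for illustration.

```sh
#!/bin/sh
# triage_report REPORT PS_LISTING
# PS_LISTING is saved output of:  ps ax -o pid= -o command=
# Prints "<pid> <verdict> <reported binary>" for every reported PID:
#   VISIBLE   ps lists the PID running the reported binary
#             (so the "hidden from ps" claim does not hold)
#   MISMATCH  ps lists the PID under a different command; look by hand
#   ABSENT    ps does not list the PID (exited since the scan, or hidden)
triage_report() {
    awk '
        FILENAME == ARGV[1] { cmd[$1] = $2; next }     # ps listing
        /Hidden Pid detected!/ {
            pid = $0; sub(/.*\[pid /, "", pid); sub(/\].*/, "", pid)
        }
        /binary location:/ {
            bin = $0; sub(/.*\[/, "", bin); sub(/\].*/, "", bin)
            base = bin; sub(/.*\//, "", base)
            if (!(pid in cmd)) verdict = "ABSENT"
            else {
                seen = cmd[pid]; sub(/:$/, "", seen); sub(/.*\//, "", seen)
                verdict = (seen == base) ? "VISIBLE" : "MISMATCH"
            }
            print pid, verdict, bin
        }
    ' "$2" "$1"
}

# list_binaries REPORT: unique reported paths for the date-stamp check,
# e.g.  list_binaries report.txt | xargs ls -ld
list_binaries() {
    sed -n 's/^binary location: \[\([^]]*\)\].*/\1/p' "$1" | sort -u
}

# Constructed sample: report lines in the format posted above, and a
# made-up ps listing (not taken from the poster's machine).
demo() {
    d=$(mktemp -d) || return 1
    printf '%s\n' \
        'Hidden Pid detected! [pid 266]' 'hidden from ps: [yes]' \
        'hidden from kernel: [yes]' 'binary location: [/usr/sbin/syslogd]' '' \
        'Hidden Pid detected! [pid 408]' 'binary location: [/usr/sbin/sshd]' '' \
        'Hidden Pid detected! [pid 595]' 'binary location: [/bin/sh]' > "$d/report"
    printf '%s\n' '  266 /usr/sbin/syslogd -s' \
                  '  408 /usr/local/bin/perl /tmp/x' > "$d/ps"
    triage_report "$d/report" "$d/ps"
    rm -rf "$d"
}
demo
```

A report where every PID comes back VISIBLE matches the false-positive explanation given earlier in the thread; MISMATCH or ABSENT entries are the ones to examine by hand.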