HELP, HELP Trojan Horses Detected by (WHM)

Discussion in 'General Discussion' started by xxgchappy, Jun 12, 2004.

  1. xxgchappy

    Hidden Pid detected! [pid 143]
    hidden from ps: [yes]
    hidden from kernel: [yes]
    binary location: [/sbin/adjkerntz]

    Hidden Pid detected! [pid 266]
    hidden from ps: [yes]
    hidden from kernel: [yes]
    binary location: [/usr/sbin/syslogd]

    Hidden Pid detected! [pid 359]
    hidden from ps: [yes]
    hidden from kernel: [yes]
    binary location: [/usr/sbin/usbd]

    Hidden Pid detected! [pid 408]
    hidden from ps: [yes]
    hidden from kernel: [yes]
    binary location: [/usr/sbin/sshd]

    Hidden Pid detected! [pid 426]
    hidden from ps: [yes]
    hidden from kernel: [yes]
    binary location: [/usr/sbin/cron]

    Hidden Pid detected! [pid 446]
    hidden from ps: [yes]
    hidden from kernel: [yes]
    binary location: [/usr/sbin/named]

    Hidden Pid detected! [pid 474]
    hidden from ps: [yes]
    hidden from kernel: [yes]
    binary location: [/usr/local/bin/perl]

    Hidden Pid detected! [pid 479]
    hidden from ps: [yes]
    hidden from kernel: [yes]
    binary location: [/usr/local/libexec/proftpd]

    Hidden Pid detected! [pid 584]
    hidden from ps: [yes]
    hidden from kernel: [yes]
    binary location: [/usr/local/cpanel/3rdparty/bin/melange]

    Hidden Pid detected! [pid 595]
    hidden from ps: [yes]
    hidden from kernel: [yes]
    binary location: [/bin/sh]

    Hidden Pid detected! [pid 636]
    hidden from ps: [yes]
    hidden from kernel: [yes]
    binary location: [/usr/libexec/getty]

    Hidden Pid detected! [pid 637]
    hidden from ps: [yes]
    hidden from kernel: [yes]
    binary location: [/usr/libexec/getty]

    Hidden Pid detected! [pid 638]
    hidden from ps: [yes]
    hidden from kernel: [yes]
    binary location: [/usr/libexec/getty]

    Hidden Pid detected! [pid 639]
    hidden from ps: [yes]
    hidden from kernel: [yes]
    binary location: [/usr/libexec/getty]

    Hidden Pid detected! [pid 640]
    hidden from ps: [yes]
    hidden from kernel: [yes]
    binary location: [/usr/libexec/getty]




    I use FreeBSD. Please tell me what to do next?

    Help, help!!
     
  2. dandanfireman

    Based on the processes listed, I am guessing this is a FreeBSD box. I have seen a similar occurrence on FreeBSD; they are false positives.
     
  3. xxgchappy

    Please tell me what to do next?
    Do I need to rebuild my FreeBSD system or only the kernel?
     
  4. nyjimbo

    I've never seen this sort of thing. How is it that WHM alerted you to it? Did you run something?
     
  5. xxgchappy

    I run nothing.
     
  6. xxgchappy

    Please tell me how to solve it!!

    :confused: :confused: :confused:
     
  7. nyjimbo

    Do you have console access? Can you run a "ps ax" and see if those are normal tasks?

    Since the thing is giving you the PIDs, if you do a "ps ax" and see those PIDs and they show the programs as listed in the warning, then they can't be hidden from ps. Then all you have to do is go see some of the date stamps of those files; if they match the rest of most of the binaries, chances are you are seeing a false positive, as the other poster mentioned.
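
The "ps ax" cross-check suggested in the post above, as an added example that is not part of the original thread: it parses the "Hidden Pid detected!" report and labels each PID as visible, mismatch or absent in the ps listing. The report excerpt, the ps listing and the function names `parse_report` and `classify` are constructed for illustration.

```shell
#!/bin/sh
# Added example: cross-check a "Hidden Pid detected!" report against `ps ax`.
# REPORT and PS_OUT are constructed samples; on a live host paste the real
# report into REPORT and set PS_OUT="$(ps ax)".

REPORT='Hidden Pid detected! [pid 266]
hidden from ps: [yes]
hidden from kernel: [yes]
binary location: [/usr/sbin/syslogd]

Hidden Pid detected! [pid 408]
binary location: [/usr/sbin/sshd]

Hidden Pid detected! [pid 595]
binary location: [/bin/sh]

Hidden Pid detected! [pid 636]
binary location: [/usr/libexec/getty]'

PS_OUT='  PID  TT  STAT      TIME COMMAND
  266  ??  Ss     0:01.23 /usr/sbin/syslogd -s
  408  ??  Is     0:00.10 /usr/sbin/sshd
  595  ??  Is     0:00.50 /usr/sbin/cron -s'

# Print "pid path" for every entry in the report read from stdin.
parse_report() {
    awk '
        /Hidden Pid detected!/ { gsub(/[^0-9]/, ""); pid = $0 }
        /binary location:/     { sub(/.*\[/, ""); sub(/\].*/, ""); print pid, $0 }
    '
}

# classify REPORT_TEXT PS_TEXT -> one "pid path status" line per entry.
classify() {
    printf '%s\n' "$1" | parse_report | while read -r pid path; do
        # Column 5 of `ps ax` is the first word of COMMAND.
        cmd=$(printf '%s\n' "$2" | awk -v p="$pid" '$1 == p { print $5; exit }')
        if [ -z "$cmd" ]; then
            status=absent      # not in ps: hidden, or exited since the scan
        elif [ "${cmd##*/}" = "${path##*/}" ]; then
            status=visible     # ps shows the same program: not hidden from ps
        else
            status=mismatch    # pid reused or process title rewritten: look closer
        fi
        echo "$pid $path $status"
    done
}

classify "$REPORT" "$PS_OUT"
```

Entries reported as visible contradict the "hidden from ps: [yes]" line and point toward a false positive; absent and mismatch entries are the ones worth examining by hand.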
     
  8. xxgchappy

    I ran chkrootkit; it found 17 processes hidden from ps, and it also warns that my server may have a rootkit.
     