The Community Forums


Hidden Pid detected!

Discussion in 'General Discussion' started by bhznat, Feb 14, 2005.

  1. bhznat

    bhznat Active Member

    Joined:
    Jun 2, 2004
    Messages:
    29
    Likes Received:
    0
    Trophy Points:
    1
    Below I have added a part of the /scripts/upcp report. Can anyone explain what this is and how to resolve the problem???


    ps: error: Thread display not implemented.
    usage: ps -[Unix98 options]
    ps [BSD-style options]
    ps --[GNU-style long options]
    ps --help for a command summary
    Rebuilding Process List...ps: error: Thread display not implemented.
    usage: ps -[Unix98 options]
    ps [BSD-style options]
    ps --[GNU-style long options]
    ps --help for a command summary
    Done
    Rebuilding Process List...ps: error: Thread display not implemented.
    usage: ps -[Unix98 options]
    ps [BSD-style options]
    ps --[GNU-style long options]
    ps --help for a command summary
    Done
    Hidden Pid detected! [pid 1]
    hidden from ps: [yes]
    binary location: [/sbin/init]

    Rebuilding Process List...ps: error: Thread display not implemented.
    usage: ps -[Unix98 options]
    ps [BSD-style options]
    ps --[GNU-style long options]
    ps --help for a command summary
    Done
    Hidden Pid detected! [pid 2658]
    hidden from ps: [yes]
    binary location: [/usr/bin/php]

    Rebuilding Process List...ps: error: Thread display not implemented.
    usage: ps -[Unix98 options]
    ps [BSD-style options]
    ps --[GNU-style long options]
    ps --help for a command summary
    Done
    Hidden Pid detected! [pid 3638]
    hidden from ps: [yes]
    binary location: [/usr/local/apache/bin/httpd]

    Rebuilding Process List...ps: error: Thread display not implemented.
    usage: ps -[Unix98 options]
    ps [BSD-style options]
    ps --[GNU-style long options]
    ps --help for a command summary
    Done
    Hidden Pid detected! [pid 4266]
    hidden from ps: [yes]
    binary location: [/usr/sbin/named]

    Rebuilding Process List...ps: error: Thread display not implemented.
    usage: ps -[Unix98 options]
    ps [BSD-style options]
    ps --[GNU-style long options]
    ps --help for a command summary
    Done
    Hidden Pid detected! [pid 4267]
    hidden from ps: [yes]
    binary location: [/usr/sbin/named]

    Rebuilding Process List...ps: error: Thread display not implemented.
    usage: ps -[Unix98 options]
    ps [BSD-style options]
    ps --[GNU-style long options]
    ps --help for a command summary
    Done
    Hidden Pid detected! [pid 4268]
    hidden from ps: [yes]
    binary location: [/usr/sbin/named]

    Rebuilding Process List...ps: error: Thread display not implemented.
    usage: ps -[Unix98 options]
    ps [BSD-style options]
    ps --[GNU-style long options]
    ps --help for a command summary
    Done
    Hidden Pid detected! [pid 4269]
    hidden from ps: [yes]
    binary location: [/usr/sbin/named]

    Rebuilding Process List...ps: error: Thread display not implemented.
    usage: ps -[Unix98 options]
    ps [BSD-style options]
    ps --[GNU-style long options]
    ps --help for a command summary
    Done
    Hidden Pid detected! [pid 4279]
    hidden from ps: [yes]
    binary location: [/usr/sbin/sshd]

    Rebuilding Process List...ps: error: Thread display not implemented.
    usage: ps -[Unix98 options]
    ps [BSD-style options]
    ps --[GNU-style long options]
    ps --help for a command summary
    Done
    Hidden Pid detected! [pid 4286]
    hidden from ps: [yes]
    binary location: [/usr/sbin/kernel]

    Rebuilding Process List...ps: error: Thread display not implemented.
    usage: ps -[Unix98 options]
    ps [BSD-style options]
    ps --[GNU-style long options]
    ps --help for a command summary
    Done
    Hidden Pid detected! [pid 4301]
    hidden from ps: [yes]
    binary location: [/usr/sbin/xinetd]

    Rebuilding Process List...ps: error: Thread display not implemented.
    usage: ps -[Unix98 options]
    ps [BSD-style options]
    ps --[GNU-style long options]
    ps --help for a command summary
    Done
    Hidden Pid detected! [pid 4319]
    hidden from ps: [yes]
    binary location: [/usr/bin/perl]

    Rebuilding Process List...ps: error: Thread display not implemented.
    usage: ps -[Unix98 options]
    ps [BSD-style options]
    ps --[GNU-style long options]
    ps --help for a command summary
    Done
    Hidden Pid detected! [pid 4377]
    hidden from ps: [yes]
    binary location: [/usr/sbin/clamd]

    Rebuilding Process List...ps: error: Thread display not implemented.
    usage: ps -[Unix98 options]
    ps [BSD-style options]
    ps --[GNU-style long options]
    ps --help for a command summary
    Done
    Hidden Pid detected! [pid 4383]
    hidden from ps: [yes]
    binary location: [/usr/sbin/exim]

    Rebuilding Process List...ps: error: Thread display not implemented.
    usage: ps -[Unix98 options]
    ps [BSD-style options]
    ps --[GNU-style long options]
    ps --help for a command summary
    Done
    Hidden Pid detected! [pid 4387]
    hidden from ps: [yes]
    binary location: [/usr/sbin/exim]

    Rebuilding Process List...ps: error: Thread display not implemented.
    usage: ps -[Unix98 options]
    ps [BSD-style options]
    ps --[GNU-style long options]
    ps --help for a command summary
    Done
    Hidden Pid detected! [pid 4394]
    hidden from ps: [yes]
    binary location: [/usr/bin/perl]

    Rebuilding Process List...ps: error: Thread display not implemented.
    usage: ps -[Unix98 options]
    ps [BSD-style options]
    ps --[GNU-style long options]
    ps --help for a command summary
    Done
    Hidden Pid detected! [pid 4443]
    hidden from ps: [yes]
    binary location: [/usr/bin/perl]

    Rebuilding Process List...ps: error: Thread display not implemented.
    usage: ps -[Unix98 options]
    ps [BSD-style options]
    ps --[GNU-style long options]
    ps --help for a command summary
    Done
    Hidden Pid detected! [pid 4458]
    hidden from ps: [yes]
    binary location: [/usr/sbin/crond]

    Rebuilding Process List...ps: error: Thread display not implemented.
    usage: ps -[Unix98 options]
    ps [BSD-style options]
    ps --[GNU-style long options]
    ps --help for a command summary
    Done
    Hidden Pid detected! [pid 4467]
    hidden from ps: [yes]
    binary location: [/bin/bash]

    Rebuilding Process List...ps: error: Thread display not implemented.
    usage: ps -[Unix98 options]
    ps [BSD-style options]
    ps --[GNU-style long options]
    ps --help for a command summary
    Done
    Hidden Pid detected! [pid 4565]
    hidden from ps: [yes]
    binary location: [/usr/sbin/mysqld]

    Rebuilding Process List...ps: error: Thread display not implemented.
    usage: ps -[Unix98 options]
    ps [BSD-style options]
    ps --[GNU-style long options]
    ps --help for a command summary
    Done
    Hidden Pid detected! [pid 4594]
    hidden from ps: [yes]
    binary location: [/usr/local/cpanel/bin/cppop]

    Rebuilding Process List...ps: error: Thread display not implemented.
    usage: ps -[Unix98 options]
    ps [BSD-style options]
    ps --[GNU-style long options]
    ps --help for a command summary
    Done
    Hidden Pid detected! [pid 4614]
    hidden from ps: [yes]
    binary location: [/usr/sbin/mysqld]

    Rebuilding Process List...ps: error: Thread display not implemented.
    usage: ps -[Unix98 options]
    ps [BSD-style options]
    ps --[GNU-style long options]
    ps --help for a command summary
    Done
    Hidden Pid detected! [pid 4615]
    hidden from ps: [yes]
    binary location: [/usr/sbin/mysqld]

    Rebuilding Process List...ps: error: Thread display not implemented.
    usage: ps -[Unix98 options]
    ps [BSD-style options]
    ps --[GNU-style long options]
    ps --help for a command summary
    Done
    Hidden Pid detected! [pid 4616]
    hidden from ps: [yes]
    binary location: [/usr/sbin/mysqld]

    Rebuilding Process List...ps: error: Thread display not implemented.
    usage: ps -[Unix98 options]
    ps [BSD-style options]
    ps --[GNU-style long options]
    ps --help for a command summary
    Attempted to build process list more then 25 times! at bin/dcpumon.pl line 498.
    Done
    Hidden Pid detected! [pid 4620]
    hidden from ps: [yes]
    binary location: [/usr/sbin/mysqld]

    Scanning.....Done
    Scanning.....Done
    Scanning.....Done
    Scanning.....Done
     
  2. AdminWAY

    AdminWAY Member

    Joined:
    Feb 15, 2005
    Messages:
    5
    Likes Received:
    0
    Trophy Points:
    1
    I would suggest downloading and installing RootKit Hunter and running it on the server to be sure that there is nothing wrong. After you install it, do not forget to update it by running rkhunter --update.

    If you are not comfortable with doing it you should have a professional do it for you.
     
  3. bhznat

    bhznat Active Member

    Joined:
    Jun 2, 2004
    Messages:
    29
    Likes Received:
    0
    Trophy Points:
    1
    Thank you AdminWay. I already have chkrootkit installed on the system. Below is the latest chkrootkit report. I have read on the forums that bindshell: 465 is a false-positive result and not to worry about it, but for the line (Possible RH-Sharpe's rootkit installed) I have not found any related post on the forums. Can you please suggest what to do, and whether you know of any post or article related to RH-Sharpe's rootkit???
    I'm using RH9.


    ROOTDIR is `/'
    Checking `amd'... not found
    Checking `basename'... not infected
    Checking `biff'... not found
    Checking `chfn'... not infected
    Checking `chsh'... not infected
    Checking `cron'... not infected
    Checking `date'... not infected
    Checking `du'... not infected
    Checking `dirname'... not infected
    Checking `echo'... not infected
    Checking `egrep'... not infected
    Checking `env'... not infected
    Checking `find'... not infected
    Checking `fingerd'... not infected
    Checking `gpm'... not infected
    Checking `grep'... not infected
    Checking `hdparm'... not infected
    Checking `su'... not infected
    Checking `ifconfig'... not infected
    Checking `inetd'... not tested
    Checking `inetdconf'... not infected
    Checking `identd'... not found
    Checking `init'... not infected
    Checking `killall'... not infected
    Checking `ldsopreload'... not infected
    Checking `login'... not infected
    Checking `ls'... not infected
    Checking `lsof'... not infected
    Checking `mail'... not infected
    Checking `mingetty'... not infected
    Checking `netstat'... not infected
    Checking `named'... not infected
    Checking `passwd'... not infected
    Checking `pidof'... not infected
    Checking `pop2'... not found
    Checking `pop3'... not found
    Checking `ps'... not infected
    Checking `pstree'... not infected
    Checking `rpcinfo'... not infected
    Checking `rlogind'... not infected
    Checking `rshd'... not infected
    Checking `slogin'... not infected
    Checking `sendmail'... not infected
    Checking `sshd'... not infected
    Checking `syslogd'... not infected
    Checking `tar'... not infected
    Checking `tcpd'... not infected
    Checking `tcpdump'... not infected
    Checking `top'... not infected
    Checking `telnetd'... not infected
    Checking `timed'... not found
    Checking `traceroute'... not infected
    Checking `vdir'... not infected
    Checking `w'... not infected
    Checking `write'... not infected
    Checking `aliens'...
    /dev/tmpMnt
    Searching for sniffer's logs, it may take a while... nothing found
    Searching for HiDrootkit's default dir... nothing found
    Searching for t0rn's default files and dirs... nothing found
    Searching for t0rn's v8 defaults... nothing found
    Searching for Lion Worm default files and dirs... nothing found
    Searching for RSHA's default files and dir... nothing found
    Searching for RH-Sharpe's default files... Possible RH-Sharpe's rootkit installed
    Searching for Ambient's rootkit (ark) default files and dirs... nothing found
    Searching for suspicious files and dirs, it may take a while...

    ....(lines removed)

    Searching for LPD Worm files and dirs... nothing found
    Searching for Ramen Worm files and dirs... nothing found
    Searching for Maniac files and dirs... nothing found
    Searching for RK17 files and dirs... nothing found
    Searching for Ducoci rootkit... nothing found
    Searching for Adore Worm... nothing found
    Searching for ShitC Worm... nothing found
    Searching for Omega Worm... nothing found
    Searching for Sadmind/IIS Worm... nothing found
    Searching for MonKit... nothing found
    Searching for Showtee... nothing found
    Searching for OpticKit... nothing found
    Searching for T.R.K... nothing found
    Searching for Mithra... nothing found
    Searching for LOC rootkit... nothing found
    Searching for Romanian rootkit... nothing found
    Searching for HKRK rootkit... nothing found
    Searching for Suckit rootkit... nothing found
    Searching for Volc rootkit... nothing found
    Searching for Gold2 rootkit... nothing found
    Searching for TC2 Worm default files and dirs... nothing found
    Searching for Anonoying rootkit default files and dirs... nothing found
    Searching for ZK rootkit default files and dirs... nothing found
    Searching for ShKit rootkit default files and dirs... nothing found
    Searching for AjaKit rootkit default files and dirs... nothing found
    Searching for zaRwT rootkit default files and dirs... nothing found
    Searching for Madalin rootkit default files... nothing found
    Searching for anomalies in shell history files... Warning: `//backup/root/.mysql_history
    //drivebkp/root/.mysql_history' file size is zero
    nothing found
    Checking `asp'... not infected
    Checking `bindshell'... INFECTED (PORTS: 465)
    Checking `lkm'... You have 1 process hidden for ps command
    Warning: Possible LKM Trojan installed
    Checking `rexedcs'... not found
    Checking `sniffer'... eth0: not promisc and no PF_PACKET sockets
    eth0:4: not promisc and no PF_PACKET sockets
    eth0:9: not promisc and no PF_PACKET sockets
    eth0:1: not promisc and no PF_PACKET sockets
    eth0:2: not promisc and no PF_PACKET sockets
    eth0:3: not promisc and no PF_PACKET sockets
    eth0:5: not promisc and no PF_PACKET sockets
    eth0:6: not promisc and no PF_PACKET sockets
    eth0:7: not promisc and no PF_PACKET sockets
    eth0:8: not promisc and no PF_PACKET sockets
    eth0:10: not promisc and no PF_PACKET sockets
    Checking `w55808'... not infected
    Checking `wted'... nothing deleted
    Checking `scalper'... not infected
    Checking `slapper'... not infected
    Checking `z2'... nothing deleted
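    Both the dcpumon output in the first post ("Hidden Pid detected!", with the binary resolved for each PID) and chkrootkit's lkm check above ("You have 1 process hidden for ps command") rest on the same comparison: a PID that has a /proc entry but no ps line is treated as hidden. The first post also shows the failure mode of that comparison: every ps call there exits with a usage error, so every process on the box, pid 1 included, is reported as hidden. The following is an added example of that check, written for this thread and not code from dcpumon, chkrootkit or cPanel; it treats a ps run that fails or prints no PIDs as "no data" rather than "everything hidden", and only counts a PID as hidden if it is missing from ps in every snapshot, so a process that exited between the two listings is not reported. The /proc listings and ps output in demo() are constructed.

```python
"""Cross-check PIDs found in /proc against the PIDs that ps reports.

Added example, not dcpumon or chkrootkit code. Sample data below is constructed.
"""
import os
import subprocess


def proc_pids(proc_entries):
    """PIDs from a listing of /proc: only all-digit directory names are processes."""
    return {int(name) for name in proc_entries if name.isdigit()}


def ps_pids(ps_stdout, returncode):
    """PIDs from `ps -e -o pid=` output, or None when ps gave no usable list.

    A ps that exits with a usage error (as in the first post) prints no PIDs,
    so returning None here is what stops that being read as 'all hidden'.
    """
    if returncode != 0:
        return None
    pids = {int(tok) for tok in ps_stdout.split() if tok.isdigit()}
    return pids or None


def hidden_in_snapshot(proc_set, ps_set):
    """PIDs in /proc but not in ps for one snapshot; None if ps was unusable."""
    if ps_set is None:
        return None
    return proc_set - ps_set


def confirm_hidden(snapshots):
    """Intersect the hidden set over several (proc_set, ps_set) snapshots.

    Returns (status, pids): status is 'ps-unusable' if any snapshot had no ps
    data, otherwise 'ok'; pids are the PIDs missing from ps in every snapshot,
    which rules out processes that simply exited between the two listings.
    """
    confirmed = None
    for proc_set, ps_set in snapshots:
        hidden = hidden_in_snapshot(proc_set, ps_set)
        if hidden is None:
            return "ps-unusable", []
        confirmed = hidden if confirmed is None else confirmed & hidden
    return "ok", sorted(confirmed or set())


def binary_of(pid):
    """Resolve /proc/<pid>/exe, like the 'binary location' line in the report."""
    try:
        return os.readlink(f"/proc/{pid}/exe")
    except OSError:
        return "?"


def live_snapshot():
    """One real snapshot of this host (Linux only): (/proc PIDs, ps PIDs or None)."""
    proc = proc_pids(os.listdir("/proc"))
    run = subprocess.run(["ps", "-e", "-o", "pid="], capture_output=True, text=True)
    return proc, ps_pids(run.stdout, run.returncode)


# Constructed sample data shaped like the thread's output (not real captures).
SAMPLE_PROC = ["1", "2", "4279", "4467", "self", "cpuinfo", "meminfo", "9999"]
GOOD_PS = ("1\n2\n4279\n", 0)                    # 4467 exited after /proc was read
FAILED_PS = ("", 1)                              # ps exited with a usage error
SECOND_PROC = ["1", "2", "4279", "self", "9999"]  # second listing: 4467 is gone
SECOND_PS = ("1\n2\n4279\n", 0)


def demo():
    """Outcomes for the constructed samples: broken ps, one run, two runs."""
    proc = proc_pids(SAMPLE_PROC)
    broken = confirm_hidden([(proc, ps_pids(*FAILED_PS))])
    one_run = confirm_hidden([(proc, ps_pids(*GOOD_PS))])
    two_runs = confirm_hidden([
        (proc, ps_pids(*GOOD_PS)),
        (proc_pids(SECOND_PROC), ps_pids(*SECOND_PS)),
    ])
    return broken, one_run, two_runs


if __name__ == "__main__":
    print(demo())
    if os.path.isdir("/proc"):
        status, pids = confirm_hidden([live_snapshot(), live_snapshot()])
        print(status, [(p, binary_of(p)) for p in pids])
```

    Run on a Linux host it prints the constructed results and then a live check. A single run reports 4467 and 9999 as hidden because 4467 exited after /proc was listed; the second snapshot drops it and only 9999 survives. The limitation to keep in mind is that both the /proc listing and ps come from the same kernel, so a kernel-level rootkit that filters /proc hides from this comparison too, which is why the replies in this thread treat the rkhunter and chkrootkit warnings as grounds for a reinstall rather than a clean-up.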
     
  4. DigitalN

    DigitalN Well-Known Member

    Joined:
    Sep 23, 2004
    Messages:
    420
    Likes Received:
    1
    Trophy Points:
    18
    Try a scan with this too

    http://freshmeat.net/redir/rkhunter/46074/url_tgz/rkhunter-1.2.0.tar.gz

    Could be rooted, might not be, I can't say without looking at the box.

    Did you just upgrade the kernel or something like that recently? Using a 2.6 kernel?

    I would recommend that you invest the modest fees that some charge around here to have a look for you or hire someone that you know, who knows what they are doing.
    Time is of the essence when you are definitely rooted
     
  5. bhznat

    bhznat Active Member

    Joined:
    Jun 2, 2004
    Messages:
    29
    Likes Received:
    0
    Trophy Points:
    1
    Thank you all, I have installed rkhunter and run a test; below is a part of the result:

    * System tools
    /bin/netstat [ BAD ]
    /bin/ps [ BAD ]

    Check rootkits
    Rootkit 'RH-Sharpe's rootkit'... [ Warning! ]

    --------------------------------------------------------------------------------
    Found parts of this rootkit/trojan by checking the default files and directories
    Please inspect the available files, by running this check with the parameter
    --createlogfile and check the log file (current file: /dev/null).
    --------------------------------------------------------------------------------

    * Filesystem checks
    Checking /dev for suspicious files... [ Warning! (unusual files found) ]
    ---------------------------------------------
    Unusual files:
    /dev/tmpMnt: Linux rev 1.0 ext2 filesystem data (mounted or unclean)
    ---------------------------------------------

    ---------------------------- Scan results ----------------------------

    MD5
    MD5 compared: 51
    Incorrect MD5 checksums: 2

    File scan
    Scanned files: 342
    Possible infected files: 1
    Possible rootkits: RH-Sharpe's rootkit

    Application scan
    Vulnerable applications: 4
    ##################################

    All other things seem to be OK, but RH-Sharpe's rootkit!!!!
    I can't find any related topic explaining what RH-Sharpe's rootkit is and how to fix it.

    Please let me know what you think. How can I fix them?
    Thanks,
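    The rkhunter report above marks /bin/netstat and /bin/ps as [ BAD ] and its summary counts two incorrect MD5 checksums out of 51 compared: the tool keeps a database of known-good hashes for system binaries and flags any file whose current hash differs. The following is an added example of that comparison, written for this thread and not rkhunter's own code; it uses SHA-256 instead of MD5 and reports each path as OK, BAD (content changed) or MISSING. The file names and contents in demo() are constructed.

```python
"""Check system binaries against a baseline of known-good hashes.

Added example, not rkhunter's code. demo() uses constructed files, not real binaries.
"""
import hashlib
import os
import tempfile


def file_digest(path):
    """SHA-256 of a file read in chunks. Old rkhunter used MD5, which is no
    longer collision resistant, so a fresh baseline should use SHA-256."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(paths):
    """Map path -> digest. Take this on a known-good system (fresh install or
    package media), not on a box you already suspect, and keep it off-box."""
    return {p: file_digest(p) for p in paths}


def verify(baseline):
    """Compare the files on disk now with the baseline: OK, BAD or MISSING."""
    results = {}
    for path, expected in baseline.items():
        if not os.path.isfile(path):
            results[path] = "MISSING"
        elif file_digest(path) != expected:
            results[path] = "BAD"
        else:
            results[path] = "OK"
    return results


def summary(results):
    """Counts in the shape of rkhunter's 'compared' / 'incorrect' lines."""
    return {"compared": len(results),
            "incorrect": sum(1 for s in results.values() if s != "OK")}


def demo():
    """Constructed scenario: three fake 'binaries', one replaced, one removed."""
    with tempfile.TemporaryDirectory() as d:
        paths = [os.path.join(d, n) for n in ("ps", "netstat", "ls")]
        for p in paths:
            with open(p, "wb") as f:
                f.write(b"original " + os.path.basename(p).encode())
        baseline = build_baseline(paths)
        with open(paths[0], "wb") as f:      # "ps" replaced with other content
            f.write(b"not the original ps")
        os.remove(paths[1])                  # "netstat" removed
        results = verify(baseline)
        return ({os.path.basename(p): s for p, s in results.items()},
                summary(results))


if __name__ == "__main__":
    print(demo())
```

    On a Red Hat system the package database already holds such a baseline, so `rpm -Vf /bin/ps` checks the file against the package that owns it without a script. Two caveats apply to either method: the baseline or rpm database sitting on the same box can be altered along with the binaries, and a kernel-level rootkit (the "Possible LKM Trojan" line in the chkrootkit output) can return the original bytes to a hash check while a different program actually executes. A hash mismatch is therefore evidence of tampering, but a clean hash check on a suspect box is not evidence of the opposite, which is the reasoning behind the reinstall advice in the replies.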
     
  6. DigitalN

    DigitalN Well-Known Member

    Joined:
    Sep 23, 2004
    Messages:
    420
    Likes Received:
    1
    Trophy Points:
    18
    Hire a systems admin and let them take a look at the box for you.
     
  7. StevenC

    StevenC Well-Known Member

    Joined:
    Jan 1, 2004
    Messages:
    254
    Likes Received:
    0
    Trophy Points:
    16
    If the box is indeed compromised I would recommend getting a full operating system reinstall. Cleaning up the box is not really a good idea because you don't know what may be hiding dormant in it...
     
  8. chirpy

    chirpy Well-Known Member

    Joined:
    Jun 15, 2002
    Messages:
    13,475
    Likes Received:
    20
    Trophy Points:
    38
    Location:
    Go on, have a guess
    I would definitely agree with TheLinuxGuy. The output does suggest you've had a root exploit compromise and, should that be the case, you should get the server offline as soon as possible and have the OS reinstalled, and either restore your user data from backup or migrate it over by having the OS installed on a new disk with the old one mounted as a slave unit, following this thread:
    http://forum.ev1servers.net/showthread.php?s=&threadid=38797
     
  9. DigitalN

    DigitalN Well-Known Member

    Joined:
    Sep 23, 2004
    Messages:
    420
    Likes Received:
    1
    Trophy Points:
    18
    I would agree that the system does need to be restored if it is compromised, as cleaning up may not be an option.

    You should still hire someone who knows what they are looking for prior to restore though - as you might restore the box and get hacked the same way as soon as you have the machine online with its shiny new OS.

    In short, I would recommend that you try to establish how the box was compromised, before you restore it.
     