Is this trojan horse scan anything to be concerned about?

Discussion in 'Security' started by fireineyes, Feb 17, 2011.

  1. fireineyes

    fireineyes Member

    I had about 3 or 4 sites injected with an iframe code into all the index, home and default webpages throughout those sites, and they would then try to download spyware/virus to a visitor. I restored the sites, but I wanted to track down any compromises in security, so I did a Trojan Scan in CP WHM. Does this look suspicious, and what do I need to look for? I did have trojans on my local computer, so I am wondering if that caused issues.

    Main ]] Security ]] Scan for Trojan Horses
    Scan for Trojan Horses
    Appears Clean
    /dev/core
    /dev/stderr
    Scanning for Trojan Horses....
    Possible Trojan - /usr/bin/dbiprof
    Possible Trojan - /usr/bin/sa-learn
    Possible Trojan - /usr/bin/sa-update
    Possible Trojan - /usr/bin/spamassassin
    Possible Trojan - /usr/bin/spamd
    Possible Trojan - /usr/bin/ptar
    Possible Trojan - /usr/sbin/pureauth
    Possible Trojan - /etc/init.d/exim
    Possible Trojan - /usr/lib/exim/bin/spf_example
    Possible Trojan - /usr/lib/exim/bin/spfd
    Possible Trojan - /usr/lib/exim/bin/spfquery
    Possible Trojan - /usr/lib/exim/bin/spftest
    Possible Trojan - /usr/lib/exim/bin/srs
    Possible Trojan - /usr/sbin/antirelayd
    Possible Trojan - /usr/sbin/exigrep
    Possible Trojan - /usr/sbin/exim
    Possible Trojan - /usr/sbin/exim_dbmbuild
    Possible Trojan - /usr/sbin/exim_dumpdb
    Possible Trojan - /usr/sbin/exim_fixdb
    Possible Trojan - /usr/sbin/exim_lock
    Possible Trojan - /usr/sbin/exim_tidydb
    Possible Trojan - /usr/sbin/sendmail
    Possible Trojan - /usr/bin/cpan
    Possible Trojan - /usr/bin/instmodsh
    Possible Trojan - /usr/bin/prove
    Possible Trojan - /usr/bin/pstruct
    Possible Trojan - /etc/cron.daily/logrotate
    27 POSSIBLE Trojans Detected:(
     
  2. fireineyes

    fireineyes Member

    Never mind now... I had a server management company search for rootkits with RKHunter and it came up clean. Thanks anyway.
     
  3. cPanelTristan

    cPanelTristan Quality Assurance Analyst
    Staff Member

    Hello,

    I did want to provide this information for later users who might have the same ones return on a scan to show what each happens to be:

    Possible Trojan - /usr/bin/dbiprof --> used by Perl
    Possible Trojan - /usr/bin/sa-learn --> SpamAssassin learn function
    Possible Trojan - /usr/bin/sa-update --> SpamAssassin updater
    Possible Trojan - /usr/bin/spamassassin --> SpamAssassin binary
    Possible Trojan - /usr/bin/spamd --> SpamAssassin binary
    Possible Trojan - /usr/bin/ptar --> used by Perl to extract, create and list tar archives
    Possible Trojan - /usr/sbin/pureauth --> used for ftp authentication
    Possible Trojan - /etc/init.d/exim --> exim start file
    Possible Trojan - /usr/lib/exim/bin/spf_example --> exim SPF file
    Possible Trojan - /usr/lib/exim/bin/spfd --> exim SPF file
    Possible Trojan - /usr/lib/exim/bin/spfquery --> exim SPF file
    Possible Trojan - /usr/lib/exim/bin/spftest --> exim SPF file
    Possible Trojan - /usr/lib/exim/bin/srs --> exim SRS file
    Possible Trojan - /usr/sbin/antirelayd --> used for POP3 before SMTP authentication
    Possible Trojan - /usr/sbin/exigrep --> exim utility for running grep on mail logs
    Possible Trojan - /usr/sbin/exim --> exim binary for mail
    Possible Trojan - /usr/sbin/exim_dbmbuild --> exim dbmbuild binary
    Possible Trojan - /usr/sbin/exim_dumpdb --> exim dumpdb binary
    Possible Trojan - /usr/sbin/exim_fixdb --> exim fixdb binary
    Possible Trojan - /usr/sbin/exim_lock --> exim lock file
    Possible Trojan - /usr/sbin/exim_tidydb --> exim's tidydb binary
    Possible Trojan - /usr/sbin/sendmail --> sendmail binary for sending mail
    Possible Trojan - /usr/bin/cpan --> perl module installer
    Possible Trojan - /usr/bin/instmodsh --> used by Perl
    Possible Trojan - /usr/bin/prove --> used for running tests on a machine
    Possible Trojan - /usr/bin/pstruct --> used for binary dumps for Perl programmers
    Possible Trojan - /etc/cron.daily/logrotate --> used to rotate the logs

    None of the above would be considered trojans.

    Thanks.
     
