The Community Forums


LKM Trojan installed - Urgent.

Discussion in 'General Discussion' started by mitul, Feb 27, 2003.

  1. mitul

    mitul Well-Known Member

    Joined:
    Feb 8, 2003
    Messages:
    291
    Likes Received:
    0
    Trophy Points:
    16
    Hello All,

    Several files on my server are infected by this trojan. How do I protect my server? Please help.

    Possible Trojan - /usr/lib/libdb_tcl-3.2.so
    Possible Trojan - /usr/lib/python1.5/site-packages/cgiwrap.pyc
    Possible Trojan - /usr/lib/python1.5/site-packages/xmlrpclib.pyc

    Thank you, :eek:
     
  2. ozzi4648

    ozzi4648 Guest

    How do you know? Are you getting this report when running the option from WHM? I don't even know why it's included. It's the dumbest option in WHM. It means nothing and you probably are not infected.

    Get yourself a copy of the latest chkrootkit. You can find installation instructions from the link in my signature. Click on LINUX at the top, then find HOW TO INSTALL CHKROOTKIT. After you install it, run ./chkrootkit to check your entire server.

    Good luck!
     
  3. mitul

    mitul Well-Known Member

    Joined:
    Feb 8, 2003
    Messages:
    291
    Likes Received:
    0
    Trophy Points:
    16
    I scanned the server using the latest chkrootkit version and it showed me:

    Checking `rpcinfo'... INFECTED
    Warning: Possible LKM Trojan installed

    Thank you,
     
  4. ozzi4648

    ozzi4648 Guest

    PM sent!
     
  5. Website Rob

    Website Rob Well-Known Member

    Joined:
    Mar 23, 2002
    Messages:
    1,506
    Likes Received:
    0
    Trophy Points:
    36
    Location:
    Alberta, Canada
    cPanel Access Level:
    Root Administrator
    Ok, no doubt that chkrootkit is a handy tool to have. Unfortunately I seem to have a bum install with v0.39a:

    In file included from /usr/include/linux/if.h:22,
    from ifpromisc.c:28:
    /usr/include/linux/types.h:104: parse error before `__kernel_daddr_t'
    /usr/include/linux/types.h:104: warning: no semicolon at end of struct or union
    /usr/include/linux/types.h:105: warning: data definition has no type or storage class
    /usr/include/linux/types.h:108: parse error before `}'
    make: *** [ifpromisc] Error 1

    Or maybe it's trying to tell me something. Not being familiar with this script, any help on the above msg. is appreciated.

    BTW, a run showed no infections, but when checking "Searching for suspicious files and dirs, it may take a while..." it sure did show a lot -- all seemed to be "packlists" though, so I'm not worried. :)

    I did get this error though:

    Checking `sniffer'... not tested: can't exec ./ifpromisc

    because of the install error listed above.
     
    #5 Website Rob, Feb 27, 2003
    Last edited: Feb 27, 2003
  6. Radio_Head

    Radio_Head Well-Known Member

    Joined:
    Feb 15, 2002
    Messages:
    2,051
    Likes Received:
    1
    Trophy Points:
    38
    If I am not wrong, with chkrootkit you can only DETECT, but you cannot remove trojans.
    And Loaded Kernel Module (LKM) trojans should not be so easy to remove, I think.

    Is there something to remove them?
     
  7. SoftmegUK

    SoftmegUK Well-Known Member

    Joined:
    Feb 13, 2002
    Messages:
    372
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    UK

    I just installed it myself after reading this, worked without a problem!
     
  8. dgbaker

    dgbaker Well-Known Member
    PartnerNOC

    Joined:
    Sep 20, 2002
    Messages:
    2,578
    Likes Received:
    3
    Trophy Points:
    38
    Location:
    Toronto, Ontario Canada
    cPanel Access Level:
    DataCenter Provider
    quote:
    --------------------------------------------------------------------------------
    Originally posted by Website Rob
    Ok, no doubt that chkrootkit is a handy tool to have. Unfortunately I seem to have a bum install with v0.39a:

    In file included from /usr/include/linux/if.h:22,
    from ifpromisc.c:28:
    /usr/include/linux/types.h:104: parse error before `__kernel_daddr_t'
    /usr/include/linux/types.h:104: warning: no semicolon at end of struct or union
    /usr/include/linux/types.h:105: warning: data definition has no type or storage class
    /usr/include/linux/types.h:108: parse error before `}'
    make: *** [ifpromisc] Error 1

    Or maybe it's trying to tell me something. Not being familiar with this script, any help on the above msg. is appreciated.

    BTW, a run showed no infections, but when checking "Searching for suspicious files and dirs, it may take a while..." it sure did show a lot -- all seemed to "packlists" though, so I'm not worried.

    I did get this error though:

    Checking `sniffer'... not tested: can't exec ./ifpromisc

    because of the install error listed above.
    --------------------------------------------------------------------------------

    Well we got the exact same error as Website Rob. :(
     
  9. Website Rob

    Website Rob Well-Known Member

    Joined:
    Mar 23, 2002
    Messages:
    1,506
    Likes Received:
    0
    Trophy Points:
    36
    Location:
    Alberta, Canada
    cPanel Access Level:
    Root Administrator
    Well, let's use more info.

    Linux 7.3
    Kernel Version 2.4.18-17.7.x

    Anyone else using the same, with problems or no problems with v??? of chkrootkit?
     
  10. Sash

    Sash Well-Known Member

    Joined:
    Feb 18, 2003
    Messages:
    252
    Likes Received:
    0
    Trophy Points:
    16
    Linux 7.3
    Kernel Version 2.4.18-24.7.x

    .38 - works fine
    .39a - same error

    If anyone wants a copy of .38 pm me.

    Mike
     
  11. hkewell

    hkewell Well-Known Member

    Joined:
    May 17, 2002
    Messages:
    170
    Likes Received:
    0
    Trophy Points:
    0
    Our server has the following; how to remove ...? Please help.

    Scanning for Trojan Horses.....

    Possible Trojan - /usr/bin/xmlwf
    Possible Trojan - /usr/sbin/imapd
    Possible Trojan - /etc/rc.d/init.d/mysql
    Possible Trojan - /usr/bin/isamchk
    Possible Trojan - /usr/bin/isamlog
    Possible Trojan - /usr/bin/my_print_defaults
    Possible Trojan - /usr/bin/myisamchk
    Possible Trojan - /usr/bin/myisamlog
    Possible Trojan - /usr/bin/myisampack
    Possible Trojan - /usr/bin/mysql_convert_table_format
    Possible Trojan - /usr/bin/mysqlbug
    Possible Trojan - /usr/bin/mysqlhotcopy
    Possible Trojan - /usr/bin/mysqltest
    Possible Trojan - /usr/bin/pack_isam
    Possible Trojan - /usr/bin/perror
    Possible Trojan - /usr/bin/replace
    Possible Trojan - /usr/bin/resolve_stack_dump
    Possible Trojan - /usr/bin/resolveip
    Possible Trojan - /usr/bin/safe_mysqld
    Possible Trojan - /usr/sbin/mysqld
    Possible Trojan - /usr/share/mysql/make_binary_distribution
    Possible Trojan - /usr/share/mysql/mysql.server
    Possible Trojan - /usr/bin/mysql_config
    Possible Trojan - /usr/lib/libmysqlclient.so.10.0.0
    Possible Trojan - /usr/lib/libmysqlclient_r.so.10.0.0
    Possible Trojan - /usr/bin/whois.psad
    Possible Trojan - /usr/bin/pod2man
    Possible Trojan - /usr/bin/pod2text
    Possible Trojan - /usr/lib/perl5/5.8.0/i386-linux-thread-multi/auto/Digest/MD5/MD5.so
    Possible Trojan - /usr/lib/perl5/5.8.0/i386-linux-thread-multi/auto/Storable/Storable.so
    Possible Trojan - /usr/lib/perl5/5.8.0/i386-linux-thread-multi/auto/Time/HiRes/HiRes.so
    .......
     
  12. mitul

    mitul Well-Known Member

    Joined:
    Feb 8, 2003
    Messages:
    291
    Likes Received:
    0
    Trophy Points:
    16
    You are OK.

    Don't panic. It seems that your system is clean. No need to bother; this doesn't mean anything.
    See chkrootkit (maybe chkrootkit 3x!!!!).

    And then see what it says!!!!! :D
     
  13. Website Rob

    Website Rob Well-Known Member

    Joined:
    Mar 23, 2002
    Messages:
    1,506
    Likes Received:
    0
    Trophy Points:
    36
    Location:
    Alberta, Canada
    cPanel Access Level:
    Root Administrator
    Yeah, never use the "Search for Trojans" in WHM. Although I'm not sure exactly what it's supposed to do, what it does do is give lots of false positives and unnecessary stress. ;)

    As for chkrootkit, anyone know how often new versions come out? Not sure if going back to v38 is better than waiting for a new release. Nice gesture though, on Sash's part, to make it available. May take you up on it, but will wait and see till after I get more info.
     
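Tying together the two kinds of scanner output quoted in this thread (WHM's "Possible Trojan - <path>" list in posts #1 and #11, and chkrootkit's "Checking `x'... INFECTED" lines in post #3), the following script is an added example written for this page; it is not code from the thread, from cPanel or from chkrootkit. It parses both formats from constructed sample text, buckets the chkrootkit verdicts so that INFECTED and "not tested" checks stand out (the sniffer check that was skipped because ifpromisc did not build lands in the second bucket), and, where an `rpm` command exists on the host, cross-checks each WHM-flagged path against the package database with `rpm -qf` and `rpm -V`. The helper names (`parse_chkrootkit`, `classify`, `summarize`, `parse_whm`, `rpm_check`, `triage_whm`) and the sample lines are my own assumptions.

```python
"""Triage helper for WHM "Possible Trojan" lists and chkrootkit output.
Added example for this thread; not code from cPanel, WHM or chkrootkit."""
import re
import shutil
import subprocess

# Constructed sample input, modelled on the lines quoted in the thread.
CHKROOTKIT_SAMPLE = """\
Checking `ifconfig'... not infected
Checking `rpcinfo'... INFECTED
Warning: Possible LKM Trojan installed
Checking `sniffer'... not tested: can't exec ./ifpromisc
Checking `aliens'... no suspect files
"""

WHM_SAMPLE = """\
Scanning for Trojan Horses.....

Possible Trojan - /usr/sbin/mysqld
Possible Trojan - /usr/lib/libmysqlclient.so.10.0.0
Possible Trojan - /usr/lib/perl5/5.8.0/i386-linux-thread-multi/auto/Storable/Storable.so
.......
"""

CHECK_RE = re.compile(r"^Checking `([^']+)'\.\.\. ?(.*)$")
WHM_RE = re.compile(r"^Possible Trojan - (\S+)$")


def parse_chkrootkit(text):
    """Return ({check_name: verdict}, [free-standing 'Warning:' lines])."""
    verdicts, warnings = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        m = CHECK_RE.match(line)
        if m:
            verdicts[m.group(1)] = m.group(2).strip()
        elif line.startswith("Warning:"):
            warnings.append(line)
    return verdicts, warnings


def classify(verdict):
    """Collapse chkrootkit's free-text verdicts into three buckets."""
    v = verdict.lower()
    if v.startswith("infected"):
        return "INFECTED"
    if v.startswith("not tested"):
        return "NOT_TESTED"   # check skipped, e.g. ifpromisc failed to build
    return "CLEAN"            # "not infected", "no suspect files", ...


def summarize(text):
    """Group check names by bucket so INFECTED and NOT_TESTED stand out."""
    verdicts, warnings = parse_chkrootkit(text)
    buckets = {"INFECTED": [], "NOT_TESTED": [], "CLEAN": []}
    for name, verdict in verdicts.items():
        buckets[classify(verdict)].append(name)
    return buckets, warnings


def parse_whm(text):
    """Extract the flagged paths from WHM's 'Scanning for Trojan Horses' output."""
    paths = []
    for raw in text.splitlines():
        m = WHM_RE.match(raw.strip())
        if m:
            paths.append(m.group(1))
    return paths


def rpm_check(path):
    """Cross-check a flagged path against the RPM database (Red Hat style hosts):
    which package owns it, and does 'rpm -V' list the file as modified?
    Returns None when 'rpm' is not installed, so the example runs anywhere."""
    if shutil.which("rpm") is None:
        return None
    owner = subprocess.run(["rpm", "-qf", path], capture_output=True, text=True)
    if owner.returncode != 0:
        return {"package": None, "modified": None}   # unowned file: look closer
    pkg = owner.stdout.strip().splitlines()[0]
    verify = subprocess.run(["rpm", "-V", pkg], capture_output=True, text=True)
    # rpm -V prints one line per file differing from the package manifest,
    # with the path as the last field; no line for this path means unchanged.
    modified = any(l.split()[-1] == path for l in verify.stdout.splitlines() if l.split())
    return {"package": pkg, "modified": modified}


def triage_whm(text):
    """Attach the rpm cross-check result to each WHM-flagged path."""
    return {p: rpm_check(p) for p in parse_whm(text)}


if __name__ == "__main__":
    buckets, warnings = summarize(CHKROOTKIT_SAMPLE)
    for bucket in ("INFECTED", "NOT_TESTED", "CLEAN"):
        print(f"{bucket:10s} {', '.join(buckets[bucket]) or '-'}")
    for w in warnings:
        print(w)
    for path, result in triage_whm(WHM_SAMPLE).items():
        print(path, "->", result if result is not None else "rpm not available here")
```

The rpm cross-check makes the point the thread arrives at: the MySQL and Perl paths in post #11 are package-owned files, and a file that `rpm -V` reports unchanged is a much weaker signal than one that no package owns or whose checksum differs. The caveat that applies to every tool discussed here is that if a kernel-level (LKM) rootkit really is loaded, anything run on that host, rpm and chkrootkit included, can be fed false answers, so a genuine INFECTED hit is best confirmed by examining the disk from a trusted rescue medium rather than from the running system.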
  14. dgbaker

    dgbaker Well-Known Member
    PartnerNOC

    Joined:
    Sep 20, 2002
    Messages:
    2,578
    Likes Received:
    3
    Trophy Points:
    38
    Location:
    Toronto, Ontario Canada
    cPanel Access Level:
    DataCenter Provider
    Okay, for us it's still not working, and we are:

    Red Hat 7.3

    Kernel 2.4.20
     