LKM Trojan installed - Urgent.

mitul

Well-Known Member
Feb 8, 2003
291
0
166
Hello All,

Several files on my server are infected by this trojan. How do I protect my server? Please help.

Possible Trojan - /usr/lib/libdb_tcl-3.2.so

Possible Trojan - /usr/lib/python1.5/site-packages/cgiwrap.pyc

Possible Trojan - /usr/lib/python1.5/site-packages/xmlrpclib.pyc

Thank you,:eek:
 

ozzi4648

Guest
Originally posted by mitul
Hello All,

Several files on my server are infected by this trojan. How do I protect my server? Please help.

Possible Trojan - /usr/lib/libdb_tcl-3.2.so

Possible Trojan - /usr/lib/python1.5/site-packages/cgiwrap.pyc

Possible Trojan - /usr/lib/python1.5/site-packages/xmlrpclib.pyc

Thank you,:eek:
How do you know? Are you getting this report when running the option from WHM? I don't even know why it's included. It's the dumbest option in WHM. It means nothing and you probably are not infected.

Get yourself a copy of the latest chkrootkit. You can find installation instructions from the link in my signature. Click on LINUX at the top then find HOW TO INSTALL CHKROOTKIT. After you install it run ./chkrootkit to check your entire server.

Good luck!
 

mitul

Well-Known Member
Feb 8, 2003
291
0
166
I scanned the server using the latest chkrootkit version and it showed me

Checking `rpcinfo'... INFECTED
Warning: Possible LKM Trojan installed

Thank you,
 
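The "Possible LKM Trojan installed" warning above comes from the part of chkrootkit that compares views of the process table: a kernel-level rootkit that hides processes usually filters one view (the /proc directory listing that ps relies on) but not every other way of reaching a PID. The script below is an added example of that cross-check, written for this thread and not chkrootkit's own code; it assumes a Linux procfs. It also handles the two classic false positives of this technique: threads (which answer kill(tid, 0) but are never listed in /proc) and short-lived processes that start or exit between snapshots.

```python
#!/usr/bin/env python3
"""Cross-check process visibility the way an LKM-rootkit detector does.

Added example, not chkrootkit's code. Assumes Linux procfs; ps(1) and the
/proc layout are real, the function names are this example's own.
"""
import os
import re
import time

PID_DIR_RE = re.compile(r"^\d+$")


def listed_pids(proc_dir="/proc"):
    """PIDs visible as numeric directory entries under /proc (the ps view)."""
    return {int(n) for n in os.listdir(proc_dir) if PID_DIR_RE.match(n)}


def probed_pids(max_pid):
    """PIDs that exist according to kill(pid, 0), listed in /proc or not."""
    alive = set()
    for pid in range(1, max_pid + 1):
        try:
            os.kill(pid, 0)          # signal 0: existence check, nothing delivered
        except ProcessLookupError:
            continue                 # no such process
        except PermissionError:
            pass                     # exists, owned by another user
        alive.add(pid)
    return alive


def tgid_of(pid, proc_dir="/proc"):
    """Thread-group id from /proc/<pid>/status, or None if the PID vanished."""
    try:
        with open(f"{proc_dir}/{pid}/status") as status:
            for line in status:
                if line.startswith("Tgid:"):
                    return int(line.split()[1])
    except (OSError, ValueError, IndexError):
        pass
    return None


def hidden_from_listing(listed, probed, tgid_lookup):
    """PIDs reachable by probe whose thread group is absent from the listing.

    Threads answer kill(tid, 0) but are not listed in /proc, so a naive
    probe-vs-listing diff flags every thread of every multithreaded process.
    Mapping each probed PID to its Tgid removes that false positive.
    """
    hidden = set()
    for pid in probed:
        tgid = tgid_lookup(pid)
        if tgid is None:
            continue                 # exited between probe and lookup: ordinary churn
        if tgid not in listed:
            hidden.add(pid)
    return hidden


def stable_hidden(rounds):
    """Keep only PIDs reported hidden in every round.

    rounds is a list of per-round hidden sets. Processes that come and go
    between snapshots appear in one round but not another and are dropped;
    a genuinely hidden process persists across all rounds.
    """
    result = None
    for hidden in rounds:
        result = set(hidden) if result is None else result & set(hidden)
    return sorted(result or ())


def scan(rounds=3, pause=0.5, proc_dir="/proc"):
    """Take several snapshots of the live system; return stable hidden PIDs."""
    with open(f"{proc_dir}/sys/kernel/pid_max") as f:
        max_pid = int(f.read())
    per_round = []
    for _ in range(rounds):
        listed = listed_pids(proc_dir)
        probed = probed_pids(max_pid)
        per_round.append(hidden_from_listing(listed, probed,
                                             lambda p: tgid_of(p, proc_dir)))
        time.sleep(pause)
    return stable_hidden(per_round)


if __name__ == "__main__":
    found = scan()
    print("hidden PIDs:", found if found else "none")
```

Run it as root so the probe can see every user's processes; on a modern kernel pid_max is large, so each round issues a few million kill(2) calls and takes a few seconds. A non-empty result means the kernel answered for a PID that the directory listing does not show, which is exactly the condition a hidden-process rootkit creates and which a userland tool like ps cannot notice on its own; it is a reason to examine the machine from trusted boot media, not proof by itself.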

ozzi4648

Guest
Originally posted by mitul
I scanned the server using the latest chkrootkit version and it showed me

Checking `rpcinfo'... INFECTED
Warning: Possible LKM Trojan installed

Thank you,
PM sent!
 

Website Rob

Well-Known Member
Mar 23, 2002
1,501
1
318
Alberta, Canada
cPanel Access Level
Root Administrator
Ok, no doubt that chkrootkit is a handy tool to have. Unfortunately I seem to have a bum install with v0.39a:

In file included from /usr/include/linux/if.h:22,
from ifpromisc.c:28:
/usr/include/linux/types.h:104: parse error before `__kernel_daddr_t'
/usr/include/linux/types.h:104: warning: no semicolon at end of struct or union
/usr/include/linux/types.h:105: warning: data definition has no type or storage class
/usr/include/linux/types.h:108: parse error before `}'
make: *** [ifpromisc] Error 1

Or maybe it's trying to tell me something. Not being familiar with this script, any help on the above msg. is appreciated.

BTW, a run showed no infections, but when checking "Searching for suspicious files and dirs, it may take a while..." it sure did show a lot -- all seemed to be "packlists" though, so I'm not worried. :)

I did get this error though:

Checking `sniffer'... not tested: can't exec ./ifpromisc

because of the install error listed above.
 

Radio_Head

Well-Known Member
Verified Vendor
Feb 15, 2002
2,048
1
343
If I am not wrong, with chkrootkit you can only DETECT but you cannot remove trojans.
And Loaded Kernel Module (LKM) trojans should not be so easy to remove, I think.

Is there something to remove them?
 

SoftmegUK

Well-Known Member
Feb 13, 2002
368
0
316
UK
Originally posted by Website Rob
Ok, no doubt that chkrootkit is a handy tool to have. Unfortunately I seem to have a bum install with v0.39a:

In file included from /usr/include/linux/if.h:22,
from ifpromisc.c:28:
/usr/include/linux/types.h:104: parse error before `__kernel_daddr_t'
/usr/include/linux/types.h:104: warning: no semicolon at end of struct or union
/usr/include/linux/types.h:105: warning: data definition has no type or storage class
/usr/include/linux/types.h:108: parse error before `}'
make: *** [ifpromisc] Error 1

Or maybe it's trying to tell me something. Not being familiar with this script, any help on the above msg. is appreciated.

BTW, a run showed no infections, but when checking "Searching for suspicious files and dirs, it may take a while..." it sure did show a lot -- all seemed to be "packlists" though, so I'm not worried. :)

I did get this error though:

Checking `sniffer'... not tested: can't exec ./ifpromisc

because of the install error listed above.

I just installed it myself after reading this, worked without a problem!
 

dgbaker

Well-Known Member
PartnerNOC
Sep 20, 2002
2,531
10
343
Toronto, Ontario Canada
cPanel Access Level
DataCenter Provider
Originally posted by Website Rob
Ok, no doubt that chkrootkit is a handy tool to have. Unfortunately I seem to have a bum install with v0.39a:

In file included from /usr/include/linux/if.h:22,
from ifpromisc.c:28:
/usr/include/linux/types.h:104: parse error before `__kernel_daddr_t'
/usr/include/linux/types.h:104: warning: no semicolon at end of struct or union
/usr/include/linux/types.h:105: warning: data definition has no type or storage class
/usr/include/linux/types.h:108: parse error before `}'
make: *** [ifpromisc] Error 1

Or maybe it's trying to tell me something. Not being familiar with this script, any help on the above msg. is appreciated.

BTW, a run showed no infections, but when checking "Searching for suspicious files and dirs, it may take a while..." it sure did show a lot -- all seemed to be "packlists" though, so I'm not worried.

I did get this error though:

Checking `sniffer'... not tested: can't exec ./ifpromisc

because of the install error listed above.

Originally posted by SoftmegUK
I just installed it myself after reading this, worked without a problem!
Well we got the exact same error as Website Rob. :(
 

Website Rob

Well-Known Member
Mar 23, 2002
1,501
1
318
Alberta, Canada
cPanel Access Level
Root Administrator
Well, let's use more info.

Linux 7.3
Kernel Version 2.4.18-17.7.x

Anyone else using same and problems or no problems with v??? of chkrootkit?
 

Sash

Well-Known Member
Feb 18, 2003
252
0
166
Linux 7.3
Kernel Version 2.4.18-24.7.x

.38 - works fine
.39a - same error

If anyone wants a copy of .38 pm me.

Mike
 

hkewell

Well-Known Member
May 17, 2002
170
0
316
Our server has the following, how do we remove them? Please help.


Scanning for Trojan Horses.....

Possible Trojan - /usr/bin/xmlwf
Possible Trojan - /usr/sbin/imapd
Possible Trojan - /etc/rc.d/init.d/mysql
Possible Trojan - /usr/bin/isamchk
Possible Trojan - /usr/bin/isamlog
Possible Trojan - /usr/bin/my_print_defaults
Possible Trojan - /usr/bin/myisamchk
Possible Trojan - /usr/bin/myisamlog
Possible Trojan - /usr/bin/myisampack
Possible Trojan - /usr/bin/mysql_convert_table_format
Possible Trojan - /usr/bin/mysqlbug
Possible Trojan - /usr/bin/mysqlhotcopy
Possible Trojan - /usr/bin/mysqltest
Possible Trojan - /usr/bin/pack_isam
Possible Trojan - /usr/bin/perror
Possible Trojan - /usr/bin/replace
Possible Trojan - /usr/bin/resolve_stack_dump
Possible Trojan - /usr/bin/resolveip
Possible Trojan - /usr/bin/safe_mysqld
Possible Trojan - /usr/sbin/mysqld
Possible Trojan - /usr/share/mysql/make_binary_distribution
Possible Trojan - /usr/share/mysql/mysql.server
Possible Trojan - /usr/bin/mysql_config
Possible Trojan - /usr/lib/libmysqlclient.so.10.0.0
Possible Trojan - /usr/lib/libmysqlclient_r.so.10.0.0
Possible Trojan - /usr/bin/whois.psad
Possible Trojan - /usr/bin/pod2man
Possible Trojan - /usr/bin/pod2text
Possible Trojan - /usr/lib/perl5/5.8.0/i386-linux-thread-ulti/auto/Digest/MD5/MD5.so
Possible Trojan - /usr/lib/perl5/5.8.0/i386-linux-thread-multi/auto/Storable/Storable.so
Possible Trojan - /usr/lib/perl5/5.8.0/i386-linux-thread-multi/auto/Time/HiRes/HiRes.so
.......
 

mitul

Well-Known Member
Feb 8, 2003
291
0
166
You are OK

Don't panic. It seems that your system is clean. No need to bother; this doesn't mean anything.
See chkrootkit (maybe chkrootkit 3x !!!!).

And then see what it says!!!!!:D
 

Website Rob

Well-Known Member
Mar 23, 2002
1,501
1
318
Alberta, Canada
cPanel Access Level
Root Administrator
Yeah, never use the "Search for Trojans" in WHM. Although I'm not sure exactly what it's supposed to do, what it does do is give lots of false positives and unnecessary stress. ;)

As for chkrootkit, anyone know how often new versions come out? Not sure if going back to v38 is better than waiting for a new release. Nice gesture though, on Sash's part, to make it available. May take you up on it, but will wait and see till after I get more info.
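The "Possible Trojan - /usr/bin/..." lists posted by mitul and hkewell are flagged by name only, which is why the thread treats them as false positives: a path match says nothing about whether the file actually changed. The check that does settle it is comparing each flagged file's digest with a baseline taken from a trusted source (a clean install, or the package manager's own manifest; on an RPM-based system such as the Red Hat 7.3 boxes mentioned above, `rpm -V <package>` performs this comparison for you). The script below is an added example of that triage, not WHM's or chkrootkit's code; the report text, the baseline and the files it checks are constructed inline for the demo, and the verdict names are this example's own.

```python
#!/usr/bin/env python3
"""Triage a 'Possible Trojan - <path>' list against a trusted hash baseline.

Added example, not WHM's or chkrootkit's code. The baseline stands in for a
package manifest; everything in run_demo() is constructed sample data.
"""
import hashlib
import os
import re
import tempfile

FLAG_RE = re.compile(r"^\s*Possible Trojan - (?P<path>\S+)\s*$")


def parse_flagged(report):
    """Extract flagged paths from scanner output; every other line is ignored."""
    paths = []
    for line in report.splitlines():
        m = FLAG_RE.match(line)
        if m:
            paths.append(m.group("path"))
    return paths


def sha256_of(path):
    """Streaming SHA-256 of a file so large binaries do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def triage(paths, baseline):
    """Return {path: verdict} for each flagged path.

    ok        digest matches the baseline: the flag is a false positive
    MODIFIED  digest differs from the baseline: this one needs a look
    missing   flagged but not on disk: scanner and filesystem disagree
    unknown   no baseline entry, so nothing can be concluded either way
    """
    verdicts = {}
    for p in paths:
        if not os.path.isfile(p):
            verdicts[p] = "missing"
        elif p not in baseline:
            verdicts[p] = "unknown"
        elif sha256_of(p) == baseline[p]:
            verdicts[p] = "ok"
        else:
            verdicts[p] = "MODIFIED"
    return verdicts


def run_demo():
    """Build a throwaway tree, a baseline and a fake report; return verdicts by basename."""
    root = tempfile.mkdtemp(prefix="triage-demo-")
    # Constructed stand-ins for the MySQL helper files named in the thread
    files = {
        "mysqlhotcopy": b"#!/usr/bin/perl\n# unchanged helper script\n",
        "safe_mysqld": b"#!/bin/sh\nexec mysqld \"$@\"\n",
        "perror": b"ELF-ish bytes\x00\x01\x02",
    }
    for name, body in files.items():
        with open(os.path.join(root, name), "wb") as f:
            f.write(body)
    # Baseline from the clean content; 'perror' deliberately has no entry
    baseline = {os.path.join(root, n): hashlib.sha256(b).hexdigest()
                for n, b in files.items() if n != "perror"}
    # Simulate a file altered after the baseline was recorded
    with open(os.path.join(root, "safe_mysqld"), "ab") as f:
        f.write(b"\n# appended by someone else\n")
    # Constructed scanner output, including a path that does not exist on disk
    report = "Scanning for Trojan Horses.....\n\n" + "".join(
        f"Possible Trojan - {os.path.join(root, n)}\n" for n in (*files, "xmlwf"))
    verdicts = triage(parse_flagged(report), baseline)
    return {os.path.basename(p): v for p, v in verdicts.items()}


if __name__ == "__main__":
    for name, verdict in run_demo().items():
        print(f"{verdict:9} {name}")
```

The useful property is that the long list collapses to the few entries marked MODIFIED or unknown, and only those need a human. The baseline must come from somewhere the attacker could not have written to (install media, a vendor manifest, a signed copy stored off the box); a hash table generated on a machine you already suspect only proves the files have not changed since you suspected it.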