The Community Forums


Scalper Worm

Discussion in 'General Discussion' started by MikeMc, Jul 1, 2003.

  1. MikeMc

    chkrootkit (installed today - latest version) gives me this warning: Checking `scalper'... Warning: Possible Scalper Worm installed

    I have RH 7.3, Apache 1.3.27 and OpenSSL 0.9.6b. I want to believe that I'm secure with the above software and, even if the worm exists, the vulnerability should not exist anymore with the above versions. But on this maybe I'm totally wrong. Could you indicate some steps to confirm chkrootkit's warning?

    Another piece of info I can provide (if it's useful) is that /tmp has no strange files in it.

    Thank you.

  2. shaun

    Delete the files, /tmp/.uua or /tmp/.a if they exist.

  3. shaun

    Also kill any processes that are running under those names.

  4. MikeMc

    Thanks for your reply shaun.
    There are no files with these names and no processes related to these files.

    If you have any other suggestions, I'll be glad to hear them.
    Thanks again.

  5. shaun

    Do a search on Google for scalper removal.

  6. rpmws

    I run chkrootkit every 3 hours and this morning, for the first time, on 4 boxes:

    Checking `bindshell'... INFECTED (PORTS: 465)
    Checking `lkm'... You have 2 process hidden for readdir command
    You have 2 process hidden for ps command
    Warning: Possible LKM Trojan installed

    All 4 at the same time. Anyone else getting this now all of a sudden?

  7. rpmws

    If I run it a few more times, the 465 port stays but the LKM goes away.

  8. Website Rob

    Which version are you running? I get your basic 'all is well' output.

    # $Id: chkrootkit, v 0.39 2003/01/30

    Checking `asp'... not infected
    Checking `bindshell'... INFECTED (PORTS: 465)
    Checking `lkm'... Checking `rexedcs'... not found
    Checking `sniffer'... not tested: can't exec ./ifpromisc
    Checking `wted'... not tested: can't exec ./chkwtmp
    Checking `scalper'... not infected
    Checking `slapper'... not infected
    Checking `z2'... not tested: can't exec ./chklastlog

    The 'bindshell' msg. can be ignored. Something to do with the script itself or the way cPanel is set up -- not sure which.

  9. rpmws

    .41

    For a few days I didn't see the bindshell listed. Then it came back last night.

  10. cass

  11. shaun

    Checking `bindshell'... INFECTED (PORTS: 465)

    Ignore that, it's picking up portsentry. That's a false positive.

  12. Website Rob

    Is that like, when a girl says 'Yes' and she really means 'Maybe'? ;) :D

  13. MikeMc

    So, guys, what do you think... can we live with some (that) warning(s), or should we spend time and money to get rid of them?

  14. MikeMc

    By accident I found out that the scalper warning is related to portsentry (or a specific configuration of it) -> at least in my case. And this on a new cPanel machine. With portsentry off, I get no warnings.

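The check the two findings above call for (shaun's that the port-465 "bindshell" hit is portsentry, MikeMc's that the scalper warning goes away with portsentry off) is to look up which process actually owns a port chkrootkit flagged. This is an added example, not code from the thread or from chkrootkit; it parses a constructed `netstat -lntup` listing, and on a live server you would replace SAMPLE_NETSTAT with the real output, run as root so the PID/Program column is populated.

```shell
#!/bin/sh
# Constructed sample of `netstat -lntup` output (not captured from the thread).
# Live use: SAMPLE_NETSTAT=$(netstat -lntup)   # as root, so PID/Program is visible
SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd
tcp        0      0 0.0.0.0:465             0.0.0.0:*               LISTEN      1033/portsentry
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      901/httpd
tcp        0      0 0.0.0.0:1524            0.0.0.0:*               LISTEN      -'

# owner_of_port PORT LISTING
# Prints the PID/Program field of the first tcp/udp socket bound to PORT,
# "-" when netstat could not see the owning process, or "none" if nothing is bound.
owner_of_port() {
    printf '%s\n' "$2" | awk -v p="$1" '
        $1 ~ /^(tcp|udp)/ {
            addr = $4; sub(/.*:/, "", addr)      # keep only the port part of "ip:port"
            if (addr == p) { print $NF; found = 1; exit }
        }
        END { if (!found) print "none" }'
}

# triage_port PORT LISTING
# Turns a chkrootkit "INFECTED (PORTS: N)" hit into a verdict an admin can act on.
triage_port() {
    owner=$(owner_of_port "$1" "$2")
    case "$owner" in
        none)         echo "port $1: nothing bound; the chkrootkit hit is stale or transient" ;;
        */portsentry) echo "port $1: bound by portsentry ($owner); expected, false positive" ;;
        -)            echo "port $1: bound by a process netstat cannot see; investigate (hidden process, or netstat not run as root)" ;;
        *)            echo "port $1: bound by $owner, not portsentry; investigate" ;;
    esac
}

# 465 is the port quoted in this thread; 1524 and 2001 are constructed cases
# (no visible owner, and nothing bound at all).
for p in 465 1524 2001; do
    triage_port "$p" "$SAMPLE_NETSTAT"
done
```

A hit whose owner is portsentry matches the thread's explanation; a hit with no visible owner is the case that deserves a closer look, since the same hidden-process condition is what the `lkm' test in the earlier posts is reporting.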
  15. Website Rob

    After doing the following upgrades:

    RedHat 7.3
    WHM 7.1.0 cPanel 7.1.5-E37
    chkrootkit 4.1

    and with portsentry turned on, you can see that the following is a normal output, although edited for brevity. ;)

    Checking `lkm'... Checking `rexedcs'... not found
    Checking `sniffer'... not tested: can't exec ./ifpromisc
    Checking `wted'... not tested: can't exec ./chkwtmp
    Checking `w55808'... not infected
    Checking `scalper'... not infected
    Checking `slapper'... not infected
    Checking `z2'... not tested: can't exec ./chklastlog

    And it is not much different from the post above, when I was running WHM 6.4.x and chkrootkit v0.39.

    Not sure why yours would show different unless you're running FreeBSD or perhaps something to do with your server setup.

  16. rpmws

    Do we really need Portsentry if we have APF or other firewalls running?

  17. MikeMc

    For example, what I said in my previous post happens on a RH 7.3 cPanel 6.4.2 S75 and on a server with RH 8.0 (cPanel 6.4.2 R79). These 2 servers are at 2 different providers and the second is a totally new machine. I already knew that the scalper warning doesn't show up on other servers that have portsentry enabled, but on these 2 servers turning off portsentry... means no warnings for scalper. I don't really know what I should think of the whole thing. :(

  18. Doctor

    Calling RPMWS!

    RPMWS, have you found the solution to this? Is this a false alarm or real? Anyone else? What should I do now?
     
