The Community Forums


Trojan horse detected ?

Discussion in 'General Discussion' started by nyjimbo, Oct 31, 2004.

  1. nyjimbo

    nyjimbo Well-Known Member

    Joined:
    Jan 25, 2003
    Messages:
    1,125
    Likes Received:
    0
    Trophy Points:
    36
    Location:
    New York
    I have been running cPanel for over a year and this morning for the first time I see this message in my email along with the normal 2am email:

    Hidden Pid detected! [pid 30848]
    hidden from ps: [yes]
    hidden from kernel: [yes]
    binary location: [/usr/local/sbin/exim-4.42-0]


    What does it mean? All the dates for the exim binaries there are weeks old. I do not see anything odd in tmp and nobody weird has gotten in through ftp or ssh for as far back as I can see.

    Nothing odd seems to be happening and nothing else I can see is different.

    Any idea why this would suddenly come up?
     
  2. dalem

    dalem Well-Known Member
    PartnerNOC

    Joined:
    Oct 24, 2003
    Messages:
    2,577
    Likes Received:
    40
    Trophy Points:
    48
    Location:
    SLC
    cPanel Access Level:
    DataCenter Provider
    Most likely your box has been rooted; a restore may be in order.


    Run rkhunter and chkrootkit to see.
     
  3. bullwinkle

    bullwinkle Active Member

    Joined:
    Aug 20, 2003
    Messages:
    26
    Likes Received:
    0
    Trophy Points:
    1
    Location:
    el paso
    They try to hide their processes so you don't know what they are doing. Get a copy of check-ps (a free download); it will show you all such processes. They have changed your ps program. Do not execute it as root. Run md5sum on it, then go to WHM, do 'install software' and find the one that has ps (might have to try several ones). When you get it, do an md5sum on it, keep the answer somewhere off the server. Then, start running tripwire.

    Oh, yeah, figure out where the bad stuff is getting in. You might have to wipe the HD and re-install.
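The cross-check behind the report's "hidden from ps" line and the off-server hash baseline from the reply above, as an added example that is not code from the thread or from check-ps; it assumes a Linux host with /proc, ps and sha256sum, and the function names are mine.

```shell
#!/bin/sh
# Added example, not code from the thread: re-create the "hidden from ps" cross-check
# (what check-ps and the 2am report do) and the off-server hash baseline from the third
# reply. Assumes a Linux host with /proc, ps and sha256sum (md5sum works the same way).

# pids_in_proc: PIDs the kernel exposes as /proc/<pid> directories, one per line
pids_in_proc() {
    for d in /proc/[0-9]*; do echo "${d#/proc/}"; done
}

# pids_from_ps: PIDs reported by the ps binary, which a rootkit may have replaced
pids_from_ps() {
    ps -eo pid= | tr -d ' '
}

# pids_only_in_first: PIDs in list $1 that are absent from list $2 (newline-separated)
pids_only_in_first() {
    { printf '%s\n' "$2" | sed 's/^/B /'; printf '%s\n' "$1" | sed 's/^/A /'; } |
        awk '$2 == "" { next } $1 == "B" { seen[$2] = 1; next } !($2 in seen) { print $2 }'
}

# report_hidden: print PIDs present in /proc but missing from ps, with their binary.
# A process hidden from the kernel itself (the report's second line) will not be in
# /proc either, so this check only catches a trojaned ps, not a kernel rootkit.
report_hidden() {
    for pid in $(pids_only_in_first "$(pids_in_proc)" "$(pids_from_ps)"); do
        # skip processes that simply exited between the two listings
        [ -d "/proc/$pid" ] || continue
        exe=$(readlink "/proc/$pid/exe" 2>/dev/null || echo unknown)
        printf 'Hidden from ps: [pid %s] binary location: [%s]\n' "$pid" "$exe"
    done
}

# verify_baseline: compare a binary's SHA-256 with the hash kept off the server;
# returns 0 when it matches, 1 when the file has been altered
verify_baseline() {
    actual=$(sha256sum "$1" | awk '{ print $1 }')
    [ "$actual" = "$2" ]
}

# Usage: sh hidden_pid_check.sh --report   (scans the live host)
if [ "${1:-}" = "--report" ]; then report_hidden; fi
```

Because the check trusts /proc, a "hidden from kernel: [yes]" result means the kernel's own view is already compromised, which is why the replies point at restoring from clean media rather than cleaning in place.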
     
