"Trojan Horses Detected" but only rsyslogd and mysqld. New server, scans shows clean

[BasicLink SA]

We have been getting the dreaded "Trojan Horses Detected by (WHM)" emails on our server, except in our case this is a brand new install of the OS and cPanel.

The only thing it finds are "Hidden Pid detected!" for /sbin/rsyslogd and /usr/sbin/mysqld.

I did a "Scan for Trojan Horses" from WHM and this is the results:

Possible Trojan - /etc/cron.daily/logrotate
Possible Trojan - /usr/sbin/pureauth
Possible Trojan - /etc/rc.d/init.d/named
Possible Trojan - /etc/rc.d/init.d/httpd

Only one of these files is an actual binary executable, the others are simple scripts and look clean.

I ran chkrootkit and rkhunter and they didn't really detect anything that shows a rootkit. I also ran the latest version of clamav that I installed from RPMs and it also showed the server clean.

I did the full provision VPS and cPanel install twice and both times this happens.

These all look like false positives.

Our server is WHM 11.30.2 (build 1) on CENTOS 6.0 x86_64 on a Linode VPS


Any ideas of what I can do to solve this will be appreciated.

Stephane

 

[mtwhelan]

Re: "Trojan Horses Detected" but only rsyslogd and mysqld. New server, scan

I am having the exact same issues with the same configuration.

Have you been able to find a solution?

Thanks,

Matt

 

[cPanelMichael]

Re: "Trojan Horses Detected" but only rsyslogd and mysqld. New server, scan

Hello

If you have determined those are false positives on a fresh installation, I suggest opening a bug report using the following URL:

Submit a Bug Report

It can be noted in the report that you feel the method of detection needs to be changed based on the false positives.

Thank you.