We have been getting the dreaded "Trojan Horses Detected by (WHM)" emails on our server, except in our case this is a brand new install of the OS and cPanel.
The only thing it finds are "Hidden Pid detected!" for /sbin/rsyslogd and /usr/sbin/mysqld.
I did a "Scan for Trojan Horses" from WHM and this is the results:
Possible Trojan - /etc/cron.daily/logrotate
Possible Trojan - /usr/sbin/pureauth
Possible Trojan - /etc/rc.d/init.d/named
Possible Trojan - /etc/rc.d/init.d/httpd
Only one of these files is an actual binary executable, the others are simple scripts and look clean.
I ran chkrootkit and rkhunter and they didn't really detect anything that shows a rootkit. I also ran the latest version of clamav that I installed from RPMs and it also showed the server clean.
I did the full provision VPS and cPanel install twice and both times this happens.
These all look like false positives.
Our server is WHM 11.30.2 (build 1) on CENTOS 6.0 x86_64 on a Linode VPS
Any ideas of what I can do to solve this will be appreciated.
Stephane
The only thing it finds are "Hidden Pid detected!" for /sbin/rsyslogd and /usr/sbin/mysqld.
I did a "Scan for Trojan Horses" from WHM and this is the results:
Possible Trojan - /etc/cron.daily/logrotate
Possible Trojan - /usr/sbin/pureauth
Possible Trojan - /etc/rc.d/init.d/named
Possible Trojan - /etc/rc.d/init.d/httpd
Only one of these files is an actual binary executable, the others are simple scripts and look clean.
I ran chkrootkit and rkhunter and they didn't really detect anything that shows a rootkit. I also ran the latest version of clamav that I installed from RPMs and it also showed the server clean.
I did the full provision VPS and cPanel install twice and both times this happens.
These all look like false positives.
Our server is WHM 11.30.2 (build 1) on CENTOS 6.0 x86_64 on a Linode VPS
Any ideas of what I can do to solve this will be appreciated.
Stephane