"Trojan Horses Detected" but only rsyslogd and mysqld. New server, scans shows clean

BasicLink SA

Member
Aug 30, 2011
13
0
51
cPanel Access Level
DataCenter Provider
We have been getting the dreaded "Trojan Horses Detected by (WHM)" emails on our server, except in our case this is a brand new install of the OS and cPanel.

The only thing it finds are "Hidden Pid detected!" for /sbin/rsyslogd and /usr/sbin/mysqld.

I did a "Scan for Trojan Horses" from WHM and this is the results:

Possible Trojan - /etc/cron.daily/logrotate
Possible Trojan - /usr/sbin/pureauth
Possible Trojan - /etc/rc.d/init.d/named
Possible Trojan - /etc/rc.d/init.d/httpd

Only one of these files is an actual binary executable, the others are simple scripts and look clean.

I ran chkrootkit and rkhunter and they didn't really detect anything that shows a rootkit. I also ran the latest version of clamav that I installed from RPMs and it also showed the server clean.

I did the full provision VPS and cPanel install twice and both times this happens.

These all look like false positives.

Our server is WHM 11.30.2 (build 1) on CENTOS 6.0 x86_64 on a Linode VPS


Any ideas of what I can do to solve this will be appreciated.

Stephane
 

mtwhelan

Registered
Sep 27, 2011
2
0
51
cPanel Access Level
Root Administrator
Re: "Trojan Horses Detected" but only rsyslogd and mysqld. New server, scan

I am having the exact same issues with the same configuration.

Have you been able to find a solution?

Thanks,

Matt
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
47,880
2,258
463
Re: "Trojan Horses Detected" but only rsyslogd and mysqld. New server, scan

Hello :)

If you have determined those are false positives on a fresh installation, I suggest opening a bug report using the following URL:

Submit a Bug Report

It can be noted in the report that you feel the method of detection needs to be changed based on the false positives.

Thank you.