Trojan Horses Detected by (WHM) after fresh install of cPanel [case 55852]

[DurkaDurak]

I have just barely installed cPanel/WHM VPS Optimized and got this email:

Does this mean that cPanel deleted necessary and important system files? Is this a bug in the current distribution? I am testing out CentOS 6 x86_64 with the latest cPanel WHM VPS Optimized on this specific system. I wonder if it has to do with cPanel and an incompatibility with the Linux 3.0.4 x86_64 kernel.

WHM 11.30.4 (build 6) [TRIAL]
CENTOS 6.0 x86_64 xenpv on vps01

*** Kernel:

Linux [HOSTNAME REMOVED] 3.0.4-x86_64-linode21 #1 SMP Thu Sep 1 21:28:01 EDT 2011 x86_64 x86_64 x86_64 GNU/Linux

Trojan Horses Detected by (WHM) on [HOSTNAME REMOVED]
    
Hidden Pid detected! [pid 1731]
       hidden from ps: [yes]
       hidden from kernel: [yes]
       binary location: [/sbin/rsyslogd (deleted)]

Hidden Pid detected! [pid 1732]
       hidden from ps: [yes]
       hidden from kernel: [yes]
       binary location: [/sbin/rsyslogd (deleted)]

Hidden Pid detected! [pid 3189]
       hidden from ps: [yes]
       hidden from kernel: [yes]
       binary location: [/usr/sbin/named]

Hidden Pid detected! [pid 3190]
       hidden from ps: [yes]
       hidden from kernel: [yes]
       binary location: [/usr/sbin/named]

Hidden Pid detected! [pid 3191]
       hidden from ps: [yes]
       hidden from kernel: [yes]
       binary location: [/usr/sbin/named]

Hidden Pid detected! [pid 3192]
       hidden from ps: [yes]
       hidden from kernel: [yes]
       binary location: [/usr/sbin/named]

Hidden Pid detected! [pid 3193]
       hidden from ps: [yes]
       hidden from kernel: [yes]
       binary location: [/usr/sbin/named]

Hidden Pid detected! [pid 3194]
       hidden from ps: [yes]
       hidden from kernel: [yes]
       binary location: [/usr/sbin/named]

Hidden Pid detected! [pid 4313]
       hidden from ps: [yes]
       hidden from kernel: [yes]
       binary location: [/usr/sbin/mysqld]

Hidden Pid detected! [pid 4314]
       hidden from ps: [yes]
       hidden from kernel: [yes]
       binary location: [/usr/sbin/mysqld]

Hidden Pid detected! [pid 4315]
       hidden from ps: [yes]
       hidden from kernel: [yes]
       binary location: [/usr/sbin/mysqld]

Hidden Pid detected! [pid 4316]
       hidden from ps: [yes]
       hidden from kernel: [yes]
       binary location: [/usr/sbin/mysqld]

Hidden Pid detected! [pid 4317]
       hidden from ps: [yes]
       hidden from kernel: [yes]
       binary location: [/usr/sbin/mysqld]

Hidden Pid detected! [pid 4318]
       hidden from ps: [yes]
       hidden from kernel: [yes]
       binary location: [/usr/sbin/mysqld]

Hidden Pid detected! [pid 4319]
       hidden from ps: [yes]
       hidden from kernel: [yes]
       binary location: [/usr/sbin/mysqld]

Hidden Pid detected! [pid 4320]
       hidden from ps: [yes]
       hidden from kernel: [yes]
       binary location: [/usr/sbin/mysqld]

Hidden Pid detected! [pid 4321]
       hidden from ps: [yes]
       hidden from kernel: [yes]
       binary location: [/usr/sbin/mysqld]

Hidden Pid detected! [pid 6976]
       hidden from ps: [yes]
       hidden from kernel: [yes]
       binary location: [/sbin/rsyslogd (deleted)]

Hidden Pid detected! [pid 22391]
       hidden from ps: [yes]
       hidden from kernel: [yes]
       binary location: [/usr/sbin/mysqld]

 

[morissette]

Re: Trojan Horses Detected by (WHM) after fresh install of cPanel VPS Optim

Those are likely false positives. Too investigate further please use lsof with the p switch and the pid in question as the argument so we can have more information to investigate. Also a ps auwx would not hurt. If you cannot investigate with that info please past them here or on a pastebin so we can assist further.

 

[DurkaDurak]

Re: Trojan Horses Detected by (WHM) after fresh install of cPanel VPS Optim

I'm going to switch my kernel back to 2.6.x from 3.0.x and see how things go.

 

[DurkaDurak]

Re: Trojan Horses Detected by (WHM) after fresh install of cPanel VPS Optim

After switching back to the 2.6.x kernel, I haven't had any more issues. It seems to be a compatibility issue using cPanel, CentOS 6, and the 3.0.x kernel (which wasn't a native part of CentOS 6).

FYI this wasn't a production machine, just a testing machine.

 

[cPanelTristan]

Re: Trojan Horses Detected by (WHM) after fresh install of cPanel VPS Optim

Just to confirm, are you hosting with Linode? They seem to be the main provider using the 3.0.x kernel for CentOS 6. We have another thread about this issue:

http://forums.cpanel.net/f5/daily-e...ta-could-not-installed-230182.html#post948351

 

[DurkaDurak]

Re: Trojan Horses Detected by (WHM) after fresh install of cPanel VPS Optim

Yes, I am. Is there anything I should know about cPanel and the Kernels they provide?

It looks like with the thread you posted, that they have identified the issue as a problem with the Perl module. (Post as of 11/11/11). Would this be a fix that could be implemented by cPanel?

 

[cPanelMichael]

Re: Trojan Horses Detected by (WHM) after fresh install of cPanel VPS Optim

Yes, I am. Is there anything I should know about cPanel and the Kernels they provide?

It looks like with the thread you posted, that they have identified the issue as a problem with the Perl module. (Post as of 11/11/11). Would this be a fix that could be implemented by cPanel?

While many customers use custom kernels without issue, cPanel is tested on standard kernels. Using a custom kernel increases the chance you will encounter problems with cPanel. If you continue to experience this issue, feel free to submit a ticket to our staff for further review:

Submit A Ticket

Thank you.

 

[cPanelDavidG]

Re: Trojan Horses Detected by (WHM) after fresh install of cPanel [case 558

This case was resolved in version 11.31.4.4 which is now propagating.

 

[cPanelDavidG]

Re: Trojan Horses Detected by (WHM) after fresh install of cPanel [case 558

This fix has now propagated to all tiers since we backported this fix to 11.30.6.3.