
Trojan Horses Detected by (WHM) after fresh install of cPanel [case 55852]

Discussion in 'General Discussion' started by DurkaDurak, Oct 13, 2011.

  1. DurkaDurak

    DurkaDurak Member

    I have just barely installed cPanel/WHM VPS Optimized and got this email:

    Does this mean that cPanel deleted necessary and important system files? Is this a bug in the current distribution? I am testing out CentOS 6 x86_64 with the latest cPanel WHM VPS Optimized on this specific system. I wonder if it has to do with cPanel and an incompatibility with the Linux 3.0.4 x86_64 kernel.

    WHM 11.30.4 (build 6) [TRIAL]
    CENTOS 6.0 x86_64 xenpv on vps01

    *** Kernel:
    Code:
    Linux [HOSTNAME REMOVED] 3.0.4-x86_64-linode21 #1 SMP Thu Sep 1 21:28:01 EDT 2011 x86_64 x86_64 x86_64 GNU/Linux
    Code:
    Trojan Horses Detected by (WHM) on [HOSTNAME REMOVED]
        
    Hidden Pid detected! [pid 1731]
           hidden from ps: [yes]
           hidden from kernel: [yes]
           binary location: [/sbin/rsyslogd (deleted)]
    
    Hidden Pid detected! [pid 1732]
           hidden from ps: [yes]
           hidden from kernel: [yes]
           binary location: [/sbin/rsyslogd (deleted)]
    
    Hidden Pid detected! [pid 3189]
           hidden from ps: [yes]
           hidden from kernel: [yes]
           binary location: [/usr/sbin/named]
    
    Hidden Pid detected! [pid 3190]
           hidden from ps: [yes]
           hidden from kernel: [yes]
           binary location: [/usr/sbin/named]
    
    Hidden Pid detected! [pid 3191]
           hidden from ps: [yes]
           hidden from kernel: [yes]
           binary location: [/usr/sbin/named]
    
    Hidden Pid detected! [pid 3192]
           hidden from ps: [yes]
           hidden from kernel: [yes]
           binary location: [/usr/sbin/named]
    
    Hidden Pid detected! [pid 3193]
           hidden from ps: [yes]
           hidden from kernel: [yes]
           binary location: [/usr/sbin/named]
    
    Hidden Pid detected! [pid 3194]
           hidden from ps: [yes]
           hidden from kernel: [yes]
           binary location: [/usr/sbin/named]
    
    Hidden Pid detected! [pid 4313]
           hidden from ps: [yes]
           hidden from kernel: [yes]
           binary location: [/usr/sbin/mysqld]
    
    Hidden Pid detected! [pid 4314]
           hidden from ps: [yes]
           hidden from kernel: [yes]
           binary location: [/usr/sbin/mysqld]
    
    Hidden Pid detected! [pid 4315]
           hidden from ps: [yes]
           hidden from kernel: [yes]
           binary location: [/usr/sbin/mysqld]
    
    Hidden Pid detected! [pid 4316]
           hidden from ps: [yes]
           hidden from kernel: [yes]
           binary location: [/usr/sbin/mysqld]
    
    Hidden Pid detected! [pid 4317]
           hidden from ps: [yes]
           hidden from kernel: [yes]
           binary location: [/usr/sbin/mysqld]
    
    Hidden Pid detected! [pid 4318]
           hidden from ps: [yes]
           hidden from kernel: [yes]
           binary location: [/usr/sbin/mysqld]
    
    Hidden Pid detected! [pid 4319]
           hidden from ps: [yes]
           hidden from kernel: [yes]
           binary location: [/usr/sbin/mysqld]
    
    Hidden Pid detected! [pid 4320]
           hidden from ps: [yes]
           hidden from kernel: [yes]
           binary location: [/usr/sbin/mysqld]
    
    Hidden Pid detected! [pid 4321]
           hidden from ps: [yes]
           hidden from kernel: [yes]
           binary location: [/usr/sbin/mysqld]
    
    Hidden Pid detected! [pid 6976]
           hidden from ps: [yes]
           hidden from kernel: [yes]
           binary location: [/sbin/rsyslogd (deleted)]
    
    Hidden Pid detected! [pid 22391]
           hidden from ps: [yes]
           hidden from kernel: [yes]
           binary location: [/usr/sbin/mysqld]
     
  2. morissette

    morissette Well-Known Member


    Those are likely false positives. To investigate further please use lsof with the p switch and the pid in question as the argument so we can have more information to investigate. Also a ps auwx would not hurt. If you cannot investigate with that info please paste them here or on a pastebin so we can assist further.
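
The triage suggested above, applied to every PID in such a report, as an added example (not part of any post in this thread and not cPanel's code). `PROC_ROOT` and the function names are assumptions of the example; it reports whether each flagged ID still exists, whether it is a thread of another process, and whether its binary is still on disk.

```shell
# Added example: triage the PIDs named in a "Hidden Pid detected!" report.
# PROC_ROOT is an assumption of this example (lets it run against a test tree).
PROC_ROOT="${PROC_ROOT:-/proc}"

# Two entries from the report in the first post, abridged, as sample input.
SAMPLE_REPORT='Hidden Pid detected! [pid 1731]
       binary location: [/sbin/rsyslogd (deleted)]
Hidden Pid detected! [pid 3190]
       binary location: [/usr/sbin/named]'

# Print the PIDs found in report text read from stdin, one per line.
report_pids() {
    sed -n 's/.*Hidden Pid detected! \[pid \([0-9][0-9]*\)].*/\1/p'
}

# Classify one PID as gone, a thread of another process, or a process,
# and say whether the file it was started from is still on disk.
triage_pid() {
    pid="$1"
    dir="$PROC_ROOT/$pid"
    if [ ! -r "$dir/status" ]; then
        echo "$pid gone"
        return 0
    fi
    # Tgid differs from the PID when the ID belongs to a thread; thread IDs
    # resolve under /proc/<id> but are not listed in /proc or by plain ps.
    tgid=$(awk '$1 == "Tgid:" {print $2}' "$dir/status")
    [ -n "$tgid" ] || tgid="$pid"
    exe=$(readlink "$dir/exe" 2>/dev/null || echo "unreadable")
    case "$exe" in
        *" (deleted)") exe_state="exe-unlinked" ;;   # file removed or replaced after start
        unreadable)    exe_state="exe-unreadable" ;; # kernel thread or no permission
        *)             exe_state="exe-present" ;;
    esac
    if [ "$tgid" != "$pid" ]; then
        echo "$pid thread-of:$tgid $exe_state $exe"
    else
        echo "$pid process $exe_state $exe"
    fi
}

# Triage every PID in a report read from stdin.
triage_report() {
    report_pids | while read -r p; do triage_pid "$p"; done
}
```

Source the file and run `triage_report < report.txt` as root; `lsof -p` and `ps auwx`, as asked for above, are the follow-up for any ID that is a full process with an unexpected binary.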
     
  3. DurkaDurak

    DurkaDurak Member


    I'm going to switch my kernel back to 2.6.x from 3.0.x and see how things go.
     
  4. DurkaDurak

    DurkaDurak Member


    After switching back to the 2.6.x kernel, I haven't had any more issues. It seems to be a compatibility issue using cPanel, CentOS 6, and the 3.0.x kernel (which wasn't a native part of CentOS 6).

    FYI this wasn't a production machine, just a testing machine.
     
  5. cPanelTristan

    cPanelTristan Quality Assurance Analyst
    Staff Member

  6. DurkaDurak

    DurkaDurak Member


    Yes, I am. Is there anything I should know about cPanel and the Kernels they provide?

    It looks like with the thread you posted, that they have identified the issue as a problem with the Perl module. (Post as of 11/11/11). Would this be a fix that could be implemented by cPanel?
     
    #6 DurkaDurak, Nov 21, 2011
    Last edited: Nov 21, 2011
  7. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member


    While many customers use custom kernels without issue, cPanel is tested on standard kernels. Using a custom kernel increases the chance you will encounter problems with cPanel. If you continue to experience this issue, feel free to submit a ticket to our staff for further review:

    Submit A Ticket

    Thank you.
     
  8. cPanelDavidG

    cPanelDavidG Technical Product Specialist


    This case was resolved in version 11.31.4.4 which is now propagating.
     
  9. cPanelDavidG

    cPanelDavidG Technical Product Specialist


    This fix has now propagated to all tiers since we backported this fix to 11.30.6.3.
     
