Trojan Horses Detected by (WHM) after fresh install of cPanel [case 55852]

DurkaDurak

I have just barely installed cPanel/WHM VPS Optimized and got this email:

Does this mean that cPanel deleted necessary and important system files? Is this a bug in the current distribution? I am testing out CentOS 6 x86_64 with the latest cPanel WHM VPS Optimized on this specific system. I wonder if it has to do with cPanel and an incompatibility with the Linux 3.0.4 x86_64 kernel.

WHM 11.30.4 (build 6) [TRIAL]
CENTOS 6.0 x86_64 xenpv on vps01

*** Kernel:
Code:
Linux [HOSTNAME REMOVED] 3.0.4-x86_64-linode21 #1 SMP Thu Sep 1 21:28:01 EDT 2011 x86_64 x86_64 x86_64 GNU/Linux
Code:
Trojan Horses Detected by (WHM) on [HOSTNAME REMOVED]
    
Hidden Pid detected! [pid 1731]
       hidden from ps: [yes]
       hidden from kernel: [yes]
       binary location: [/sbin/rsyslogd (deleted)]

Hidden Pid detected! [pid 1732]
       hidden from ps: [yes]
       hidden from kernel: [yes]
       binary location: [/sbin/rsyslogd (deleted)]

Hidden Pid detected! [pid 3189]
       hidden from ps: [yes]
       hidden from kernel: [yes]
       binary location: [/usr/sbin/named]

Hidden Pid detected! [pid 3190]
       hidden from ps: [yes]
       hidden from kernel: [yes]
       binary location: [/usr/sbin/named]

Hidden Pid detected! [pid 3191]
       hidden from ps: [yes]
       hidden from kernel: [yes]
       binary location: [/usr/sbin/named]

Hidden Pid detected! [pid 3192]
       hidden from ps: [yes]
       hidden from kernel: [yes]
       binary location: [/usr/sbin/named]

Hidden Pid detected! [pid 3193]
       hidden from ps: [yes]
       hidden from kernel: [yes]
       binary location: [/usr/sbin/named]

Hidden Pid detected! [pid 3194]
       hidden from ps: [yes]
       hidden from kernel: [yes]
       binary location: [/usr/sbin/named]

Hidden Pid detected! [pid 4313]
       hidden from ps: [yes]
       hidden from kernel: [yes]
       binary location: [/usr/sbin/mysqld]

Hidden Pid detected! [pid 4314]
       hidden from ps: [yes]
       hidden from kernel: [yes]
       binary location: [/usr/sbin/mysqld]

Hidden Pid detected! [pid 4315]
       hidden from ps: [yes]
       hidden from kernel: [yes]
       binary location: [/usr/sbin/mysqld]

Hidden Pid detected! [pid 4316]
       hidden from ps: [yes]
       hidden from kernel: [yes]
       binary location: [/usr/sbin/mysqld]

Hidden Pid detected! [pid 4317]
       hidden from ps: [yes]
       hidden from kernel: [yes]
       binary location: [/usr/sbin/mysqld]

Hidden Pid detected! [pid 4318]
       hidden from ps: [yes]
       hidden from kernel: [yes]
       binary location: [/usr/sbin/mysqld]

Hidden Pid detected! [pid 4319]
       hidden from ps: [yes]
       hidden from kernel: [yes]
       binary location: [/usr/sbin/mysqld]

Hidden Pid detected! [pid 4320]
       hidden from ps: [yes]
       hidden from kernel: [yes]
       binary location: [/usr/sbin/mysqld]

Hidden Pid detected! [pid 4321]
       hidden from ps: [yes]
       hidden from kernel: [yes]
       binary location: [/usr/sbin/mysqld]

Hidden Pid detected! [pid 6976]
       hidden from ps: [yes]
       hidden from kernel: [yes]
       binary location: [/sbin/rsyslogd (deleted)]

Hidden Pid detected! [pid 22391]
       hidden from ps: [yes]
       hidden from kernel: [yes]
       binary location: [/usr/sbin/mysqld]
 

morissette

Re: Trojan Horses Detected by (WHM) after fresh install of cPanel VPS Optim

Those are likely false positives. To investigate further, please use lsof with the p switch and the pid in question as the argument so we can have more information to investigate. Also a ps auwx would not hurt. If you cannot investigate with that info please paste them here or on a pastebin so we can assist further.
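
Added example, not part of any post in this thread and not cPanel's scanner code: alongside the `lsof -p` and `ps auwx` checks suggested above, reading `/proc/<id>/status` shows whether a flagged ID is a thread of another process rather than a process of its own, which plain `ps` would not list. That threads explain this particular report is an assumption; the function names, `PROC_ROOT` and the demo data are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify IDs that a scanner flagged as "hidden".
# PROC_ROOT is overridable so the logic can run on constructed data.
PROC_ROOT="${PROC_ROOT:-/proc}"

# status_field FIELD FILE: print one field (Name, Pid, Tgid) of a status file.
status_field() {
    awk -v key="$1:" '$1 == key { print $2; exit }' "$2"
}

# classify_id ID: print "process" (thread-group leader, listed by plain ps),
# "thread-of:<tgid>" (a thread, not listed by plain ps), or "absent".
classify_id() {
    st="$PROC_ROOT/$1/status"
    [ -r "$st" ] || { echo absent; return 0; }
    pid=$(status_field Pid "$st")
    tgid=$(status_field Tgid "$st")
    if [ "$pid" = "$tgid" ]; then echo process; else echo "thread-of:$tgid"; fi
}

# triage ID...: one tab-separated line per ID: id, kind, name, exe target.
# An exe target ending in " (deleted)" means the file on disk was unlinked
# or replaced after the process started.
triage() {
    for id in "$@"; do
        kind=$(classify_id "$id")
        name=-
        [ "$kind" = absent ] || name=$(status_field Name "$PROC_ROOT/$id/status")
        exe=$(readlink "$PROC_ROOT/$id/exe" 2>/dev/null) || exe=-
        printf '%s\t%s\t%s\t%s\n' "$id" "$kind" "$name" "$exe"
    done
}

# demo: constructed /proc-like tree (not data from the thread's server).
demo() {
    d=$(mktemp -d)
    mkdir -p "$d/3189" "$d/3190"
    printf 'Name:\tnamed\nTgid:\t3189\nPid:\t3189\n' > "$d/3189/status"
    printf 'Name:\tnamed\nTgid:\t3189\nPid:\t3190\n' > "$d/3190/status"
    ( PROC_ROOT="$d"; triage 3189 3190 4313 )
    rm -rf "$d"
}

# With IDs as arguments, inspect the live system; otherwise run the demo.
if [ "$#" -gt 0 ]; then triage "$@"; else demo; fi
```

An ID that comes back as `absent` or as a `process` that `ps` still does not list is the case that warrants the closer look with `lsof -p`.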
 

DurkaDurak


I'm going to switch my kernel back to 2.6.x from 3.0.x and see how things go.
 

DurkaDurak


After switching back to the 2.6.x kernel, I haven't had any more issues. It seems to be a compatibility issue using cPanel, CentOS 6, and the 3.0.x kernel (which wasn't a native part of CentOS 6).

FYI this wasn't a production machine, just a testing machine.
 

cPanelTristan

Quality Assurance Analyst
Staff member

DurkaDurak


Yes, I am. Is there anything I should know about cPanel and the Kernels they provide?

It looks like with the thread you posted, that they have identified the issue as a problem with the Perl module. (Post as of 11/11/11). Would this be a fix that could be implemented by cPanel?
 

cPanelMichael

Administrator
Staff member

While many customers use custom kernels without issue, cPanel is tested on standard kernels. Using a custom kernel increases the chance you will encounter problems with cPanel. If you continue to experience this issue, feel free to submit a ticket to our staff for further review:

Submit A Ticket

Thank you.