'Trojan Horses Detected by WHM' - Real or Not

metal_cd

Member
Jan 21, 2004
I have had this server for a while and never received an email alert from WHM before that stated 'Trojan Horses Detected by WHM'.
I have searched and found that some say it is a false positive.
But, I have not seen that others have had so many processes labeled as these hidden processes.

Here is the email:
Trojan Horses Detected by WHM
Hidden Pid detected! (pid 24442)
hidden from ps: (yes)
hidden from kernal: (yes)


I have chkrootkit installed and these are the results:

(~/chkrootkit-0.47)# ./chkrootkit
ROOTDIR is `/'
...(snip)...
Checking `bindshell'... INFECTED (PORTS: 465)
Checking `lkm'... You have 2 process hidden for readdir command
You have 14 process hidden for ps command
chkproc: Warning: Possible LKM Trojan installed



(~/chkrootkit-0.47)# ./chkrootkit -x lkm
ROOTDIR is `/'
###
### Output of: ./chkproc -v -v -p 1
###
PID 3703: not in ps output
CWD 3703: /
EXE 3703: /usr/sbin/named
PID 3704: not in ps output
CWD 3704: /
EXE 3704: /usr/sbin/named
PID 3705: not in ps output
CWD 3705: /
EXE 3705: /usr/sbin/named
PID 3706: not in ps output
CWD 3706: /
EXE 3706: /usr/sbin/named
PID 5347: not in ps output
CWD 5347: /var/lib/mysql
EXE 5347: /usr/sbin/mysqld
PID 5348: not in ps output
CWD 5348: /var/lib/mysql
EXE 5348: /usr/sbin/mysqld
PID 5349: not in ps output
CWD 5349: /var/lib/mysql
EXE 5349: /usr/sbin/mysqld
PID 5350: not in ps output
CWD 5350: /var/lib/mysql
EXE 5350: /usr/sbin/mysqld
PID 5354: not in ps output
CWD 5354: /var/lib/mysql
EXE 5354: /usr/sbin/mysqld
PID 5367: not in ps output
CWD 5367: /var/lib/mysql
EXE 5367: /usr/sbin/mysqld
PID 5368: not in ps output
CWD 5368: /var/lib/mysql
EXE 5368: /usr/sbin/mysqld
PID 5369: not in ps output
CWD 5369: /var/lib/mysql
EXE 5369: /usr/sbin/mysqld
PID 5370: not in ps output
CWD 5370: /var/lib/mysql
EXE 5370: /usr/sbin/mysqld
PID 5589: not in ps output
CWD 5589: /var/lib/mysql
EXE 5589: /usr/sbin/mysqld
PID 24442(/proc/24442): not in getpriority readdir output
PID 24443(/proc/24443): not in getpriority readdir output
You have 2 process hidden for readdir command
You have 14 process hidden for ps command



Does this still look like a false positive?
Like I said, I never had this before. I ran chkrootkit several times and always receive the above results.

Thank you for your input
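chkproc builds three views of the process table (a readdir of /proc, the output of ps, and a direct per-PID probe with getpriority()) and reports every PID that is in one view but not another. The two classic sources of false positives are a process that exits between two of those snapshots, and thread IDs, which the kernel answers for but never lists in /proc. The script below is an added example, not chkrootkit's code and not from the post; it reproduces the comparison and then goes one step further than chkproc by re-sampling and filtering thread IDs through /proc/<pid>/status. It assumes a Linux /proc layout and a `ps` that accepts `-eo pid=`; the sets used to check it are constructed.

```python
"""Cross-check three views of the process table, the way chkrootkit's
chkproc does, then re-sample so that short-lived processes and thread
IDs are not reported as hidden.

Added example for this thread: not chkrootkit's code and not from the
original post. Assumes a Linux /proc layout and a `ps` that accepts
`-eo pid=`. Any sample PID sets used to check it are constructed.
"""
import os
import subprocess
import time


def compare_views(proc_pids, ps_pids, probe_pids, tgid=None):
    """Pure comparison of three sets of PIDs.

    proc_pids  - PIDs obtained by listing /proc (readdir)
    ps_pids    - PIDs reported by ps
    probe_pids - PIDs that answered a getpriority() call
    tgid       - optional {pid: thread-group leader}; a thread ID is
                 never listed by readdir of /proc, so without this it
                 would count as hidden even though its leader is visible
    Returns (hidden_from_ps, hidden_from_readdir), the two counts that
    chkproc prints.
    """
    tgid = tgid or {}
    hidden_from_ps = sorted(proc_pids - ps_pids)
    hidden_from_readdir = []
    for pid in sorted(probe_pids - proc_pids):
        leader = tgid.get(pid, pid)
        if leader == pid or leader not in proc_pids:
            hidden_from_readdir.append(pid)
    return hidden_from_ps, hidden_from_readdir


def persistent(candidates_per_run):
    """PIDs flagged in every run. A process that exits between the
    /proc listing and the ps call is flagged once; a kernel-level hide
    is flagged every time."""
    runs = [set(c) for c in candidates_per_run]
    return sorted(set.intersection(*runs)) if runs else []


def list_proc():
    return {int(d) for d in os.listdir("/proc") if d.isdigit()}


def list_ps():
    out = subprocess.run(["ps", "-eo", "pid="], capture_output=True,
                         text=True, check=True).stdout
    return {int(tok) for tok in out.split()}


def probe(max_pid):
    """Ask the kernel about every PID directly, without readdir.
    getpriority() fails with ESRCH only when the PID does not exist."""
    found = set()
    for pid in range(1, max_pid + 1):
        try:
            os.getpriority(os.PRIO_PROCESS, pid)
            found.add(pid)
        except ProcessLookupError:
            pass
    return found


def thread_group(pid):
    """Tgid from /proc/<pid>/status; the directory can be opened by
    name even when readdir does not list it."""
    try:
        with open(f"/proc/{pid}/status") as f:
            for line in f:
                if line.startswith("Tgid:"):
                    return int(line.split()[1])
    except OSError:
        pass
    return pid


def describe(pid):
    """CWD/EXE lines like chkproc -v -v prints; unreadable links -> ?"""
    def link(name):
        try:
            return os.readlink(f"/proc/{pid}/{name}")
        except OSError:
            return "?"
    return f"PID {pid}: CWD {link('cwd')} EXE {link('exe')}"


def scan(runs=3, pause=0.5):
    """Repeat the comparison and keep only PIDs hidden in every run."""
    with open("/proc/sys/kernel/pid_max") as f:
        max_pid = int(f.read())      # probing millions of PIDs takes seconds
    from_ps, from_readdir = [], []
    for _ in range(runs):
        proc_pids = list_proc()
        probed = probe(max_pid)
        tgid = {p: thread_group(p) for p in probed - proc_pids}
        hp, hr = compare_views(proc_pids, list_ps(), probed, tgid)
        from_ps.append(hp)
        from_readdir.append(hr)
        time.sleep(pause)
    return persistent(from_ps), persistent(from_readdir)


if __name__ == "__main__":
    hp, hr = scan()
    print("hidden from ps in every run:", hp)
    print("hidden from readdir in every run:", hr)
    for pid in hp + hr:
        print(describe(pid))
```

Run it as root so the cwd and exe links of every process are readable. A PID that survives the intersection across runs and is not a thread of a listed process is the one worth looking at; anything that appears in only one run is the snapshot race chkproc is known for.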

metal_cd

Member
Jan 21, 2004
Installed and ran rkhunter.
Here are the results (just the warnings):

[02:15:05] /bin/egrep [ Warning ]
[02:15:05] Warning: The command '/bin/egrep' has been replaced by a script: /bin/egrep: Bourne shell script text executable
[02:15:06] /bin/fgrep [ Warning ]
[02:15:06] Warning: The command '/bin/fgrep' has been replaced by a script: /bin/fgrep: Bourne shell script text executable
[02:15:14] /usr/bin/GET [ Warning ]
[02:15:14] Warning: The command '/usr/bin/GET' has been replaced by a script: /usr/bin/GET: a /usr/bin/perl -w script text executable
[02:15:14] /usr/bin/groups [ Warning ]
[02:15:14] Warning: The command '/usr/bin/groups' has been replaced by a script: /usr/bin/groups: Bourne shell script text executable
[02:15:16] /usr/bin/ldd [ Warning ]
[02:15:16] Warning: The command '/usr/bin/ldd' has been replaced by a script: /usr/bin/ldd: Bourne shell script text executable
[02:15:24] /usr/bin/whatis [ Warning ]
[02:15:24] Warning: The command '/usr/bin/whatis' has been replaced by a script: /usr/bin/whatis: Bourne shell script text executable
[02:15:26] /sbin/ifdown [ Warning ]
[02:15:26] Warning: The command '/sbin/ifdown' has been replaced by a script: /sbin/ifdown: Bourne-Again shell script text executable
[02:15:27] /sbin/ifup [ Warning ]
[02:15:27] Warning: The command '/sbin/ifup' has been replaced by a script: /sbin/ifup: Bourne-Again shell script text executable


Performing trojan specific checks
[02:16:31] Info: Starting test name 'trojans'
[02:16:31] Info: Using inetd configuration file '/etc/inetd.conf'
[02:16:31] Checking for enabled inetd services [ Warning ]
[02:16:32] Warning: Found enabled inetd service: telnet
[02:16:32] Warning: Found enabled inetd service: talk
[02:16:32] Warning: Found enabled inetd service: ntalk
[02:16:32] Warning: Found enabled inetd service: imap
[02:16:32] Performing check for enabled xinetd services
[02:16:32] Checking '/etc/xinetd.d/cpimap' for enabled services [ Warning ]
[02:16:32] Checking '/etc/xinetd.d/ntalk' for enabled services [ Warning ]
[02:16:33] Checking '/etc/xinetd.d/pop-3' for enabled services [ Warning ]
[02:16:33] Checking '/etc/xinetd.d/talk' for enabled services [ Warning ]
[02:16:33] Checking '/etc/xinetd.d/telnet' for enabled services [ Warning ]
[02:16:33] Checking for enabled xinetd services [ Warning ]
[02:16:33] Warning: Found enabled xinetd service: /etc/xinetd.d/cpimap
[02:16:33] Warning: Found enabled xinetd service: /etc/xinetd.d/ntalk
[02:16:33] Warning: Found enabled xinetd service: /etc/xinetd.d/pop-3
[02:16:33] Warning: Found enabled xinetd service: /etc/xinetd.d/talk
[02:16:33] Warning: Found enabled xinetd service: /etc/xinetd.d/telnet


[02:17:14] Checking for SSH configuration file [ Found ]
[02:17:15] Info: Found SSH configuration file: /etc/ssh/sshd_config
[02:17:15] Info: Rkhunter option ALLOW_SSH_ROOT_USER set to 'no'.
[02:17:15] Checking if SSH root access is allowed [ Warning ]
[02:17:15] Warning: The SSH configuration option 'PermitRootLogin' has not been set.
The default value may be 'yes', to allow root access.
[02:17:15] Checking if SSH protocol v1 is allowed [ Warning ]
[02:17:15] Warning: The SSH configuration option 'Protocol' has not been set.
The default value may be '2,1', to allow the use of protocol v1.


[02:17:16] Performing filesystem checks
[02:17:16] Info: Starting test name 'filesystem'
[02:17:16] Info: SCAN_MODE_DEV set to 'THOROUGH'
[02:23:54] Checking /dev for suspicious file types [ Warning ]
[02:23:54] Warning: Suspicious files found in /dev:
[02:23:54] /dev/MAKEDEV: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), for GNU/Linux 2.2.5, dynamically linked (uses shared libs), stripped
[02:23:55] Checking for hidden files and directories [ Warning ]
[02:23:55] Warning: Hidden file found: /usr/share/man/man1/..1.gz: gzip compressed data, was "..1", from Unix, max compression
[02:23:55]



Is this bad? Or is it again just the normal output?
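The two SSH warnings above say the options have "not been set" and that the default "may be" permissive. Whether that matters depends on what sshd actually resolves the option to, and a quick eyeball of sshd_config gets this wrong in predictable ways: a commented-out line sets nothing, a keyword under a Match block does not change the global value, and when a keyword appears twice sshd keeps the first one. The script below is an added example, not rkhunter's code and not from the post, that resolves the effective value with those rules. The defaults it uses are an assumption picked to match the ones the rkhunter messages mention ('yes' and '2,1'); later OpenSSH releases ship different defaults, so pass the ones for the version in use. Both config texts are constructed.

```python
"""Work out which value sshd actually uses for options that rkhunter
reports as 'has not been set', such as PermitRootLogin and Protocol.

Added example; it is not rkhunter's code and not from the forum post.
ERA_DEFAULTS is an assumption chosen to match the defaults the rkhunter
warnings on the page mention ('yes' and '2,1'); later OpenSSH releases
ship other defaults, so pass the ones for the version in use. The
sshd_config texts below are constructed.
"""

ERA_DEFAULTS = {"PermitRootLogin": "yes", "Protocol": "2,1"}


def effective_options(config_text, defaults):
    """Map lower-cased keyword -> (value, 'config' or 'default').

    Rules applied: keywords are case-insensitive, '#' starts a comment,
    the first occurrence of a keyword wins, and lines after a Match
    keyword apply only to matching connections, so they never change
    the global value rkhunter is asking about.
    """
    effective = {k.lower(): (v, "default") for k, v in defaults.items()}
    seen = set()
    in_match = False
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        # sshd accepts "Keyword value" and "Keyword=value"
        parts = line.replace("=", " ", 1).split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            in_match = True      # runs until the next Match or end of file
            continue
        if in_match or key in seen:
            continue
        seen.add(key)
        effective[key] = (value, "config")
    return effective


def audit(config_text, defaults=ERA_DEFAULTS):
    """Return the findings rkhunter's SSH test would raise, with the
    source of each value, so a commented-out line is not mistaken for
    a setting."""
    eff = effective_options(config_text, defaults)
    findings = []
    value, src = eff["permitrootlogin"]
    if value.lower() == "yes":
        findings.append(f"PermitRootLogin is yes ({src})")
    value, src = eff["protocol"]
    if "1" in [v.strip() for v in value.split(",")]:
        findings.append(f"Protocol allows v1: {value} ({src})")
    return findings


# Constructed: looks hardened at a glance but sets nothing globally.
UNSET_CONFIG = """\
Port 22
#PermitRootLogin no
Match User backup
    PermitRootLogin no
    Protocol 2
"""

# Constructed: explicit global values; the second PermitRootLogin line
# is ignored because sshd keeps the first value it sees.
HARDENED_CONFIG = """\
Protocol 2
PermitRootLogin no
PermitRootLogin yes
"""

if __name__ == "__main__":
    for name, text in (("unset", UNSET_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit(text) or ["no findings"])
```

Point `audit()` at the contents of /etc/ssh/sshd_config to see whether the "not been set" warning is cosmetic or real on a given host; the "(default)" or "(config)" tag in each finding tells you which line, if any, to change.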