
'Trojan Horses Detected by WHM' - Real or Not

Discussion in 'General Discussion' started by metal_cd, Dec 16, 2007.

  1. metal_cd

    metal_cd Member

    I have had this server for a while and never received an email alert from WHM before that stated 'Trojan Horses Detected by WHM'.
    I have searched and found that some say it is a false positive.
    But I have not seen that others have had so many processes labeled as these hidden processes.

    Here is the email:
    Trojan Horses Detected by WHM
    Hidden Pid detected! (pid 24442)
    hidden from ps: (yes)
    hidden from kernal: (yes)


    I have chkrootkit installed and these are the results:

    (~/chkrootkit-0.47)# ./chkrootkit
    ROOTDIR is `/'
    ...(snip)...
    Checking `bindshell'... INFECTED (PORTS: 465)
    Checking `lkm'... You have 2 process hidden for readdir command
    You have 14 process hidden for ps command
    chkproc: Warning: Possible LKM Trojan installed



    (~/chkrootkit-0.47)# ./chkrootkit -x lkm
    ROOTDIR is `/'
    ###
    ### Output of: ./chkproc -v -v -p 1
    ###
    PID 3703: not in ps output
    CWD 3703: /
    EXE 3703: /usr/sbin/named
    PID 3704: not in ps output
    CWD 3704: /
    EXE 3704: /usr/sbin/named
    PID 3705: not in ps output
    CWD 3705: /
    EXE 3705: /usr/sbin/named
    PID 3706: not in ps output
    CWD 3706: /
    EXE 3706: /usr/sbin/named
    PID 5347: not in ps output
    CWD 5347: /var/lib/mysql
    EXE 5347: /usr/sbin/mysqld
    PID 5348: not in ps output
    CWD 5348: /var/lib/mysql
    EXE 5348: /usr/sbin/mysqld
    PID 5349: not in ps output
    CWD 5349: /var/lib/mysql
    EXE 5349: /usr/sbin/mysqld
    PID 5350: not in ps output
    CWD 5350: /var/lib/mysql
    EXE 5350: /usr/sbin/mysqld
    PID 5354: not in ps output
    CWD 5354: /var/lib/mysql
    EXE 5354: /usr/sbin/mysqld
    PID 5367: not in ps output
    CWD 5367: /var/lib/mysql
    EXE 5367: /usr/sbin/mysqld
    PID 5368: not in ps output
    CWD 5368: /var/lib/mysql
    EXE 5368: /usr/sbin/mysqld
    PID 5369: not in ps output
    CWD 5369: /var/lib/mysql
    EXE 5369: /usr/sbin/mysqld
    PID 5370: not in ps output
    CWD 5370: /var/lib/mysql
    EXE 5370: /usr/sbin/mysqld
    PID 5589: not in ps output
    CWD 5589: /var/lib/mysql
    EXE 5589: /usr/sbin/mysqld
    PID 24442(/proc/24442): not in getpriority readdir output
    PID 24443(/proc/24443): not in getpriority readdir output
    You have 2 process hidden for readdir command
    You have 14 process hidden for ps command



    Does this still look like a false positive?
    Like I said, I never had this before. I ran chkrootkit several times and always receive the above results.

    Thank you for your input.
     
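As an added triage example (not code from this thread, from cPanel or from chkrootkit): the script below reproduces the comparison chkproc makes, treating a PID that is reachable under /proc but absent from readdir(/proc) or from `ps` as hidden, and then reads /proc/<pid>/status to separate threads of a process `ps` does list (Tgid differs from Pid) from PIDs that nothing accounts for. The sample data is constructed to resemble the output above, and the pid_max default of 32768 is an assumption; `live_snapshot()` needs root to see every /proc entry on a real host.

```python
import os
import re
import subprocess


def parse_status(text):
    """Pull Name, Pid and Tgid out of a /proc/<pid>/status document."""
    f = dict(re.findall(r"^(\w+):\s*(.*)$", text, re.M))
    return {"name": f.get("Name", "?"), "pid": int(f["Pid"]), "tgid": int(f["Tgid"])}


def classify_hidden(candidates, readdir_pids, ps_pids, status_by_pid):
    """{pid: (views missing it, verdict)} for each reachable PID readdir or ps omits."""
    report = {}
    for pid in sorted(candidates):
        missing = tuple(n for n, s in (("readdir", readdir_pids), ("ps", ps_pids))
                        if pid not in s)
        if not missing:
            continue
        st = status_by_pid.get(pid)
        if st is None:
            verdict = "vanished"       # exited between snapshots: re-run the check
        elif st["tgid"] != pid and st["tgid"] in ps_pids:
            verdict = f"thread of visible pid {st['tgid']} ({st['name']})"
        else:
            verdict = "unexplained"    # nothing accounts for it: investigate
        report[pid] = (missing, verdict)
    return report


def live_snapshot(pid_max=32768):
    """Three views of a live Linux host (run as root). 32768 is the classic pid_max."""
    ps = subprocess.run(["ps", "-eo", "pid="], capture_output=True, text=True).stdout
    status = {}
    for pid in range(1, pid_max + 1):  # probe /proc/<pid> directly, as chkproc does
        try:
            with open(f"/proc/{pid}/status") as fh:
                status[pid] = parse_status(fh.read())
        except OSError:
            pass
    readdir_pids = {int(d) for d in os.listdir("/proc") if d.isdigit()}
    return set(status), readdir_pids, {int(p) for p in ps.split()}, status


# Constructed sample modelled on the thread: a mysqld thread is in readdir but not ps,
# and one PID is reachable under /proc but listed by neither readdir nor ps.
SAMPLE_STATUS = {5346: "Name:\tmysqld\nPid:\t5346\nTgid:\t5346\n",
                 5347: "Name:\tmysqld\nPid:\t5347\nTgid:\t5346\n",
                 24442: "Name:\texample\nPid:\t24442\nTgid:\t24442\n"}
SAMPLE_READDIR, SAMPLE_PS = {1, 5300, 5346, 5347}, {1, 5300, 5346}
```

Run `classify_hidden(*live_snapshot())` twice on a host; short-lived processes that start or exit during the scan show up once and disappear, while a PID that stays "unexplained" across runs is the one worth looking at.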
  2. metal_cd

    metal_cd Member

    Anyone?

    Thanks
     
  3. verdon

    verdon Well-Known Member

    I don't get most of those either. Have you tried running rkhunter too?
     
  4. metal_cd

    metal_cd Member

    Installed and ran rkhunter.
    Here are the results (just the warnings):

    [02:15:05] /bin/egrep [ Warning ]
    [02:15:05] Warning: The command '/bin/egrep' has been replaced by a script: /bin/egrep: Bourne shell script text executable
    [02:15:06] /bin/fgrep [ Warning ]
    [02:15:06] Warning: The command '/bin/fgrep' has been replaced by a script: /bin/fgrep: Bourne shell script text executable
    [02:15:14] /usr/bin/GET [ Warning ]
    [02:15:14] Warning: The command '/usr/bin/GET' has been replaced by a script: /usr/bin/GET: a /usr/bin/perl -w script text executable
    [02:15:14] /usr/bin/groups [ Warning ]
    [02:15:14] Warning: The command '/usr/bin/groups' has been replaced by a script: /usr/bin/groups: Bourne shell script text executable
    [02:15:16] /usr/bin/ldd [ Warning ]
    [02:15:16] Warning: The command '/usr/bin/ldd' has been replaced by a script: /usr/bin/ldd: Bourne shell script text executable
    [02:15:24] /usr/bin/whatis [ Warning ]
    [02:15:24] Warning: The command '/usr/bin/whatis' has been replaced by a script: /usr/bin/whatis: Bourne shell script text executable
    [02:15:26] /sbin/ifdown [ Warning ]
    [02:15:26] Warning: The command '/sbin/ifdown' has been replaced by a script: /sbin/ifdown: Bourne-Again shell script text executable
    [02:15:27] /sbin/ifup [ Warning ]
    [02:15:27] Warning: The command '/sbin/ifup' has been replaced by a script: /sbin/ifup: Bourne-Again shell script text executable


    Performing trojan specific checks
    [02:16:31] Info: Starting test name 'trojans'
    [02:16:31] Info: Using inetd configuration file '/etc/inetd.conf'
    [02:16:31] Checking for enabled inetd services [ Warning ]
    [02:16:32] Warning: Found enabled inetd service: telnet
    [02:16:32] Warning: Found enabled inetd service: talk
    [02:16:32] Warning: Found enabled inetd service: ntalk
    [02:16:32] Warning: Found enabled inetd service: imap
    [02:16:32] Performing check for enabled xinetd services
    [02:16:32] Checking '/etc/xinetd.d/cpimap' for enabled services [ Warning ]
    [02:16:32] Checking '/etc/xinetd.d/ntalk' for enabled services [ Warning ]
    [02:16:33] Checking '/etc/xinetd.d/pop-3' for enabled services [ Warning ]
    [02:16:33] Checking '/etc/xinetd.d/talk' for enabled services [ Warning ]
    [02:16:33] Checking '/etc/xinetd.d/telnet' for enabled services [ Warning ]
    [02:16:33] Checking for enabled xinetd services [ Warning ]
    [02:16:33] Warning: Found enabled xinetd service: /etc/xinetd.d/cpimap
    [02:16:33] Warning: Found enabled xinetd service: /etc/xinetd.d/ntalk
    [02:16:33] Warning: Found enabled xinetd service: /etc/xinetd.d/pop-3
    [02:16:33] Warning: Found enabled xinetd service: /etc/xinetd.d/talk
    [02:16:33] Warning: Found enabled xinetd service: /etc/xinetd.d/telnet


    [02:17:14] Checking for SSH configuration file [ Found ]
    [02:17:15] Info: Found SSH configuration file: /etc/ssh/sshd_config
    [02:17:15] Info: Rkhunter option ALLOW_SSH_ROOT_USER set to 'no'.
    [02:17:15] Checking if SSH root access is allowed [ Warning ]
    [02:17:15] Warning: The SSH configuration option 'PermitRootLogin' has not been set.
    The default value may be 'yes', to allow root access.
    [02:17:15] Checking if SSH protocol v1 is allowed [ Warning ]
    [02:17:15] Warning: The SSH configuration option 'Protocol' has not been set.
    The default value may be '2,1', to allow the use of protocol v1.


    [02:17:16] Performing filesystem checks
    [02:17:16] Info: Starting test name 'filesystem'
    [02:17:16] Info: SCAN_MODE_DEV set to 'THOROUGH'
    [02:23:54] Checking /dev for suspicious file types [ Warning ]
    [02:23:54] Warning: Suspicious files found in /dev:
    [02:23:54] /dev/MAKEDEV: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), for GNU/Linux 2.2.5, dynamically linked (uses shared libs), stripped
    [02:23:55] Checking for hidden files and directories [ Warning ]
    [02:23:55] Warning: Hidden file found: /usr/share/man/man1/..1.gz: gzip compressed data, was "..1", from Unix, max compression
    [02:23:55]



    Is this bad, or again just the normal output?
     
