The Community Forums


'Trojan Horses Detected by WHM' - Real or Not

Discussion in 'General Discussion' started by metal_cd, Dec 16, 2007.

  1. metal_cd

    metal_cd Member

    Joined:
    Jan 21, 2004
    Messages:
    23
    Likes Received:
    0
    Trophy Points:
    1
    I have had this server for a while and never received an email alert from WHM before that stated 'Trojan Horses Detected by WHM'.
    I have searched and found that some say it is a false positive.
    But, I have not seen that others have had so many processes labeled as these hidden processes.

    Here is the email:
    Trojan Horses Detected by WHM
    Hidden Pid detected! (pid 24442)
    hidden from ps: (yes)
    hidden from kernal: (yes)


    I have chkrootkit installed and these are the results:

    (~/chkrootkit-0.47)# ./chkrootkit
    ROOTDIR is `/'
    ...(snip)...
    Checking `bindshell'... INFECTED (PORTS: 465)
    Checking `lkm'... You have 2 process hidden for readdir command
    You have 14 process hidden for ps command
    chkproc: Warning: Possible LKM Trojan installed



    (~/chkrootkit-0.47)# ./chkrootkit -x lkm
    ROOTDIR is `/'
    ###
    ### Output of: ./chkproc -v -v -p 1
    ###
    PID 3703: not in ps output
    CWD 3703: /
    EXE 3703: /usr/sbin/named
    PID 3704: not in ps output
    CWD 3704: /
    EXE 3704: /usr/sbin/named
    PID 3705: not in ps output
    CWD 3705: /
    EXE 3705: /usr/sbin/named
    PID 3706: not in ps output
    CWD 3706: /
    EXE 3706: /usr/sbin/named
    PID 5347: not in ps output
    CWD 5347: /var/lib/mysql
    EXE 5347: /usr/sbin/mysqld
    PID 5348: not in ps output
    CWD 5348: /var/lib/mysql
    EXE 5348: /usr/sbin/mysqld
    PID 5349: not in ps output
    CWD 5349: /var/lib/mysql
    EXE 5349: /usr/sbin/mysqld
    PID 5350: not in ps output
    CWD 5350: /var/lib/mysql
    EXE 5350: /usr/sbin/mysqld
    PID 5354: not in ps output
    CWD 5354: /var/lib/mysql
    EXE 5354: /usr/sbin/mysqld
    PID 5367: not in ps output
    CWD 5367: /var/lib/mysql
    EXE 5367: /usr/sbin/mysqld
    PID 5368: not in ps output
    CWD 5368: /var/lib/mysql
    EXE 5368: /usr/sbin/mysqld
    PID 5369: not in ps output
    CWD 5369: /var/lib/mysql
    EXE 5369: /usr/sbin/mysqld
    PID 5370: not in ps output
    CWD 5370: /var/lib/mysql
    EXE 5370: /usr/sbin/mysqld
    PID 5589: not in ps output
    CWD 5589: /var/lib/mysql
    EXE 5589: /usr/sbin/mysqld
    PID 24442(/proc/24442): not in getpriority readdir output
    PID 24443(/proc/24443): not in getpriority readdir output
    You have 2 process hidden for readdir command
    You have 14 process hidden for ps command



    Does this still look like a false positive?
    Like I said, I never had this before. I ran chkrootkit several times and always receive the above results.

    Thank you for your input
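The chkproc listing above is built from pids that exist in /proc but are missing from ps output. As an added example (not code from the thread, from WHM or from chkrootkit), the Python script below resolves each such pid through the Tgid field of /proc/<pid>/status. Thread ids of a threaded daemon such as named or mysqld can be opened under /proc even though ps without -L does not print them, and chkproc-style pid brute forcing turns those up as "hidden"; a thread whose Tgid is a pid that ps does report is benign, while a pid whose Tgid is itself and which ps cannot see is the case worth investigating. The function names, verdict strings and sample input are this example's own.

```python
"""Triage a 'hidden pid' report by resolving each candidate through /proc.

Added example (not code from the thread, chkrootkit or WHM). Every pid that
is stat-able under /proc but absent from `ps` output is a candidate, and each
candidate is explained using the Tgid field of /proc/<pid>/status.
"""
import os
import re
import subprocess

PROC = "/proc"

# Lines as printed by `chkproc -v -v`, in both of the forms pasted in the thread.
PID_LINE = re.compile(r"^PID (\d+).*: not in (ps output|getpriority readdir)")
EXE_LINE = re.compile(r"^EXE (\d+): (\S+)")


def parse_chkproc(text):
    """Return {pid: exe_path_or_None} from chkproc verbose output."""
    pids = {}
    for line in text.splitlines():
        line = line.strip()
        m = PID_LINE.match(line)
        if m:
            pids.setdefault(int(m.group(1)), None)
            continue
        m = EXE_LINE.match(line)
        if m:
            pids[int(m.group(1))] = m.group(2)
    return pids


def classify(candidates, ps_pids, tgid_of):
    """Explain each candidate pid.

    candidates: pids present in /proc but not in ps output
    ps_pids:    set of pids that ps reported
    tgid_of:    mapping pid -> Tgid from /proc/<pid>/status (None if the entry vanished)
    """
    verdicts = {}
    for pid in candidates:
        tgid = tgid_of.get(pid)
        if tgid is None:
            verdicts[pid] = "gone"                       # exited between snapshots: a race, not hiding
        elif tgid == pid:
            verdicts[pid] = "hidden"                     # a real process ps cannot see: investigate
        elif tgid in ps_pids:
            verdicts[pid] = f"thread of {tgid}"          # thread of a visible process: benign
        else:
            verdicts[pid] = f"thread of hidden {tgid}"   # its thread group is hidden too: investigate
    return verdicts


def read_tgid(pid):
    """Tgid from /proc/<pid>/status, or None when the entry no longer exists."""
    try:
        with open(f"{PROC}/{pid}/status") as fh:
            for line in fh:
                if line.startswith("Tgid:"):
                    return int(line.split()[1])
    except OSError:
        return None
    return None


def live_scan():
    """Brute-force the pid space the way chkproc does: thread ids are stat-able
    under /proc even though readdir on /proc does not list them."""
    with open(f"{PROC}/sys/kernel/pid_max") as fh:
        pid_max = int(fh.read())
    ps = subprocess.run(["ps", "-eo", "pid="], capture_output=True, text=True, check=True)
    ps_pids = {int(p) for p in ps.stdout.split()}
    candidates = [p for p in range(1, pid_max + 1)
                  if p not in ps_pids and os.path.exists(f"{PROC}/{p}")]
    return classify(candidates, ps_pids, {p: read_tgid(p) for p in candidates})


if __name__ == "__main__":
    for pid, verdict in sorted(live_scan().items()):
        print(pid, verdict)
```

Run as root so every /proc entry is readable; the full pid range walk takes a few seconds on a host with a large pid_max. Only pids that come back as "hidden" or "thread of hidden ..." need a closer look (compare /proc/<pid>/exe and /proc/<pid>/maps against the owning package), and a second run tells a transient "gone" apart from anything persistent.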
     
  2. metal_cd

    metal_cd Member

    Joined:
    Jan 21, 2004
    Messages:
    23
    Likes Received:
    0
    Trophy Points:
    1
    Anyone?

    Thanks
     
  3. verdon

    verdon Well-Known Member

    Joined:
    Nov 1, 2003
    Messages:
    836
    Likes Received:
    2
    Trophy Points:
    18
    Location:
    Northern Ontario, Canada
    cPanel Access Level:
    Root Administrator
    I don't get most of those either. Have you tried running rkhunter too?
     
  4. metal_cd

    metal_cd Member

    Joined:
    Jan 21, 2004
    Messages:
    23
    Likes Received:
    0
    Trophy Points:
    1
    Installed and ran rkhunter.
    Here are the results (just the warnings):

    [02:15:05] /bin/egrep [ Warning ]
    [02:15:05] Warning: The command '/bin/egrep' has been replaced by a script: /bin/egrep: Bourne shell script text executable
    [02:15:06] /bin/fgrep [ Warning ]
    [02:15:06] Warning: The command '/bin/fgrep' has been replaced by a script: /bin/fgrep: Bourne shell script text executable
    [02:15:14] /usr/bin/GET [ Warning ]
    [02:15:14] Warning: The command '/usr/bin/GET' has been replaced by a script: /usr/bin/GET: a /usr/bin/perl -w script text executable
    [02:15:14] /usr/bin/groups [ Warning ]
    [02:15:14] Warning: The command '/usr/bin/groups' has been replaced by a script: /usr/bin/groups: Bourne shell script text executable
    [02:15:16] /usr/bin/ldd [ Warning ]
    [02:15:16] Warning: The command '/usr/bin/ldd' has been replaced by a script: /usr/bin/ldd: Bourne shell script text executable
    [02:15:24] /usr/bin/whatis [ Warning ]
    [02:15:24] Warning: The command '/usr/bin/whatis' has been replaced by a script: /usr/bin/whatis: Bourne shell script text executable
    [02:15:26] /sbin/ifdown [ Warning ]
    [02:15:26] Warning: The command '/sbin/ifdown' has been replaced by a script: /sbin/ifdown: Bourne-Again shell script text executable
    [02:15:27] /sbin/ifup [ Warning ]
    [02:15:27] Warning: The command '/sbin/ifup' has been replaced by a script: /sbin/ifup: Bourne-Again shell script text executable


    Performing trojan specific checks
    [02:16:31] Info: Starting test name 'trojans'
    [02:16:31] Info: Using inetd configuration file '/etc/inetd.conf'
    [02:16:31] Checking for enabled inetd services [ Warning ]
    [02:16:32] Warning: Found enabled inetd service: telnet
    [02:16:32] Warning: Found enabled inetd service: talk
    [02:16:32] Warning: Found enabled inetd service: ntalk
    [02:16:32] Warning: Found enabled inetd service: imap
    [02:16:32] Performing check for enabled xinetd services
    [02:16:32] Checking '/etc/xinetd.d/cpimap' for enabled services [ Warning ]
    [02:16:32] Checking '/etc/xinetd.d/ntalk' for enabled services [ Warning ]
    [02:16:33] Checking '/etc/xinetd.d/pop-3' for enabled services [ Warning ]
    [02:16:33] Checking '/etc/xinetd.d/talk' for enabled services [ Warning ]
    [02:16:33] Checking '/etc/xinetd.d/telnet' for enabled services [ Warning ]
    [02:16:33] Checking for enabled xinetd services [ Warning ]
    [02:16:33] Warning: Found enabled xinetd service: /etc/xinetd.d/cpimap
    [02:16:33] Warning: Found enabled xinetd service: /etc/xinetd.d/ntalk
    [02:16:33] Warning: Found enabled xinetd service: /etc/xinetd.d/pop-3
    [02:16:33] Warning: Found enabled xinetd service: /etc/xinetd.d/talk
    [02:16:33] Warning: Found enabled xinetd service: /etc/xinetd.d/telnet


    [02:17:14] Checking for SSH configuration file [ Found ]
    [02:17:15] Info: Found SSH configuration file: /etc/ssh/sshd_config
    [02:17:15] Info: Rkhunter option ALLOW_SSH_ROOT_USER set to 'no'.
    [02:17:15] Checking if SSH root access is allowed [ Warning ]
    [02:17:15] Warning: The SSH configuration option 'PermitRootLogin' has not been set.
    The default value may be 'yes', to allow root access.
    [02:17:15] Checking if SSH protocol v1 is allowed [ Warning ]
    [02:17:15] Warning: The SSH configuration option 'Protocol' has not been set.
    The default value may be '2,1', to allow the use of protocol v1.


    [02:17:16] Performing filesystem checks
    [02:17:16] Info: Starting test name 'filesystem'
    [02:17:16] Info: SCAN_MODE_DEV set to 'THOROUGH'
    [02:23:54] Checking /dev for suspicious file types [ Warning ]
    [02:23:54] Warning: Suspicious files found in /dev:
    [02:23:54] /dev/MAKEDEV: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), for GNU/Linux 2.2.5, dynamically linked (uses shared libs), stripped
    [02:23:55] Checking for hidden files and directories [ Warning ]
    [02:23:55] Warning: Hidden file found: /usr/share/man/man1/..1.gz: gzip compressed data, was "..1", from Unix, max compression
    [02:23:55]



    Is this bad, or again just the normal output?
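The rkhunter output above mixes several kinds of warning that are settled in different ways: a command "replaced by a script" is answered by the package manager, enabled inetd/xinetd services and unset sshd options are configuration decisions, and the /dev and hidden-file hits need the file's origin checked. As an added example (not code from the thread or from rkhunter), the Python script below groups the warning lines by category and attaches the check that confirms each one. The categories, the VERIFY hints, the sample log and the helper names are this example's own assumptions.

```python
"""Group rkhunter warnings by category and attach the check that settles each one.

Added example, not from the thread or from rkhunter. The regexes target the
message wording rkhunter printed in the thread; categories and hints are assumed.
"""
import re
import shutil
import subprocess
from collections import defaultdict

WARNING = re.compile(r"^\[\d\d:\d\d:\d\d\]\s+Warning:\s+(?P<msg>.*)$")

# (category, pattern that pulls out the item the warning is about); first match wins.
RULES = [
    ("replaced_by_script", re.compile(r"command '(?P<item>[^']+)' has been replaced by a script")),
    ("inetd_service",      re.compile(r"enabled inetd service: (?P<item>\S+)")),
    ("xinetd_service",     re.compile(r"enabled xinetd service: (?P<item>\S+)")),
    ("ssh_config",         re.compile(r"SSH configuration option '(?P<item>[^']+)' has not been set")),
    ("hidden_file",        re.compile(r"Hidden file found: (?P<item>[^:]+):")),
    ("dev_files",          re.compile(r"Suspicious files found in (?P<item>/dev)")),
]

# Assumed guidance: how an admin settles each category instead of guessing.
VERIFY = {
    "replaced_by_script": "check the file against its package (rpm -Vf PATH or dpkg -V); a script shipped by the package is fine, a modified or unowned file is not",
    "inetd_service":      "disable legacy plaintext services you do not need (telnet, talk, ntalk) in /etc/inetd.conf",
    "xinetd_service":     "review each /etc/xinetd.d entry and keep only services the host is meant to offer",
    "ssh_config":         "set the option explicitly in /etc/ssh/sshd_config (PermitRootLogin no, Protocol 2) so the default stops mattering",
    "hidden_file":        "find the owning package and inspect the contents; an unowned dot-dot name is worth a look",
    "dev_files":          "confirm the file belongs to a package (rpm -qf /dev/MAKEDEV) before treating it as foreign",
}


def triage(log_text):
    """Return {category: [items]} for every 'Warning:' line in log_text."""
    groups = defaultdict(list)
    for raw in log_text.splitlines():
        m = WARNING.match(raw.strip())
        if not m:
            continue                 # progress lines and wrapped continuation text are skipped
        msg = m.group("msg")
        for cat, pat in RULES:
            hit = pat.search(msg)
            if hit:
                groups[cat].append(hit.group("item"))
                break
        else:
            groups["other"].append(msg)
    return dict(groups)


def file_kind(head):
    """Classify a file from its leading bytes: the distinction rkhunter draws."""
    if head.startswith(b"\x7fELF"):
        return "elf"
    if head.startswith(b"#!"):
        return "script"
    return "other"


def package_verifies(path):
    """True when `rpm -Vf` prints nothing and exits 0, i.e. the package's copy is intact.
    Returns None on hosts without rpm."""
    if shutil.which("rpm") is None:
        return None
    r = subprocess.run(["rpm", "-Vf", path], capture_output=True, text=True)
    return r.returncode == 0 and r.stdout.strip() == ""


def report(log_text):
    """Rows of (category, item, verification hint) for a log."""
    return [(cat, item, VERIFY.get(cat, "inspect manually"))
            for cat, items in triage(log_text).items() for item in items]


# Constructed sample in the shape of the thread's rkhunter log.
SAMPLE_LOG = """\
[02:15:05] /bin/egrep [ Warning ]
[02:15:05] Warning: The command '/bin/egrep' has been replaced by a script: /bin/egrep: Bourne shell script text executable
[02:16:32] Warning: Found enabled inetd service: telnet
[02:16:33] Warning: Found enabled xinetd service: /etc/xinetd.d/cpimap
[02:17:15] Warning: The SSH configuration option 'PermitRootLogin' has not been set.
The default value may be 'yes', to allow root access.
[02:23:54] Warning: Suspicious files found in /dev:
[02:23:55] Warning: Hidden file found: /usr/share/man/man1/..1.gz: gzip compressed data, was "..1", from Unix, max compression
"""

if __name__ == "__main__":
    for cat, item, hint in report(SAMPLE_LOG):
        print(f"{cat:20} {item:32} -> {hint}")
```

Feed it the real log with `triage(open("/var/log/rkhunter.log").read())`; on an RPM host, `package_verifies(path)` for each replaced_by_script item turns that whole category into a yes/no answer, and file_kind(open(path, "rb").read(4)) confirms what rkhunter saw.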
     
