Trojan Horses Detected by (WHM)

Are you running a stable or release/edge version ?

I am running Release on Fedora and last week all three servers started doing the same thing you are describing, so it's most likely a false alarm. Just curious if we are using similar software revisions ?!?

 

same problem...

WHM 8.6.0 cPanel 8.7.0-R104
RedHat Enterprise 3 - WHM X v2.1.2

anyone know about this?

 

Same Problems Here:

WHM 8.5.1
Cpanel 8.5.3-S3

 

same here: WHM 8.8.0 cPanel 8.8.0-R05
RedHat Enterprise 3 - WHM X v2.1.2

 

but *NOT* on WHM 8.8.0 cPanel 8.8.0-R10
RedHat Enterprise 3 - WHM X v2.1.2 ... at least not so far...

correction:

I did not get the automatic message after I upgraded to cPanel 8.8.0 R10 BUT I got all those "possible trojan detected" messages when I started the Security/Scan for Trojan Horses test....:

 

WHM 8.8.0 cPanel 8.8.0-R63
Fedora - WHM X v2.1.2


Started simply when I installed Fedora.

 

I had the identical problem. I deleted the 'named' file then reinstalled bind and all the messages stopped.

 

It's not really a trojan, and you probably shouldn't have deleted the named file. Don't trust or rely on WHM's trojan scan, get chkrootkit & use that instead. It takes about 30 seconds, and is actually accurate.

- Matt

 

I got a bunch saying the same thing:

Hidden Pid detected! [pid 25500]
hidden from ps: [yes]
binary location: [/usr/bin/stunnel-4.04local]

Hidden Pid detected! [pid 25923]
hidden from ps: [yes]
binary location: [/usr/sbin/named]

Hidden Pid detected! [pid 26010]
hidden from ps: [yes]
binary location: [/usr/sbin/mysqld]


I got probably about 4 named and 6 sql pids detected each time, and its starting to get anoying that it keeps sendnig me emails about it when It should know these are not trojans. I just got my OS installed the other day (yesterday I think) and its already coming up with this?

Just kinda funny I guess.