Trojan Horses Detected by (WHM)

DreamPhysix · Dec 24, 2011

I received an email from my cpanel server titled Trojan Horses Detected by (WHM) containing the following:

Hidden Pid detected! [pid 1876]
hidden from ps: [yes]
hidden from kernel: [yes]
binary location: [/sbin/rsyslogd]

Hidden Pid detected! [pid 1877]
hidden from ps: [yes]
hidden from kernel: [yes]
binary location: [/sbin/rsyslogd]

Hidden Pid detected! [pid 1897]
hidden from ps: [yes]
hidden from kernel: [yes]
binary location: [/usr/sbin/named]

Hidden Pid detected! [pid 1898]
hidden from ps: [yes]
hidden from kernel: [yes]
binary location: [/usr/sbin/named]

Hidden Pid detected! [pid 1899]
hidden from ps: [yes]
hidden from kernel: [yes]
binary location: [/usr/sbin/named]

Hidden Pid detected! [pid 1900]
hidden from ps: [yes]
hidden from kernel: [yes]
binary location: [/usr/sbin/named]

Hidden Pid detected! [pid 1901]
hidden from ps: [yes]
hidden from kernel: [yes]
binary location: [/usr/sbin/named]

Hidden Pid detected! [pid 1902]
hidden from ps: [yes]
hidden from kernel: [yes]
binary location: [/usr/sbin/named]

Hidden Pid detected! [pid 2002]
hidden from ps: [yes]
hidden from kernel: [yes]
binary location: [/usr/sbin/mysqld]

Hidden Pid detected! [pid 2003]
hidden from ps: [yes]
hidden from kernel: [yes]
binary location: [/usr/sbin/mysqld]

Hidden Pid detected! [pid 2004]
hidden from ps: [yes]
hidden from kernel: [yes]
binary location: [/usr/sbin/mysqld]

Hidden Pid detected! [pid 2005]
hidden from ps: [yes]
hidden from kernel: [yes]
binary location: [/usr/sbin/mysqld]

Hidden Pid detected! [pid 2007]
hidden from ps: [yes]
hidden from kernel: [yes]
binary location: [/usr/sbin/mysqld]

Hidden Pid detected! [pid 2008]
hidden from ps: [yes]
hidden from kernel: [yes]
binary location: [/usr/sbin/mysqld]

Hidden Pid detected! [pid 2009]
hidden from ps: [yes]
hidden from kernel: [yes]
binary location: [/usr/sbin/mysqld]

Hidden Pid detected! [pid 2010]
hidden from ps: [yes]
hidden from kernel: [yes]
binary location: [/usr/sbin/mysqld]

Hidden Pid detected! [pid 2011]
hidden from ps: [yes]
hidden from kernel: [yes]
binary location: [/usr/sbin/mysqld]

Hidden Pid detected! [pid 28432]
hidden from ps: [yes]
hidden from kernel: [yes]
binary location: [/usr/sbin/clamd]

Hidden Pid detected! [pid 29598]
hidden from ps: [yes]
hidden from kernel: [yes]
binary location: [/usr/sbin/mysqld]

Hidden Pid detected! [pid 30401]
hidden from ps: [yes]
hidden from kernel: [yes]
binary location: [/usr/sbin/mysqld]

Hidden Pid detected! [pid 30408]
hidden from ps: [yes]
hidden from kernel: [yes]
binary location: [/usr/sbin/mysqld]

Hidden Pid detected! [pid 30430]
hidden from ps: [yes]
hidden from kernel: [yes]
binary location: [/sbin/rsyslogd]

This installation of cpanel is new so these are false positives. how do i fix this?

quietFinn · Dec 25, 2011

What are cPanel/WHM, OS & kernel versions?

DreamPhysix · Dec 25, 2011

CentOS 6.2 64-bit, kernel 3.0.4-x86_64-linode21, WHM 11.30.5 (build 3)

quietFinn · Dec 25, 2011

DreamPhysix said:
CentOS 6.2 64-bit, kernel 3.0.4-x86_64-linode21, WHM 11.30.5 (build 3)

It's probably that kernel 3.0.x causing troubles, check this thread:
http://forums.cpanel.net/f5/trojan-...fresh-install-cpanel-case-55852-a-238021.html

Thread starter	Similar threads	Forum	Replies	Date
P	Disabling "Trojan Horses Detected" daily e-mail	Security	6	Nov 5, 2011
D	Trojan Horses Detected by (WHM) after fresh install of cPanel [case 55852]	Security	8	Oct 13, 2011
M	Trojan Horses detected on a clean install	Security	4	Aug 31, 2011
B	"Trojan Horses Detected" but only rsyslogd and mysqld. New server, scans shows clean	Security	2	Aug 30, 2011
M	'Trojan Horses Detected by WHM' - Real or Not	Security	3	Dec 16, 2007

Search

Search

Trojan Horses Detected by (WHM)

DreamPhysix

Well-Known Member

quietFinn

Well-Known Member

DreamPhysix

Well-Known Member

quietFinn

Well-Known Member