The Community Forums


Trojan Horses Detected by (WHM)... ?

Discussion in 'General Discussion' started by brianteeter, May 5, 2003.

  1. brianteeter

    brianteeter Well-Known Member

    Joined:
    Jan 6, 2002
    Messages:
    72
    Likes Received:
    0
    Trophy Points:
    6
    We're starting to see this from one of our servers...

    Hidden Pid detected! [pid 334]
    hidden from ps: [yes]
    hidden from kernel: [yes]
    binary location: [/sbin/init2.4.18 (deleted)]


    chkrootkit reports nothing other than the standard Port 465 error due to PortSentry. Is there something we should be looking for? Has anyone run into this before?

    Thanks - Brian
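    To show what a report like the one above is actually measuring, here is an added example (not code from the thread, cPanel, or chkrootkit) that reproduces the three checks on a Linux host: a PID present in /proc but missing from `ps` output ("hidden from ps"), a PID that answers `kill(pid, 0)` but is absent from the /proc directory listing ("hidden from kernel", the approach chkrootkit's chkproc takes), and a running binary whose file was unlinked, which the kernel marks by appending " (deleted)" to `/proc/<pid>/exe`. The PID numbers, `ps` text and exe paths in `SAMPLE_*` are constructed for the example; PID 334 mirrors Brian's report, PID 4000 is an invented process that only shows up via the kill probe.

```python
import os
import re
import subprocess
from dataclasses import dataclass

PID_NAME_RE = re.compile(r"^\d+$")


@dataclass(frozen=True)
class Finding:
    pid: int
    hidden_from_ps: bool     # listed in /proc but absent from `ps` output
    hidden_from_proc: bool   # answers kill(pid, 0) but absent from the /proc listing
    exe: str                 # target of /proc/<pid>/exe, "" if unreadable
    exe_deleted: bool        # binary was unlinked after the process started


def parse_ps_pids(ps_output: str) -> set[int]:
    """Parse `ps -e -o pid=` output (one PID per line; a header line is skipped)."""
    return {int(tok) for tok in ps_output.split() if tok.isdigit()}


def list_proc_pids(proc_root: str = "/proc") -> set[int]:
    """PIDs visible by listing /proc, which is the view a userland `ps` relies on."""
    return {int(n) for n in os.listdir(proc_root) if PID_NAME_RE.match(n)}


def read_exe_targets(pids, proc_root: str = "/proc") -> dict[int, str]:
    """Resolve /proc/<pid>/exe; "" for kernel threads, exited processes or no permission."""
    targets = {}
    for pid in pids:
        try:
            targets[pid] = os.readlink(f"{proc_root}/{pid}/exe")
        except OSError:
            targets[pid] = ""
    return targets


def pid_alive(pid: int) -> bool:
    """kill(pid, 0) delivers no signal; it only reports whether the PID exists."""
    try:
        os.kill(pid, 0)
    except ProcessLookupError:
        return False
    except PermissionError:
        return True   # exists, but belongs to another user
    return True


def probe_hidden_pids(proc_pids, max_pid: int, alive=pid_alive) -> set[int]:
    """PIDs that respond to kill(pid, 0) yet do not appear in the /proc listing."""
    return {pid for pid in range(1, max_pid + 1)
            if pid not in proc_pids and alive(pid)}


def analyse(proc_pids, ps_pids, exe_targets, probed_hidden=frozenset()) -> list[Finding]:
    """Flag every PID that is hidden from ps, hidden from /proc, or runs a deleted binary.
    A process that exits between the /proc listing and the ps run shows up as
    hidden_from_ps; re-run and keep only PIDs flagged both times."""
    findings = []
    for pid in sorted(set(proc_pids) | set(probed_hidden)):
        exe = exe_targets.get(pid, "")
        deleted = exe.endswith(" (deleted)")
        hidden_ps = pid not in ps_pids
        hidden_proc = pid in probed_hidden
        if hidden_ps or hidden_proc or deleted:
            findings.append(Finding(pid, hidden_ps, hidden_proc, exe, deleted))
    return findings


# Constructed sample data for offline use (not taken from any real server).
SAMPLE_PROC_PIDS = {1, 334, 512, 1200}
SAMPLE_PS_OUTPUT = "  PID\n    1\n  512\n 1200\n"
SAMPLE_EXE = {1: "/sbin/init", 334: "/sbin/init2.4.18 (deleted)",
              512: "/usr/sbin/sshd", 1200: "/bin/bash"}


def sample_alive(pid: int) -> bool:
    """Stand-in for kill(pid, 0): PID 4000 exists but is missing from SAMPLE_PROC_PIDS."""
    return pid in SAMPLE_PROC_PIDS or pid == 4000


def sample_findings() -> list[Finding]:
    hidden = probe_hidden_pids(SAMPLE_PROC_PIDS, 5000, sample_alive)
    return analyse(SAMPLE_PROC_PIDS, parse_ps_pids(SAMPLE_PS_OUTPUT), SAMPLE_EXE, hidden)


def main() -> None:
    """Live scan of this host; run as root so every /proc/<pid>/exe is readable."""
    proc_pids = list_proc_pids()
    ps = subprocess.run(["ps", "-e", "-o", "pid="], capture_output=True, text=True, check=True)
    with open("/proc/sys/kernel/pid_max") as fh:
        max_pid = int(fh.read())      # probing all PIDs can take several seconds
    hidden = probe_hidden_pids(proc_pids, max_pid)
    for f in analyse(proc_pids, parse_ps_pids(ps.stdout), read_exe_targets(proc_pids | hidden), hidden):
        print(f)


if __name__ == "__main__":
    main()
```

    On the sample data the script reports PID 334 (hidden from ps, deleted binary) and PID 4000 (hidden from the /proc listing). A genuine "hidden from kernel" hit means something in the kernel or a hooked libc is filtering readdir on /proc, which a userland `ps` cannot see around; the kill probe is the cheap cross-check, and a deleted-binary path is worth treating as suspicious even when the PID is otherwise visible.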
     
  2. dgbaker

    dgbaker Well-Known Member
    PartnerNOC

    Joined:
    Sep 20, 2002
    Messages:
    2,578
    Likes Received:
    3
    Trophy Points:
    38
    Location:
    Toronto, Ontario Canada
    cPanel Access Level:
    DataCenter Provider
    Try this. In ssh, type init

    You should see this: Usage: init 0123456SsQqAaBbCcUu

    If you see otherwise, the system has been compromised. The init file you'll probably end up seeing will have an option to unhide pids etc...

    Check there first.

    Also, another really simple way to catch the kiddie hackers is to grep through /usr/bin /usr/sbin /bin /sbin looking for the word "****" all in caps. That is one of the strings found in a lot of hackers' programs.

    That would be the start.
     
  3. dgbaker

    dgbaker Well-Known Member
    PartnerNOC

    Joined:
    Sep 20, 2002
    Messages:
    2,578
    Likes Received:
    3
    Trophy Points:
    38
    Location:
    Toronto, Ontario Canada
    cPanel Access Level:
    DataCenter Provider
    Also check in /usr/man for a hidden directory, I think it was called .sman
     
  4. brianteeter

    brianteeter Well-Known Member

    Joined:
    Jan 6, 2002
    Messages:
    72
    Likes Received:
    0
    Trophy Points:
    6
    No hidden directories, at least not there. I also looked in /dev - as I've seen script kiddies use that folder too.

    Also, init produces the correct output when run, and no hidden processes...

    I wonder if this could be a CPanel bug or something?

    Thanks - Brian
     
