Trojan Horses detected on a clean install

[mpkossen]

I've installed cPanel on a new, clean VPS (immediately after the OS was loaded) and after each ucpc run, I get the following e-mail:

Hidden Pid detected! [pid 1562]
hidden from ps: [yes]
hidden from kernel: [yes]
binary location: [/sbin/rsyslogd (deleted)]

Hidden Pid detected! [pid 1563]
hidden from ps: [yes]
hidden from kernel: [yes]
binary location: [/sbin/rsyslogd (deleted)]

Hidden Pid detected! [pid 12195]
hidden from ps: [yes]
hidden from kernel: [yes]
binary location: [/usr/sbin/named]

Hidden Pid detected! [pid 12196]
hidden from ps: [yes]
hidden from kernel: [yes]
binary location: [/usr/sbin/named]

Hidden Pid detected! [pid 12197]
hidden from ps: [yes]
hidden from kernel: [yes]
binary location: [/usr/sbin/named]

Hidden Pid detected! [pid 12198]
hidden from ps: [yes]
hidden from kernel: [yes]
binary location: [/usr/sbin/named]

Hidden Pid detected! [pid 12199]
hidden from ps: [yes]
hidden from kernel: [yes]
binary location: [/usr/sbin/named]

Hidden Pid detected! [pid 12200]
hidden from ps: [yes]
hidden from kernel: [yes]
binary location: [/usr/sbin/named]

Hidden Pid detected! [pid 12553]
hidden from ps: [yes]
hidden from kernel: [yes]
binary location: [/usr/sbin/mysqld]

Hidden Pid detected! [pid 12554]
hidden from ps: [yes]
hidden from kernel: [yes]
binary location: [/usr/sbin/mysqld]

Hidden Pid detected! [pid 12555]
hidden from ps: [yes]
hidden from kernel: [yes]
binary location: [/usr/sbin/mysqld]

Hidden Pid detected! [pid 12556]
hidden from ps: [yes]
hidden from kernel: [yes]
binary location: [/usr/sbin/mysqld]

Hidden Pid detected! [pid 12559]
hidden from ps: [yes]
hidden from kernel: [yes]
binary location: [/usr/sbin/mysqld]

Hidden Pid detected! [pid 12560]
hidden from ps: [yes]
hidden from kernel: [yes]
binary location: [/usr/sbin/mysqld]

Hidden Pid detected! [pid 12561]
hidden from ps: [yes]
hidden from kernel: [yes]
binary location: [/usr/sbin/mysqld]

Hidden Pid detected! [pid 12562]
hidden from ps: [yes]
hidden from kernel: [yes]
binary location: [/usr/sbin/mysqld]

Hidden Pid detected! [pid 12563]
hidden from ps: [yes]
hidden from kernel: [yes]
binary location: [/usr/sbin/mysqld]

Hidden Pid detected! [pid 16914]
hidden from ps: [yes]
hidden from kernel: [yes]
binary location: [/sbin/rsyslogd (deleted)]

Hidden Pid detected! [pid 20309]
hidden from ps: [yes]
hidden from kernel: [yes]
binary location: [/usr/sbin/mysqld]

I have already run chkrootkit and rkhunter, which both said not much was going on. I even reinstalled the server once (complete OS reload and reinstall of cPanel), but to no avail. I've search for a recent thread regarding this, but haven't found anything to ease my thoughts about this (most threads are over 4 years old and the recent ones haven't got the same affected applications).

Any idea if I should be worried and what might be causing this?

 

[cPanelTristan]

Is this the exact contents of the email? Could you post the header of the email as well?

 

[mpkossen]

This the the full e-mail. I've removed my e-mail addresses and server name from the headers (replaced with placeholders):

Delivered-To: <e-mail>
Received: by 10.231.36.7 with SMTP id r7cs39320ibd;
Tue, 30 Aug 2011 19:16:34 -0700 (PDT)
Received: by 10.14.5.206 with SMTP id 54mr2315260eel.157.1314756993938;
Tue, 30 Aug 2011 19:16:33 -0700 (PDT)
Return-Path: <e-mail>
Received: from mail-ey0-f198.google.com (mail-ey0-f198.google.com [209.85.215.198])
by mx.google.com with ESMTPS id f49si1149389eec.181.2011.08.30.19.16.32
(version=TLSv1/SSLv3 cipher=OTHER);
Tue, 30 Aug 2011 19:16:32 -0700 (PDT)
Received-SPF: neutral (google.com: 209.85.215.198 is neither permitted nor denied by best guess record for domain of <e-mail>) client-ip=209.85.215.198;
Authentication-Results: mx.google.com; spf=neutral (google.com: 209.85.215.198 is neither permitted nor denied by best guess record for domain of <e-mail>) smtp.mail=<e-mail>
Received: by eye22 with SMTP id 22sf125499eye.1
for <e-mail>; Tue, 30 Aug 2011 19:16:32 -0700 (PDT)
Received: by 10.227.201.138 with SMTP id fa10mr128953wbb.7.1314756992237;
Tue, 30 Aug 2011 19:16:32 -0700 (PDT)
MIME-Version: 1.0
X-BeenThere: <e-mail>
Received: by 10.227.28.223 with SMTP id n31ls17632118wbc.1.gmail; Tue, 30 Aug
2011 19:16:31 -0700 (PDT)
Received: by 10.216.179.140 with SMTP id h12mr5976543wem.45.1314756991674;
Tue, 30 Aug 2011 19:16:31 -0700 (PDT)
Received: by 10.216.179.140 with SMTP id h12mr5976541wem.45.1314756991658;
Tue, 30 Aug 2011 19:16:31 -0700 (PDT)
Received: from <servername) (<servername> [<serverip>])
by mx.google.com with ESMTPS id k7si14879444weq.126.2011.08.30.19.16.30
(version=TLSv1/SSLv3 cipher=OTHER);
Tue, 30 Aug 2011 19:16:30 -0700 (PDT)
Received-SPF: neutral (google.com: 109.74.192.8 is neither permitted nor denied by best guess record for domain of <e-mail>) client-ip=109.74.192.8;
Received: from root by <servername> with local (Exim 4.69)
(envelope-from <e-mail>)
id 1QyaLt-0008GZ-J9; Tue, 30 Aug 2011 22:16:29 -0400
To: <e-mail>
To: <e-mail>
Subject: Trojan Horses Detected by (WHM) on <servername>
From: root <e-mail>
Message-Id: <[email protected]<servername>>
Date: Tue, 30 Aug 2011 22:16:29 -0400
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - <servername>
X-AntiAbuse: Original Domain - <domainname>
X-AntiAbuse: Originator/Caller UID/GID - [0 0] / [47 12]
X-AntiAbuse: Sender Address Domain - <servername>
X-Original-Sender: <e-mail>
X-Original-Authentication-Results: mx.google.com; spf=neutral (google.com:
109.74.192.8 is neither permitted nor denied by best guess record for domain
of <e-mail>) smtp.mail=<e-mail>
Precedence: list
Mailing-list: list <e-mail>; contact <e-mail>
List-ID: <e-mail>
X-Google-Group-Id: 237803514198
List-Post: <e-mail>
List-Help: <e-mail>
List-Archive: <e-mail>
List-Unsubscribe: <e-mail>

Hidden Pid detected! [pid 1562]
hidden from ps: [yes]
hidden from kernel: [yes]
binary location: [/sbin/rsyslogd (deleted)]

Hidden Pid detected! [pid 1563]
hidden from ps: [yes]
hidden from kernel: [yes]
binary location: [/sbin/rsyslogd (deleted)]

Hidden Pid detected! [pid 12195]
hidden from ps: [yes]
hidden from kernel: [yes]
binary location: [/usr/sbin/named]

Hidden Pid detected! [pid 12196]
hidden from ps: [yes]
hidden from kernel: [yes]
binary location: [/usr/sbin/named]

Hidden Pid detected! [pid 12197]
hidden from ps: [yes]
hidden from kernel: [yes]
binary location: [/usr/sbin/named]

Hidden Pid detected! [pid 12198]
hidden from ps: [yes]
hidden from kernel: [yes]
binary location: [/usr/sbin/named]

Hidden Pid detected! [pid 12199]
hidden from ps: [yes]
hidden from kernel: [yes]
binary location: [/usr/sbin/named]

Hidden Pid detected! [pid 12200]
hidden from ps: [yes]
hidden from kernel: [yes]
binary location: [/usr/sbin/named]

Hidden Pid detected! [pid 12553]
hidden from ps: [yes]
hidden from kernel: [yes]
binary location: [/usr/sbin/mysqld]

Hidden Pid detected! [pid 12554]
hidden from ps: [yes]
hidden from kernel: [yes]
binary location: [/usr/sbin/mysqld]

Hidden Pid detected! [pid 12555]
hidden from ps: [yes]
hidden from kernel: [yes]
binary location: [/usr/sbin/mysqld]

Hidden Pid detected! [pid 12556]
hidden from ps: [yes]
hidden from kernel: [yes]
binary location: [/usr/sbin/mysqld]

Hidden Pid detected! [pid 12559]
hidden from ps: [yes]
hidden from kernel: [yes]
binary location: [/usr/sbin/mysqld]

Hidden Pid detected! [pid 12560]
hidden from ps: [yes]
hidden from kernel: [yes]
binary location: [/usr/sbin/mysqld]

Hidden Pid detected! [pid 12561]
hidden from ps: [yes]
hidden from kernel: [yes]
binary location: [/usr/sbin/mysqld]

Hidden Pid detected! [pid 12562]
hidden from ps: [yes]
hidden from kernel: [yes]
binary location: [/usr/sbin/mysqld]

Hidden Pid detected! [pid 12563]
hidden from ps: [yes]
hidden from kernel: [yes]
binary location: [/usr/sbin/mysqld]

Hidden Pid detected! [pid 16914]
hidden from ps: [yes]
hidden from kernel: [yes]
binary location: [/sbin/rsyslogd (deleted)]

Hidden Pid detected! [pid 20309]
hidden from ps: [yes]
hidden from kernel: [yes]
binary location: [/usr/sbin/mysqld]

 

[ES - George]

You must consider the possibility of false positives. I have several Trojan Horses apparently detected by WHM, one of which is a fresh installation of WHMCS, others which are the default versions of core system files.

 

[mpkossen]

I was thinking the same, that it are all false positives. However, I'd like to be sure they are and if they are, they should not be detected as Trojans.