Trojan Horses detected on a clean install

mpkossen

Member
Jul 19, 2010
I've installed cPanel on a new, clean VPS (immediately after the OS was loaded) and after each ucpc run, I get the following e-mail:

Hidden Pid detected! [pid 1562]
hidden from ps: [yes]
hidden from kernel: [yes]
binary location: [/sbin/rsyslogd (deleted)]

Hidden Pid detected! [pid 1563]
hidden from ps: [yes]
hidden from kernel: [yes]
binary location: [/sbin/rsyslogd (deleted)]

Hidden Pid detected! [pid 12195]
hidden from ps: [yes]
hidden from kernel: [yes]
binary location: [/usr/sbin/named]

Hidden Pid detected! [pid 12196]
hidden from ps: [yes]
hidden from kernel: [yes]
binary location: [/usr/sbin/named]

Hidden Pid detected! [pid 12197]
hidden from ps: [yes]
hidden from kernel: [yes]
binary location: [/usr/sbin/named]

Hidden Pid detected! [pid 12198]
hidden from ps: [yes]
hidden from kernel: [yes]
binary location: [/usr/sbin/named]

Hidden Pid detected! [pid 12199]
hidden from ps: [yes]
hidden from kernel: [yes]
binary location: [/usr/sbin/named]

Hidden Pid detected! [pid 12200]
hidden from ps: [yes]
hidden from kernel: [yes]
binary location: [/usr/sbin/named]

Hidden Pid detected! [pid 12553]
hidden from ps: [yes]
hidden from kernel: [yes]
binary location: [/usr/sbin/mysqld]

Hidden Pid detected! [pid 12554]
hidden from ps: [yes]
hidden from kernel: [yes]
binary location: [/usr/sbin/mysqld]

Hidden Pid detected! [pid 12555]
hidden from ps: [yes]
hidden from kernel: [yes]
binary location: [/usr/sbin/mysqld]

Hidden Pid detected! [pid 12556]
hidden from ps: [yes]
hidden from kernel: [yes]
binary location: [/usr/sbin/mysqld]

Hidden Pid detected! [pid 12559]
hidden from ps: [yes]
hidden from kernel: [yes]
binary location: [/usr/sbin/mysqld]

Hidden Pid detected! [pid 12560]
hidden from ps: [yes]
hidden from kernel: [yes]
binary location: [/usr/sbin/mysqld]

Hidden Pid detected! [pid 12561]
hidden from ps: [yes]
hidden from kernel: [yes]
binary location: [/usr/sbin/mysqld]

Hidden Pid detected! [pid 12562]
hidden from ps: [yes]
hidden from kernel: [yes]
binary location: [/usr/sbin/mysqld]

Hidden Pid detected! [pid 12563]
hidden from ps: [yes]
hidden from kernel: [yes]
binary location: [/usr/sbin/mysqld]

Hidden Pid detected! [pid 16914]
hidden from ps: [yes]
hidden from kernel: [yes]
binary location: [/sbin/rsyslogd (deleted)]

Hidden Pid detected! [pid 20309]
hidden from ps: [yes]
hidden from kernel: [yes]
binary location: [/usr/sbin/mysqld]
I have already run chkrootkit and rkhunter, which both said not much was going on. I even reinstalled the server once (complete OS reload and reinstall of cPanel), but to no avail. I've searched for a recent thread regarding this, but haven't found anything to ease my thoughts about this (most threads are over 4 years old and the recent ones haven't got the same affected applications).

Any idea if I should be worried and what might be causing this?
 

cPanelTristan

Quality Assurance Analyst
Staff member
Oct 2, 2010
somewhere over the rainbow
cPanel Access Level
Root Administrator
Is this the exact contents of the email? Could you post the header of the email as well?
 

mpkossen

Member
Jul 19, 2010
This is the full e-mail. I've removed my e-mail addresses and server name from the headers (replaced with placeholders):

Delivered-To: <e-mail>
Received: by 10.231.36.7 with SMTP id r7cs39320ibd;
Tue, 30 Aug 2011 19:16:34 -0700 (PDT)
Received: by 10.14.5.206 with SMTP id 54mr2315260eel.157.1314756993938;
Tue, 30 Aug 2011 19:16:33 -0700 (PDT)
Return-Path: <e-mail>
Received: from mail-ey0-f198.google.com (mail-ey0-f198.google.com [209.85.215.198])
by mx.google.com with ESMTPS id f49si1149389eec.181.2011.08.30.19.16.32
(version=TLSv1/SSLv3 cipher=OTHER);
Tue, 30 Aug 2011 19:16:32 -0700 (PDT)
Received-SPF: neutral (google.com: 209.85.215.198 is neither permitted nor denied by best guess record for domain of <e-mail>) client-ip=209.85.215.198;
Authentication-Results: mx.google.com; spf=neutral (google.com: 209.85.215.198 is neither permitted nor denied by best guess record for domain of <e-mail>) smtp.mail=<e-mail>
Received: by eye22 with SMTP id 22sf125499eye.1
for <e-mail>; Tue, 30 Aug 2011 19:16:32 -0700 (PDT)
Received: by 10.227.201.138 with SMTP id fa10mr128953wbb.7.1314756992237;
Tue, 30 Aug 2011 19:16:32 -0700 (PDT)
MIME-Version: 1.0
X-BeenThere: <e-mail>
Received: by 10.227.28.223 with SMTP id n31ls17632118wbc.1.gmail; Tue, 30 Aug
2011 19:16:31 -0700 (PDT)
Received: by 10.216.179.140 with SMTP id h12mr5976543wem.45.1314756991674;
Tue, 30 Aug 2011 19:16:31 -0700 (PDT)
Received: by 10.216.179.140 with SMTP id h12mr5976541wem.45.1314756991658;
Tue, 30 Aug 2011 19:16:31 -0700 (PDT)
Received: from <servername> (<servername> [<serverip>])
by mx.google.com with ESMTPS id k7si14879444weq.126.2011.08.30.19.16.30
(version=TLSv1/SSLv3 cipher=OTHER);
Tue, 30 Aug 2011 19:16:30 -0700 (PDT)
Received-SPF: neutral (google.com: 109.74.192.8 is neither permitted nor denied by best guess record for domain of <e-mail>) client-ip=109.74.192.8;
Received: from root by <servername> with local (Exim 4.69)
(envelope-from <e-mail>)
id 1QyaLt-0008GZ-J9; Tue, 30 Aug 2011 22:16:29 -0400
To: <e-mail>
To: <e-mail>
Subject: Trojan Horses Detected by (WHM) on <servername>
From: root <e-mail>
Message-Id: <[email protected]<servername>>
Date: Tue, 30 Aug 2011 22:16:29 -0400
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - <servername>
X-AntiAbuse: Original Domain - <domainname>
X-AntiAbuse: Originator/Caller UID/GID - [0 0] / [47 12]
X-AntiAbuse: Sender Address Domain - <servername>
X-Original-Sender: <e-mail>
X-Original-Authentication-Results: mx.google.com; spf=neutral (google.com:
109.74.192.8 is neither permitted nor denied by best guess record for domain
of <e-mail>) smtp.mail=<e-mail>
Precedence: list
Mailing-list: list <e-mail>; contact <e-mail>
List-ID: <e-mail>
X-Google-Group-Id: 237803514198
List-Post: <e-mail>
List-Help: <e-mail>
List-Archive: <e-mail>
List-Unsubscribe: <e-mail>

Hidden Pid detected! [pid 1562]
hidden from ps: [yes]
hidden from kernel: [yes]
binary location: [/sbin/rsyslogd (deleted)]

Hidden Pid detected! [pid 1563]
hidden from ps: [yes]
hidden from kernel: [yes]
binary location: [/sbin/rsyslogd (deleted)]

Hidden Pid detected! [pid 12195]
hidden from ps: [yes]
hidden from kernel: [yes]
binary location: [/usr/sbin/named]

Hidden Pid detected! [pid 12196]
hidden from ps: [yes]
hidden from kernel: [yes]
binary location: [/usr/sbin/named]

Hidden Pid detected! [pid 12197]
hidden from ps: [yes]
hidden from kernel: [yes]
binary location: [/usr/sbin/named]

Hidden Pid detected! [pid 12198]
hidden from ps: [yes]
hidden from kernel: [yes]
binary location: [/usr/sbin/named]

Hidden Pid detected! [pid 12199]
hidden from ps: [yes]
hidden from kernel: [yes]
binary location: [/usr/sbin/named]

Hidden Pid detected! [pid 12200]
hidden from ps: [yes]
hidden from kernel: [yes]
binary location: [/usr/sbin/named]

Hidden Pid detected! [pid 12553]
hidden from ps: [yes]
hidden from kernel: [yes]
binary location: [/usr/sbin/mysqld]

Hidden Pid detected! [pid 12554]
hidden from ps: [yes]
hidden from kernel: [yes]
binary location: [/usr/sbin/mysqld]

Hidden Pid detected! [pid 12555]
hidden from ps: [yes]
hidden from kernel: [yes]
binary location: [/usr/sbin/mysqld]

Hidden Pid detected! [pid 12556]
hidden from ps: [yes]
hidden from kernel: [yes]
binary location: [/usr/sbin/mysqld]

Hidden Pid detected! [pid 12559]
hidden from ps: [yes]
hidden from kernel: [yes]
binary location: [/usr/sbin/mysqld]

Hidden Pid detected! [pid 12560]
hidden from ps: [yes]
hidden from kernel: [yes]
binary location: [/usr/sbin/mysqld]

Hidden Pid detected! [pid 12561]
hidden from ps: [yes]
hidden from kernel: [yes]
binary location: [/usr/sbin/mysqld]

Hidden Pid detected! [pid 12562]
hidden from ps: [yes]
hidden from kernel: [yes]
binary location: [/usr/sbin/mysqld]

Hidden Pid detected! [pid 12563]
hidden from ps: [yes]
hidden from kernel: [yes]
binary location: [/usr/sbin/mysqld]

Hidden Pid detected! [pid 16914]
hidden from ps: [yes]
hidden from kernel: [yes]
binary location: [/sbin/rsyslogd (deleted)]

Hidden Pid detected! [pid 20309]
hidden from ps: [yes]
hidden from kernel: [yes]
binary location: [/usr/sbin/mysqld]
 

ES - George

Well-Known Member
PartnerNOC
Jun 12, 2011
UK
cPanel Access Level
DataCenter Provider
You must consider the possibility of false positives. I have several Trojan Horses apparently detected by WHM, one of which is a fresh installation of WHMCS, others which are the default versions of core system files.
 

mpkossen

Member
Jul 19, 2010
I was thinking the same, that they are all false positives. However, I'd like to be sure they are, and if they are, they should not be detected as Trojans.
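One way to check a report like this on the box itself, as an added example that is neither the thread's nor cPanel's own code: it reads /proc directly and flags the two benign explanations the list above suggests. Runs of consecutive PIDs under multithreaded daemons such as named and mysqld are likely thread IDs, which are reachable via /proc/<tid> but not listed by ps, and "(deleted)" on rsyslogd means the on-disk binary was replaced or removed (for instance by a package update) while the old process kept running. It assumes a Linux /proc; the function names and the sample PIDs taken from the e-mail are illustrative.

```python
"""Triage "Hidden Pid detected!" entries by asking the kernel directly."""
import os

# PIDs copied from the e-mail above; any that have since exited are reported as such.
CANDIDATE_PIDS = [1562, 1563, 12195, 12196, 12553, 12554, 20309]


def parse_status(text):
    """Parse the relevant fields of a /proc/<pid>/status body."""
    fields = {}
    for line in text.splitlines():
        key, _, value = line.partition(":")
        fields[key.strip()] = value.strip()
    return {"Pid": int(fields["Pid"]), "Tgid": int(fields["Tgid"]),
            "Name": fields.get("Name", "")}


def classify(status, exe_target, listed_in_proc):
    """Explain one flagged PID from its status fields, exe link and /proc listing."""
    notes = []
    if status["Tgid"] != status["Pid"]:
        # A thread id: /proc/<tid> opens fine, but neither readdir(/proc) nor
        # `ps -e` lists it, which a brute-force PID scan reports as "hidden".
        notes.append("thread of pid %d (%s); not a separate process"
                     % (status["Tgid"], status["Name"]))
    elif not listed_in_proc:
        # A real thread-group leader that /proc does not list deserves a closer look.
        notes.append("process not listed in /proc but reachable: investigate")
    if exe_target.endswith(" (deleted)"):
        # Binary on disk replaced/removed after start; restart the service and re-check.
        notes.append("running binary no longer on disk: %s" % exe_target)
    return notes or ["listed normally"]


def triage(pid):
    """Live variant: gather the inputs for classify() from /proc on this host."""
    base = "/proc/%d" % pid
    if not os.path.exists(base + "/status"):
        return ["pid %d no longer exists" % pid]
    with open(base + "/status") as fh:
        status = parse_status(fh.read())
    try:
        exe = os.readlink(base + "/exe")
    except OSError as err:
        exe = "<unreadable: %s>" % err.strerror
    return classify(status, exe, str(pid) in os.listdir("/proc"))


if __name__ == "__main__":
    for pid in CANDIDATE_PIDS:
        print(pid, "; ".join(triage(pid)))
```

Run it as root shortly after the WHM e-mail arrives, before the flagged PIDs are recycled.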