Trojan on my server...

Discussion in 'General Discussion' started by flashsonix, Mar 22, 2005.

  1. flashsonix

    flashsonix Member

    Joined:
    Aug 30, 2004
    Messages:
    17
    Likes Received:
    0
    Trophy Points:
    1
    I need advice on this issue fast, please help me...


    WHM reported this...

    Hidden Pid detected! [pid 289]
    hidden from ps: [yes]
    hidden from kernel: [yes]
    binary location: [/usr/sbin/syslogd]

    Rebuilding Process List...Done

    Hidden Pid detected! [pid 388]
    hidden from ps: [yes]
    hidden from kernel: [yes]
    binary location: [/usr/sbin/usbd]

    Rebuilding Process List...Done
    Hidden Pid detected! [pid 436]
    hidden from ps: [yes]
    hidden from kernel: [yes]
    binary location: [/usr/sbin/sshd]

    Rebuilding Process List...Done
    Hidden Pid detected! [pid 459]
    hidden from ps: [yes]
    hidden from kernel: [yes]
    binary location: [/usr/sbin/cron]

    Rebuilding Process List...Done
    Hidden Pid detected! [pid 486]
    hidden from ps: [yes]
    hidden from kernel: [yes]
    binary location: [/usr/local/apache/bin/httpd]

    Rebuilding Process List...Done
    Hidden Pid detected! [pid 496]
    hidden from ps: [yes]
    hidden from kernel: [yes]
    binary location: [/usr/local/sbin/exim-4.43-1]

    Rebuilding Process List...Done
    Hidden Pid detected! [pid 498]
    hidden from ps: [yes]
    hidden from kernel: [yes]
    binary location: [/usr/local/sbin/exim-4.43-1]

    Rebuilding Process List...Done
    Hidden Pid detected! [pid 508]
    hidden from ps: [yes]
    hidden from kernel: [yes]
    binary location: [/usr/local/bin/perl]



    So I downloaded chkrootkit to make sure and the result was:

    Checking `amd'... not infected
    Checking `basename'... not infected
    Checking `biff'... not infected
    Checking `chfn'... not infected
    Checking `chsh'... not infected
    Checking `cron'... not infected
    Checking `date'... not infected
    Checking `du'... not infected
    Checking `dirname'... not infected
    Checking `echo'... not infected
    Checking `egrep'... not infected
    Checking `env'... not infected
    Checking `find'... not infected
    Checking `fingerd'... not infected
    Checking `gpm'... not found
    Checking `grep'... not infected
    Checking `hdparm'... not found
    Checking `su'... not infected
    Checking `ifconfig'... not infected
    Checking `inetd'... not tested
    Checking `inetdconf'... not infected
    Checking `identd'... not found
    Checking `init'... not infected
    Checking `killall'... not infected
    Checking `ldsopreload'... not tested
    Checking `login'... not infected
    Checking `ls'... not infected
    Checking `lsof'... not found
    Checking `mail'... not infected
    Checking `mingetty'... not found
    Checking `netstat'... not infected
    Checking `named'... not found
    Checking `passwd'... not infected
    Checking `pidof'... not found
    Checking `pop2'... not found
    Checking `pop3'... not found
    Checking `ps'... not infected
    Checking `pstree'... not found
    Checking `rpcinfo'... not infected
    Checking `rlogind'... not infected
    Checking `rshd'... not infected
    Checking `slogin'... not infected
    Checking `sendmail'... not infected
    Checking `sshd'... not infected
    Checking `syslogd'... not infected
    Checking `tar'... not infected
    Checking `tcpd'... not infected
    Checking `tcpdump'... not infected
    Checking `top'... not infected
    Checking `telnetd'... not infected
    Checking `timed'... not infected
    Checking `traceroute'... not infected
    Checking `vdir'... not found
    Checking `w'... not infected
    Checking `write'... not infected
    Checking `aliens'... no suspect files
    Searching for sniffer's logs, it may take a while... nothing found
    Searching for HiDrootkit's default dir... nothing found
    Searching for t0rn's default files and dirs... nothing found
    Searching for t0rn's v8 defaults... nothing found
    Searching for Lion Worm default files and dirs... nothing found
    Searching for RSHA's default files and dir... nothing found
    Searching for RH-Sharpe's default files... nothing found
    Searching for Ambient's rootkit (ark) default files and dirs... nothing found
    Searching for suspicious files and dirs, it may take a while...
    /usr/lib/php/.registry /usr/lib/php/.lock /usr/lib/php/.filemap
    /usr/lib/php/.registry
    Searching for LPD Worm files and dirs... nothing found
    Searching for Ramen Worm files and dirs... nothing found
    Searching for Maniac files and dirs... nothing found
    Searching for RK17 files and dirs... nothing found
    Searching for Ducoci rootkit... nothing found
    Searching for Adore Worm... nothing found
    Searching for ShitC Worm... nothing found
    Searching for Omega Worm... nothing found
    Searching for Sadmind/IIS Worm... nothing found
    Searching for MonKit... nothing found
    Searching for Showtee... nothing found
    Searching for OpticKit... nothing found
    Searching for T.R.K... nothing found
    Searching for Mithra... nothing found
    Searching for OBSD rk v1... nothing found
    Searching for LOC rootkit... nothing found
    Searching for Romanian rootkit... nothing found
    Searching for Suckit rootkit... nothing found
    Searching for Volc rootkit... nothing found
    Searching for Gold2 rootkit... nothing found
    Searching for TC2 Worm default files and dirs... nothing found
    Searching for Anonoying rootkit default files and dirs... nothing found
    Searching for ZK rootkit default files and dirs... nothing found
    Searching for ShKit rootkit default files and dirs... nothing found
    Searching for AjaKit rootkit default files and dirs... nothing found
    Searching for zaRwT rootkit default files and dirs... nothing found
    Searching for Madalin rootkit default files... nothing found
    Searching for Fu rootkit default files... nothing found
    Searching for ESRK rootkit default files... nothing found
    Searching for anomalies in shell history files... nothing found
    Checking `asp'... not infected

    Checking `bindshell'... INFECTED (PORTS: 465)
    Checking `lkm'...

    At this point, the scan stopped. I am not sure if it was really finished though.

    Is there any possibility to fix the infected "bindshell" without having to reinstall the whole system?

    Thanks in advance guys!
     
    #1 flashsonix, Mar 22, 2005
    Last edited: Apr 20, 2007
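The "bindshell ... INFECTED (PORTS: 465)" line is the only real hit in the post above, and the triage question it raises is: which process actually owns that listening socket? Port 465 is the standard SMTPS port, and the hidden-PID list in the same post shows two exim processes, so an admin would want to confirm the owner before touching anything. The script below is an added example for this thread (not code from chkrootkit, cPanel or the poster): it parses `netstat -tlnp`-style output and classifies each scanner-flagged port by whether a daemon expected on that port holds it, some other program holds it, or no owner is visible at all. The netstat text, the flagged-port set and the expected-owner table are constructed assumptions that mirror the thread; they are not copied from any scanner's real list.

```python
"""Triage a scanner 'bindshell' hit by correlating the flagged port with the
process that owns the listening socket.

Added example for this thread; not code from chkrootkit, cPanel or the poster.
Input is constructed `netstat -tlnp` style text (Linux column layout); the
PIDs and program names are made up to mirror the thread, not real data."""

import re

# Constructed sample.  On a live host feed in real `netstat -tlnp` output.
SAMPLE_NETSTAT = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN      496/exim-4.43-1
tcp        0      0 0.0.0.0:465             0.0.0.0:*               LISTEN      498/exim-4.43-1
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      486/httpd
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      436/sshd
tcp        0      0 0.0.0.0:31337           0.0.0.0:*               LISTEN      -
"""

# Ports the scanner treats as bindshell candidates.  465 is the one from the
# post (and the standard SMTPS port); the other value is assumed here for
# illustration, not taken from any scanner's real list.
FLAGGED_PORTS = {465, 31337}

# Daemons an admin expects to hold a port on a cPanel mail/web host.
# Assumption for the example: tune to the real host's service inventory.
EXPECTED_OWNERS = {
    465: ("exim",),
    25: ("exim",),
    80: ("httpd",),
    22: ("sshd",),
}

# One netstat row: proto, queues, local addr:port, foreign addr, optional
# state, then either "PID/program" or "-" when no owner is shown.
LINE_RE = re.compile(
    r"^(?P<proto>tcp6?|udp6?)\s+\d+\s+\d+\s+"
    r"(?P<laddr>\S+):(?P<port>\d+)\s+\S+\s+"
    r"(?:LISTEN\s+)?"
    r"(?P<owner>\S+)\s*$"
)


def parse_netstat(text):
    """Return {port: (pid, program)}; both are None when netstat shows '-'."""
    listeners = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # header lines and anything that is not a socket row
        port = int(m.group("port"))
        owner = m.group("owner")
        if owner == "-" or "/" not in owner:
            listeners[port] = (None, None)
        else:
            pid, prog = owner.split("/", 1)
            listeners[port] = (int(pid), prog)
    return listeners


def triage(listeners, flagged_ports=FLAGGED_PORTS, expected=EXPECTED_OWNERS):
    """Classify each flagged port:
    'expected'      an expected daemon owns the socket (likely false positive)
    'unknown'       some other program owns it; inspect that binary
    'no owner'      nothing owns it per netstat, or the owner is hidden;
                    inspect urgently (this is the case a real bindshell
                    hidden by a rootkit would present)
    'not listening' the scanner flagged it but nothing is bound right now
    """
    verdicts = {}
    for port in sorted(flagged_ports):
        if port not in listeners:
            verdicts[port] = ("not listening", None)
            continue
        pid, prog = listeners[port]
        if prog is None:
            verdicts[port] = ("no owner", None)
        elif any(prog.startswith(e) for e in expected.get(port, ())):
            verdicts[port] = ("expected", f"{prog} (pid {pid})")
        else:
            verdicts[port] = ("unknown", f"{prog} (pid {pid})")
    return verdicts


if __name__ == "__main__":
    for port, (verdict, detail) in triage(parse_netstat(SAMPLE_NETSTAT)).items():
        print(f"port {port}: {verdict}" + (f" -- {detail}" if detail else ""))
```

With the constructed input, port 465 comes back as "expected" because an exim process owns it, which is the situation the next reply calls a false positive; the "no owner" verdict is the one that should not be dismissed, since a socket with no visible owner is consistent with the hidden-process symptoms reported in the first post.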
  2. GOT

    GOT Get Proactive!

    Joined:
    Apr 8, 2003
    Messages:
    900
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Norfolk, VA
    cPanel Access Level:
    DataCenter Provider
    False positive. That always comes up.

    The part about the hidden PIDs is sometimes fixed by upgrading the kernel.

    Bottom line, I doubt you really have a trojan.
     
  3. flashsonix

    flashsonix Member

    Joined:
    Aug 30, 2004
    Messages:
    17
    Likes Received:
    0
    Trophy Points:
    1
    Thank you very much! I am really happy to hear that.

    However, to make sure, I ran rkhunter with the following result:



    Rootkit Hunter 1.2.1 is running

    Determining OS... Unknown
    Warning: This operating system is not fully supported!
    Warning: Cannot find md5_not_known
    All MD5 checks will be skipped!


    Checking binaries
    * Selftests
    Strings (command) [ OK ]


    * System tools
    Skipped!


    Check rootkits
    * Default files and directories
    Rootkit '55808 Trojan - Variant A'... [ OK ]
    ADM Worm... [ OK ]
    Rootkit 'AjaKit'... [ OK ]
    Rootkit 'aPa Kit'... [ OK ]
    Rootkit 'Apache Worm'... [ OK ]
    Rootkit 'Ambient (ark) Rootkit'... [ OK ]
    Rootkit 'Balaur Rootkit'... [ OK ]
    Rootkit 'BeastKit'... [ OK ]
    Rootkit 'BOBKit'... [ OK ]
    Rootkit 'CiNIK Worm (Slapper.B variant)'... [ OK ]
    Rootkit 'Danny-Boy's Abuse Kit'... [ OK ]
    Rootkit 'Devil RootKit'... [ OK ]
    Rootkit 'Dica'... [ OK ]
    Rootkit 'Dreams Rootkit'... [ OK ]
    Rootkit 'Duarawkz'... [ OK ]
    Rootkit 'Flea Linux Rootkit'... [ OK ]
    Rootkit 'FreeBSD Rootkit'... [ OK ]
    Rootkit '****`it Rootkit'... [ OK ]
    Rootkit 'GasKit'... [ OK ]
    Rootkit 'Heroin LKM'... [ OK ]
    Rootkit 'HjC Kit'... [ OK ]
    Rootkit 'ignoKit'... [ OK ]
    Rootkit 'ImperalsS-FBRK'... [ OK ]
    Rootkit 'Irix Rootkit'... [ OK ]
    Rootkit 'Kitko'... [ OK ]
    Rootkit 'Knark'... [ OK ]
    Rootkit 'Li0n Worm'... [ OK ]
    Rootkit 'Lockit / LJK2'... [ OK ]
    Rootkit 'MRK'... [ OK ]
    Rootkit 'Ni0 Rootkit'... [ OK ]
    Rootkit 'RootKit for SunOS / NSDAP'... [ OK ]
    Rootkit 'Optic Kit (Tux)'... [ OK ]
    Rootkit 'Oz Rootkit'... [ OK ]
    Rootkit 'Portacelo'... [ OK ]
    Rootkit 'R3dstorm Toolkit'... [ OK ]
    Rootkit 'RH-Sharpe's rootkit'... [ OK ]
    Rootkit 'RSHA's rootkit'... [ OK ]
    Sebek LKM [ OK ]
    Rootkit 'Scalper Worm'... [ OK ]
    Rootkit 'Shutdown'... [ OK ]
    Rootkit 'SHV4'... [ OK ]
    Rootkit 'SHV5'... [ OK ]
    Rootkit 'Sin Rootkit'... [ OK ]
    Rootkit 'Slapper'... [ OK ]
    Rootkit 'Sneakin Rootkit'... [ OK ]
    Rootkit 'Suckit Rootkit'... [ OK ]
    Rootkit 'SunOS Rootkit'... [ OK ]
    Rootkit 'Superkit'... [ OK ]
    Rootkit 'TBD (Telnet BackDoor)'... [ OK ]
    Rootkit 'TeLeKiT'... [ OK ]
    Rootkit 'T0rn Rootkit'... [ OK ]
    Rootkit 'Trojanit Kit'... [ OK ]
    Rootkit 'Tuxtendo'... [ OK ]
    Rootkit 'URK'... [ OK ]
    Rootkit 'VcKit'... [ OK ]
    Rootkit 'Volc Rootkit'... [ OK ]
    Rootkit 'X-Org SunOS Rootkit'... [ OK ]
    Rootkit 'zaRwT.KiT Rootkit'... [ OK ]

    * Suspicious files and malware
    Scanning for known rootkit strings [ OK ]
    Scanning for known rootkit files [ OK ]
    Testing running processes... [ Skipped ]
    Miscellaneous Login backdoors [ OK ]
    Miscellaneous directories [ OK ]
    Software related files [ OK ]
    Sniffer logs [ OK ]

    [Press <ENTER> to continue]
     
    #3 flashsonix, Mar 22, 2005
    Last edited: Apr 20, 2007
  4. flashsonix

    flashsonix Member

    Joined:
    Aug 30, 2004
    Messages:
    17
    Likes Received:
    0
    Trophy Points:
    1
    * Trojan specific characteristics
    shv4
    Checking /etc/rc.d/rc.sysinit [ Not found ]
    Checking /etc/inetd.conf [ Clean ]
    Checking /etc/xinetd.conf [ Skipped ]

    * Suspicious file properties
    chmod properties
    Checking /bin/ps [ Clean ]
    Checking /bin/ls [ Clean ]
    Checking /usr/bin/w [ Clean ]
    Checking /usr/bin/who [ Clean ]
    Checking /usr/bin/netstat [ Clean ]
    Script replacements
    Checking /bin/ps [ Clean ]
    Checking /bin/ls [ Clean ]
    Checking /usr/bin/w [ Clean ]
    Checking /usr/bin/who [ Clean ]
    Checking /usr/bin/netstat [ Clean ]

    * OS dependant tests
    FreeBSD
    Checking presence of KLD signatures [ OK ]
    Comparing output sockstat and netstat [ OK ]
    Checking packages database [ Please check ]


    Networking
    * Check: frequently used backdoors
    Port 2001: Scalper Rootkit [ OK ]
    Port 2006: CB Rootkit [ OK ]
    Port 2128: MRK [ OK ]
    Port 14856: Optic Kit (Tux) [ OK ]
    Port 47107: T0rn Rootkit [ OK ]
    Port 60922: zaRwT.KiT [ OK ]

    * Interfaces
    Scanning for promiscuous interfaces [ OK ]

    [Press <ENTER> to continue]



    System checks
    * Allround tests
    Checking hostname... Found. Hostname is [myhostname]
    Checking for passwordless user accounts... Skipped
    Checking for differences in user accounts... OK. No changes.
    Checking for differences in user groups... OK. No changes.
    Checking boot.local/rc.local file...
    - /etc/rc.local [ OK ]
    - /etc/rc.d/rc.local [ Not found ]
    - /usr/local/etc/rc.local [ Not found ]
    - /usr/local/etc/rc.d/rc.local [ Not found ]
    - /etc/conf.d/local.start [ Not found ]
    - /etc/init.d/boot.local [ Not found ]
    Checking rc.d files...
    Processing........................................
    ........................................
    .................................
    Result rc.d files check [ OK ]
    Checking history files
    Bourne Shell [ Not Found ]

    * Filesystem checks
    Checking /dev for suspicious files... [ OK ]
    Scanning for hidden files... [ Warning! ]
    ---------------
    /usr/.snap /etc/.whostmgrft
    ---------------
    Please inspect: /usr/.snap (directory)

    [Press <ENTER> to continue]



    Application advisories
    * Application scan
    Checking Apache2 modules ... [ Not found ]
    Checking Apache configuration ... [ OK ]

    * Application version scan
    - Exim MTA 4.43 [ Vulnerable ]
    - Exim MTA 4.43 [ Vulnerable ]
    - GnuPG 1.2.3 [ Vulnerable ]
    - OpenSSL 0.9.7c [ Vulnerable ]
    - OpenSSL 0.9.7d [ OK ]
    - PHP 4.3.9 [ Vulnerable ]
    - PHP 4.3.9 [ Vulnerable ]
    - OpenSSH 3.6.1p1 [ Vulnerable ]
    - OpenSSH 3.6.1 [ Vulnerable ]



    Security advisories
    * Check: Groups and Accounts
    Searching for /etc/passwd... [ Found ]
    Checking users with UID '0' (root)... [ Warning! (some users in root group) ]
    info: toor:0
    admin:1001

    * Check: SSH
    Searching for sshd_config...
    Found /etc/ssh/sshd_config
    Checking for allowed root login... [ OK (Remote root login disabled) ]
    Checking for allowed protocols... [ Warning (SSH v1 allowed) ]
    Found /usr/local/etc/ssh/sshd_config
    Checking for allowed root login... [ OK (Remote root login disabled) ]
    Checking for allowed protocols... [ Warning (SSH v1 allowed) ]

    * Check: Events and Logging
    Search for syslog configuration... [ OK ]
    Checking for running syslog slave... [ OK ]
    Checking for logging to remote system... [ OK (no remote logging) ]

    [Press <ENTER> to continue]



    ---------------------------- Scan results ----------------------------

    MD5
    MD5 compared: 0
    Incorrect MD5 checksums: 0

    File scan
    Scanned files: 342
    Possible infected files: 0

    Application scan
    Vulnerable applications: 8

    Scanning took 174 seconds




    Looks to me like there is really no infection. Can anyone confirm?

    Thanks guys!
     
    #4 flashsonix, Mar 22, 2005
    Last edited: Apr 20, 2007
  5. GOT

    GOT Get Proactive!

    Joined:
    Apr 8, 2003
    Messages:
    900
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Norfolk, VA
    cPanel Access Level:
    DataCenter Provider
    Couple of things in there.

    I would look into the /usr/.snap directory and see what is there. I do not have that on the machines I run.

    I would disable protocol 1 in sshd.

    These I also found interesting:

    * Application version scan
    - Exim MTA 4.43 [ Vulnerable ]
    - Exim MTA 4.43 [ Vulnerable ]
    - GnuPG 1.2.3 [ Vulnerable ]
    - OpenSSL 0.9.7c [ Vulnerable ]
    - OpenSSL 0.9.7d [ OK ]
    - PHP 4.3.9 [ Vulnerable ]
    - PHP 4.3.9 [ Vulnerable ]
    - OpenSSH 3.6.1p1 [ Vulnerable ]
    - OpenSSH 3.6.1 [ Vulnerable ]

    And are probably worth checking to see if there is an update.

    PHP definitely needs to be updated to 4.3.10.

    You might want to have someone take a close look at things. Your call though. Again, I doubt that you have a trojan, but you are probably not as secure as you should be.
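Two of the rkhunter findings in post #4 that the reply above picks up on, "SSH v1 allowed" and "some users in root group" (toor:0), are simple file checks an admin can repeat after making changes. The script below is an added example for this thread, not rkhunter's code or the poster's: it reads an sshd_config and reports an allowed protocol 1 or permitted root login, shows the weak setting next to the fixed one (`Protocol 2`), and lists UID 0 accounts in a passwd file other than the ones expected on the platform. The config text, the passwd lines and the assumption that `toor` is a normal second UID 0 account on FreeBSD (but not on Linux) are constructed for the example.

```python
"""Audit the two rkhunter findings discussed in the thread: SSH protocol 1
still allowed in sshd_config, and extra UID 0 accounts in /etc/passwd.

Added example for this thread; not rkhunter's code nor the poster's.  The
config and passwd text are constructed samples shaped like the thread's
findings, not copied from a real host."""

# Constructed sshd_config carrying the weak setting rkhunter flagged.
WEAK_SSHD_CONFIG = """\
# sshd_config (constructed sample)
Port 22
Protocol 2,1
PermitRootLogin no
#PermitRootLogin yes
"""

# The same file with the fix recommended in the thread: protocol 1 removed.
FIXED_SSHD_CONFIG = WEAK_SSHD_CONFIG.replace("Protocol 2,1", "Protocol 2")

# Constructed /etc/passwd fragment.  'toor' is FreeBSD's standard second
# UID 0 account (as in the rkhunter output); 'admin' is an ordinary user.
SAMPLE_PASSWD = """\
root:*:0:0:Charlie &:/root:/bin/csh
toor:*:0:0:Bourne-again Superuser:/root:
daemon:*:1:1:Owner of many system processes:/root:/usr/sbin/nologin
admin:*:1001:1001:Admin:/home/admin:/bin/sh
"""


def sshd_directives(text):
    """Return {keyword_lower: value} for active (non-comment) directives.
    sshd honours the first occurrence of a keyword, so the first one wins."""
    directives = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        directives.setdefault(parts[0].lower(), parts[1].strip())
    return directives


def audit_sshd_config(text):
    """Return a list of warning strings; empty when the config passes."""
    findings = []
    d = sshd_directives(text)
    protocols = d.get("protocol")
    if protocols is None:
        # Treated as a finding: older OpenSSH releases (the 3.x in the thread)
        # defaulted to '2,1' when the directive is absent, so say it explicitly.
        findings.append("Protocol not set; set 'Protocol 2' explicitly")
    elif "1" in [p.strip() for p in protocols.split(",")]:
        findings.append(f"SSH v1 allowed (Protocol {protocols}); set 'Protocol 2'")
    # PermitRootLogin defaults to yes when absent.
    if d.get("permitrootlogin", "yes").lower() == "yes":
        findings.append("PermitRootLogin is yes; set to 'no' (or 'without-password')")
    return findings


def uid0_accounts(passwd_text, allowed=("root", "toor")):
    """Return usernames with UID 0 that are not in the allowed set.
    'toor' is allowed by default because FreeBSD ships it; on a Linux host
    pass allowed=('root',) so any second UID 0 account is reported."""
    extras = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) < 3:
            continue  # blank or malformed line
        if fields[2] == "0" and fields[0] not in allowed:
            extras.append(fields[0])
    return extras


if __name__ == "__main__":
    print("weak config  :", audit_sshd_config(WEAK_SSHD_CONFIG))
    print("fixed config :", audit_sshd_config(FIXED_SSHD_CONFIG))
    print("extra UID 0 (FreeBSD):", uid0_accounts(SAMPLE_PASSWD))
    print("extra UID 0 (Linux)  :", uid0_accounts(SAMPLE_PASSWD, allowed=("root",)))
```

Running it against both config samples shows the "SSH v1 allowed" warning disappearing once the `Protocol` line reads `2` only; the same sshd_config check should be run against every copy rkhunter found, since the output in post #4 lists two (/etc/ssh/sshd_config and /usr/local/etc/ssh/sshd_config) and only the one the running daemon loads matters.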
     