Web Hosting Talk







Possible Trojan !! can you help me?


naif
07-15-2002, 12:01 AM
Hi,
I have a dedicated server with Nocster. I have no problem with Nocster, but I want to ask you about one point.
When I manage my server I did
Scan for Trojan Horses
and I found:
-----------------------------------------------
Possible Trojan - /usr/bin/a2p
Possible Trojan - /usr/bin/perl
Possible Trojan - /usr/bin/perl5.6.1
Possible Trojan - /usr/bin/perlbug
Possible Trojan - /usr/lib/libexpat.so.0.1.0
Possible Trojan - /usr/bin/GET
Possible Trojan - /usr/bin/HEAD
Possible Trojan - /usr/bin/POST
Possible Trojan - /usr/bin/lwp-download
Possible Trojan - /usr/bin/lwp-mirror
Possible Trojan - /usr/bin/lwp-request
Possible Trojan - /usr/bin/lwp-rget
Possible Trojan - /usr/bin/curl
Possible Trojan - /usr/lib/libcurl.so.2.0.2
Possible Trojan - /usr/bin/curl-config
Possible Trojan - /usr/local/frontpage/version5.0/apache-fp/_vti_bin/fpexe
----------------------------------------------------------------

How can I remove these Trojans?

I am very worried. I did this scan more than three times and I found the same Trojans, which means there is no auto-remove for Trojans.
Also, I don't know where these files are. How can I open them?

Thank you for your help.

Naif

Techark
07-15-2002, 01:31 AM
Uh, OK, here is a quick suggestion, and I am not slamming you, but do some reading: check the man files on your server to see what each one of those does on your server.

Believe me, you do NOT want to be removing most of those.
The trojan scanner just scans for possible trojans; just because it lists a file does not mean it is a trojan.

I suggest you learn what the files on your system are.

DotComster
07-15-2002, 01:44 AM
Hi naif

I have never used Nocster, but I hear good things about their support, so it might be best if you try them first.

http://www.securityfocus.com
http://www.ibiblio.org

And everyone's favorite:

http://www.chkrootkit.org/

clockwork
07-15-2002, 04:39 AM
Um..

The CPanel "trojan checking" script is comparing (correct me if I'm wrong) md5 checksums from the original install of Red Hat.

If you upgraded any of the software (or if CPanel upgraded, and failed to upgrade the checksum database) then the md5sums will be different, hence the warning.

I wouldn't really pay attention to it to be honest... install something more reliable such as LIDS/Tripwire.
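
Added example, not part of the thread and not cPanel's own script: a minimal baseline checksum scanner showing the mechanism clockwork describes, where a legitimate upgrade trips the warning until the baseline is refreshed. The file names and contents are constructed stand-ins, and SHA-256 is swapped in for the MD5 mentioned in the post.

```python
import hashlib
import os
import tempfile

PREFIX = "Possible Trojan - "  # report format taken from the scan output above


def digest(path):
    """Hash a file's contents (SHA-256 here instead of the post's MD5)."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(paths):
    """Record the known-good hash of every monitored file."""
    return {p: digest(p) for p in paths}


def scan(baseline):
    """Flag every file that is missing or whose hash differs from the baseline."""
    return [PREFIX + p for p, known in sorted(baseline.items())
            if not os.path.exists(p) or digest(p) != known]


def write(path, body):
    with open(path, "wb") as f:
        f.write(body)


def demo():
    with tempfile.TemporaryDirectory() as root:
        # Constructed stand-ins for system binaries at install time.
        files = {n: os.path.join(root, n) for n in ("perl", "curl", "ls")}
        for name, path in files.items():
            write(path, name.encode() + b" original build")
        baseline = build_baseline(files.values())
        clean = scan(baseline)                      # nothing changed yet
        # A package upgrade replaces two binaries; the baseline is left stale.
        for name in ("perl", "curl"):
            write(files[name], name.encode() + b" upgraded build")
        stale = [os.path.basename(l[len(PREFIX):]) for l in scan(baseline)]
        # Refresh only after confirming the change came from a trusted package:
        # the hash mismatch alone cannot tell an upgrade from tampering.
        baseline = build_baseline(files.values())
        return clean, stale, scan(baseline)


if __name__ == "__main__":
    print(demo())
```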