-
Are these trojan horses?
Hey. I ran a trojan horse check and found some files.
Are any of these to be worried about? (I have taken out some of the dots)
Appears Clean
/dev/core
/dev/stderr
Scanning for Trojan Horses.....
.
Possible Trojan - /etc/cron.daily/logrotate
.
.
Possible Trojan - /usr/bin/cpan
.
Possible Trojan - /usr/bin/instmodsh
.
.
Possible Trojan - /usr/bin/prove
.
.
Possible Trojan - /usr/bin/pstruct
.
.
Possible Trojan - /usr/bin/splain
6 POSSIBLE Trojans Detected
-
Very doubtful. If you want to know what these programs do, I would recommend googling them.
-
OK. Thanks. I had a very nasty experience the other week with our server (it had to be reformatted) because of a trojan.
Thanks,
Nathaniel
-
Should I be worried or not?
-
Have you got a spare server lying around?
I ask because these are standard tools, and aren't the ones you'd think would be replaced after a compromise, but it's a scary warning and it'd be nice to be sure. ;)
Install your OS on another machine, update it to the same state as the machine in question, and compare the hashes of the programs on each server. If they match, then you're good to go.
-
I have asked other people on the cPanel forums and they have the same messages. It's to do with different OSes.
-
If it's a commonly reported problem, then I'd let it go.
I'd install another program to monitor the binaries as well, and as I'm the paranoid sort I'd go ahead and check the hashes of the binaries anyway -- it might be something to get done in a week or so though.
I'm just like that though. :)
-
These are possibly false positives. Can you install chkrootkit and rkhunter on the server?
ftp://ftp.pangeia.com.br/pub/seg/pac/chkrootkit.tar.gz
http://downloads.rootkit.nl/rkhunter-1.2.8.tar.gz
After running them, if nothing suspicious is found, there is no need to worry anymore.
-
How do you install them?
Thanks,
Nathaniel
-
chkrootkit and rkhunter are not cPanel add-ons. They are stand-alone rootkit/malware detection apps which would have to be installed via SSH. However, it is good to have at least one of them installed on your server and to have a cron job set up so that your server is scanned daily for any malware.
-
Installing chkrootkit
1. SSH into your server
2. wget ftp://ftp.pangeia.com.br/pub/seg/pac/chkrootkit.tar.gz
3. tar -zxvf chkrootkit.tar.gz
4. cd chkrootkit-0.47/
5. make sense
6. ./chkrootkit
Installing Rkhunter
1. wget http://downloads.rootkit.nl/rkhunter-1.2.8.tar.gz
2. tar -zxvf rkhunter-1.2.8.tar.gz
3. cd rkhunter
4. ./installer.sh
5. /usr/local/bin/rkhunter -c
Hope this helps!
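The post above mentions setting up a cron job so the server is scanned daily. As an added example (not code from the thread or from the chkrootkit/rkhunter projects), here is a wrapper script that could be dropped into /etc/cron.daily: it runs the two scanners using the paths from the install steps above, keeps a dated log, and reports how many lines need a human to look at them. The log directory, the unpack directory for chkrootkit, the rkhunter --cronjob flag (used so the scan does not pause for a keypress; it is not mentioned in the thread), and the match strings INFECTED, Warning and Possible Trojan are assumptions for this example; the log lines used to exercise count_findings are constructed.

```shell
#!/bin/sh
# Added example, not part of the original thread.
# Daily rootkit-scan wrapper: runs rkhunter and chkrootkit, logs to a dated
# file, and counts the lines worth a human's attention.

LOG_DIR=${LOG_DIR:-/var/log/rootkit-scans}                  # assumed location
CHKROOTKIT_DIR=${CHKROOTKIT_DIR:-/root/chkrootkit-0.47}      # assumed unpack dir
RKHUNTER=${RKHUNTER:-/usr/local/bin/rkhunter}               # path from the install steps

# Run both scanners, appending everything (stdout and stderr) to one log for
# the day. Prints the log path so a caller can hand it to count_findings.
run_daily_scan() {
    log="$LOG_DIR/scan-$(date +%Y-%m-%d).log"
    mkdir -p "$LOG_DIR"
    {
        echo "=== rkhunter $(date) ==="
        "$RKHUNTER" --update                # refresh definitions first
        "$RKHUNTER" -c --cronjob            # --cronjob is assumed: non-interactive run
        echo "=== chkrootkit $(date) ==="
        (cd "$CHKROOTKIT_DIR" && ./chkrootkit)
    } >> "$log" 2>&1
    echo "$log"
}

# Count the lines in a scan log that flag something. The match is
# case-sensitive on purpose: chkrootkit prints "not infected" for clean
# binaries and "INFECTED" for hits, so a case-insensitive grep would flag
# every clean line. Prints the count and returns non-zero when anything was
# found, so cron's exit-status handling notices.
count_findings() {
    # $1 = log file
    n=$(grep -c -E 'INFECTED|Warning|Possible Trojan' "$1" || true)
    echo "$n"
    [ "$n" -eq 0 ]
}

# Usage: sh daily-scan.sh run   (guarded so sourcing the file runs nothing)
case "${1:-}" in
    run)
        logfile=$(run_daily_scan)
        count_findings "$logfile"
        ;;
esac
```

If the script exits non-zero, cron mails the output to root (with the default MAILTO), which is usually the alert a small server needs; the dated log keeps the full scanner output for follow-up.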
-
For rkhunter, you might also want to run the following before running a scan so that the definitions are updated:
/usr/local/bin/rkhunter --update
-
I have heard of a tool called tripwire which is free and can keep track of binary file changes. But these binary files that register as possible trojans...what I would do is compare their checksum hashes with known good binaries from the same distro and revision...that will tell you if the binaries have been compromised or not.
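Two replies in this thread (the "install the OS on another machine and compare the hashes" suggestion and the checksum comparison just above) describe the same check. As an added example (not code from the thread or from any of the tools named in it), here is a small POSIX shell script that builds a manifest of SHA-256 hashes for the six paths the scanner reported and then diffs a manifest from the suspect server against one taken on a clean reference install of the same distro and revision. The manifest file names and the hashes used to exercise compare_manifests are constructed; the paths are the ones from the scan output.

```shell
#!/bin/sh
# Added example, not part of the original thread.
# Build and compare SHA-256 manifests for the binaries the scanner flagged.

# The files the scanner reported (taken from the thread).
FLAGGED_FILES="/etc/cron.daily/logrotate
/usr/bin/cpan
/usr/bin/instmodsh
/usr/bin/prove
/usr/bin/pstruct
/usr/bin/splain"

# Write a manifest ("<sha256>  <path>" per line) for FLAGGED_FILES.
# Run this on the clean reference machine and again on the suspect server.
# A file that does not exist is recorded as MISSING so both manifests list
# the same paths and stay comparable.
make_manifest() {
    # $1 = output manifest path
    : > "$1"
    for f in $FLAGGED_FILES; do
        if [ -f "$f" ]; then
            sha256sum "$f" >> "$1"
        else
            printf 'MISSING  %s\n' "$f" >> "$1"
        fi
    done
}

# Compare a reference manifest with one taken on the suspect server.
# Prints one line per path whose hash differs or that the suspect manifest
# does not list, and returns the number of such paths (0 means all match).
compare_manifests() {
    # $1 = reference manifest, $2 = suspect manifest
    mismatches=0
    while read -r ref_hash ref_path; do
        sus_hash=$(awk -v p="$ref_path" '$2 == p { print $1 }' "$2")
        if [ -z "$sus_hash" ]; then
            echo "NOT SCANNED: $ref_path"
            mismatches=$((mismatches + 1))
        elif [ "$sus_hash" != "$ref_hash" ]; then
            echo "MISMATCH:    $ref_path"
            mismatches=$((mismatches + 1))
        fi
    done < "$1"
    return $mismatches
}

# Usage (guarded so sourcing the file runs nothing):
#   sh verify-binaries.sh build   reference.manifest      (on the clean box)
#   sh verify-binaries.sh build   suspect.manifest        (on the server)
#   sh verify-binaries.sh compare reference.manifest suspect.manifest
case "${1:-}" in
    build)   make_manifest "${2:?manifest path}" ;;
    compare) compare_manifests "${2:?reference manifest}" "${3:?suspect manifest}" ;;
esac
```

The comparison only means something if the reference machine really is at the same package versions as the suspect one, since a routine Perl or logrotate update changes these hashes legitimately; a mismatch is a prompt to check the package database and update history before assuming compromise.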