  1. #1

    I just ran my WHM Trojan scan...it does not look good...can you take a look?

    Appears Clean


    /dev/core
    /dev/stderr


    Scanning for Trojan Horses.....

    Possible Trojan - /usr/lib/python1.5/site-packages/cgiwrap.pyc
    Possible Trojan - /usr/lib/python1.5/site-packages/xmlrpclib.pyc
    Possible Trojan - /usr/share/rhn/up2date_client/bootloadercfg.pyc
    Possible Trojan - /usr/share/rhn/up2date_client/checkbootloader.pyc
    Possible Trojan - /usr/share/rhn/up2date_client/config.pyc
    Possible Trojan - /usr/share/rhn/up2date_client/depSolver.pyc
    Possible Trojan - /usr/share/rhn/up2date_client/gpgUtils.pyc
    Possible Trojan - /usr/share/rhn/up2date_client/hardware.pyc
    Possible Trojan - /usr/share/rhn/up2date_client/headers.pyc
    Possible Trojan - /usr/share/rhn/up2date_client/iutil.pyc
    Possible Trojan - /usr/share/rhn/up2date_client/lilo.pyc
    Possible Trojan - /usr/share/rhn/up2date_client/lilocfg.pyc
    Possible Trojan - /usr/share/rhn/up2date_client/packageList.pyc
    Possible Trojan - /usr/share/rhn/up2date_client/rhnChannel.pyc
    Possible Trojan - /usr/share/rhn/up2date_client/rhnDefines.pyc
    Possible Trojan - /usr/share/rhn/up2date_client/rhnErrata.pyc
    Possible Trojan - /usr/share/rhn/up2date_client/rhnHTTPlib.pyc
    Possible Trojan - /usr/share/rhn/up2date_client/rhnHardware.pyc
    Possible Trojan - /usr/share/rhn/up2date_client/rhnPackageInfo.pyc
    Possible Trojan - /usr/share/rhn/up2date_client/rpcServer.pyc
    Possible Trojan - /usr/share/rhn/up2date_client/rpmSource.pyc
    Possible Trojan - /usr/share/rhn/up2date_client/rpmUtils.pyc
    Possible Trojan - /usr/share/rhn/up2date_client/translate.pyc
    Possible Trojan - /usr/share/rhn/up2date_client/up2date.pyc
    Possible Trojan - /usr/share/rhn/up2date_client/up2dateAuth.pyc
    Possible Trojan - /usr/share/rhn/up2date_client/up2dateBatch.pyc
    Possible Trojan - /usr/share/rhn/up2date_client/up2dateErrors.pyc
    Possible Trojan - /usr/share/rhn/up2date_client/up2dateLog.pyc
    Possible Trojan - /usr/share/rhn/up2date_client/up2dateMessages.pyc
    Possible Trojan - /usr/share/rhn/up2date_client/up2dateUtils.pyc
    Possible Trojan - /usr/share/rhn/up2date_client/wrapperUtils.pyc
    Possible Trojan - /usr/bin/pl2pm
    Possible Trojan - /usr/bin/pod2man
    Possible Trojan - /usr/bin/pod2text
    Possible Trojan - /usr/bin/podchecker
    Possible Trojan - /usr/bin/pstruct
    Possible Trojan - /usr/bin/s2p
    Possible Trojan - /usr/bin/splain
    Possible Trojan - /usr/bin/curl
    Possible Trojan - /usr/lib/libcurl.so.2.0.2
    Possible Trojan - /usr/bin/curl-config

    41 POSSIBLE Trojans Detected

  2. #2

  3. #3
    Yeah, you'll always get results like that.

    Just have a server tech run some tests that are in WHM

    That would be a better indication of Trojans...

  4. #4

    Any opinions?

    CHKROOTKIT OUTPUT
    ======================================================
    Checking `bindshell'... INFECTED (PORTS: 465)
    Checking `lkm'... You have 118 process hidden for ps command
    Warning: Possible LKM Trojan installed


    NETSTAT -ta OUTPUT
    ================================================================
    [email protected] [/dev]# netstat -ta
    Active Internet connections (servers and established)
    Proto Recv-Q Send-Q Local Address Foreign Address State
    tcp 0 0 *:imaps *:* LISTEN
    tcp 0 0 *:tcpmux *:* LISTEN
    tcp 0 0 *:2082 *:* LISTEN
    tcp 0 0 *:2083 *:* LISTEN
    tcp 0 0 *:pop3s *:* LISTEN
    tcp 0 0 *:2084 *:* LISTEN
    tcp 0 0 *:2086 *:* LISTEN
    tcp 0 0 *:2087 *:* LISTEN
    tcp 0 0 *:6666 *:* LISTEN
    tcp 0 0 *:mysql *:* LISTEN
    tcp 0 0 *:pop3 *:* LISTEN
    tcp 0 0 *:2095 *:* LISTEN
    tcp 0 0 *:sunrpc *:* LISTEN
    tcp 0 0 localhost:783 *:* LISTEN
    tcp 0 0 *:imap *:* LISTEN
    tcp 0 0 *:http *:* LISTEN
    tcp 0 0 *:2096 *:* LISTEN
    tcp 0 0 *:smtps *:* LISTEN
    tcp 0 0 ns2.cheapassgame:domain *:* LISTEN
    tcp 0 0 server1.cheapass:domain *:* LISTEN
    tcp 0 0 localhost:domain *:* LISTEN
    tcp 0 0 *:ftp *:* LISTEN
    tcp 0 0 *:ssh *:* LISTEN
    tcp 0 0 localhost:rndc *:* LISTEN
    tcp 0 0 *:smtp *:* LISTEN
    tcp 0 0 *:https *:* LISTEN
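One check a practitioner would run on output like the above is to cross-reference chkrootkit's `bindshell` port against what `netstat` says is already listening there, and to list every listener that is not on the host's expected-service allowlist. This is an added example, not code from the thread or from chkrootkit; the netstat sample is constructed from the LISTEN lines above, and the allowlist of expected cPanel/mail/web/DNS ports is an assumption for this host.

```python
import re

# Constructed sample in `netstat -ta` format (netstat prints service names
# from /etc/services); drawn from the LISTEN lines posted in the thread.
NETSTAT_SAMPLE = """\
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 *:imaps *:* LISTEN
tcp 0 0 *:tcpmux *:* LISTEN
tcp 0 0 *:2082 *:* LISTEN
tcp 0 0 *:6666 *:* LISTEN
tcp 0 0 localhost:783 *:* LISTEN
tcp 0 0 *:smtps *:* LISTEN
tcp 0 0 *:ssh *:* LISTEN
tcp 0 0 *:https *:* LISTEN
tcp 0 0 server1:http client:51145 ESTABLISHED
"""

# Service name -> port for the names netstat printed (IANA assignments).
SERVICE_PORTS = {"tcpmux": 1, "ftp": 21, "ssh": 22, "smtp": 25, "domain": 53,
                 "http": 80, "pop3": 110, "sunrpc": 111, "imap": 143,
                 "https": 443, "smtps": 465, "rndc": 953, "imaps": 993,
                 "pop3s": 995, "mysql": 3306}

# Assumed allowlist for a cPanel/WHM mail+web+DNS host: standard daemons plus
# cPanel's own 2082-2096 range seen in the thread. Anything else gets flagged.
EXPECTED = {21, 22, 25, 53, 80, 110, 111, 143, 443, 465, 953, 993, 995, 3306,
            2082, 2083, 2084, 2086, 2087, 2095, 2096}


def listeners(netstat_text):
    """Return {port: name-as-printed} for every LISTEN line."""
    found = {}
    for line in netstat_text.splitlines():
        cols = line.split()
        if len(cols) < 6 or cols[5] != "LISTEN":
            continue
        name = cols[3].rsplit(":", 1)[1]           # text after the last ':'
        port = SERVICE_PORTS.get(name)
        if port is None and name.isdigit():
            port = int(name)
        if port is not None:
            found[port] = name
    return found


def unexpected_listeners(netstat_text):
    """Listening ports that are not on the expected-service allowlist."""
    return sorted(p for p in listeners(netstat_text) if p not in EXPECTED)


def explain_bindshell_ports(chkrootkit_line, netstat_text):
    """Map the ports in chkrootkit's 'INFECTED (PORTS: ...)' line to whatever
    netstat shows listening there, so a known daemon on that port can be told
    apart from a listener nobody can account for."""
    m = re.search(r"PORTS:\s*([\d, ]+)", chkrootkit_line)
    ports = [int(p) for p in m.group(1).split(",")] if m else []
    have = listeners(netstat_text)
    return {p: have.get(p, "no known service on this port") for p in ports}
```

Here port 465 resolves to the `smtps` listener, which is what to verify first before treating the bindshell hit as confirmed; ports 1, 783 and 6666 fall outside the allowlist and need an owner identified (for example with `lsof -i :PORT` or `netstat -tlnp`).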

  5. #5
    I'm also getting these strange spikes

    The ones at 6AM are expected, it's the other ones that are confusing me.
    Attached thumbnail: spikes.png

  6. #6
    This guy is a friend of mine and I am trying to help him out. Any comments would be appreciated. We are a pretty popular site and in the past few days suddenly some Apache email messages have been sent saying that MaxClients has been reached and Apache has increased the number...then Apache dies. Server load spikes as high as 110!!!!

    4:34pm up 17:16, 2 users, load average: 91.83, 54.85, 26.84
    383 processes: 381 sleeping, 2 running, 0 zombie, 0 stopped
    CPU states: 45.7% user, 21.7% system, 0.0% nice, 32.4% idle
    Mem: 1025256K av, 997404K used, 27852K free, 0K shrd, 1800K buff
    Swap: 1048816K av, 130796K used, 918020K free 27100K cached

    PID USER PRI NI SIZE RSS SHARE STAT %CPU %MEM TIME COMMAND
    29278 nobody 9 0 7528 7076 3672 S 12.1 0.6 0:01 httpd
    4 root 9 0 0 0 0 SW 3.9 0.0 0:26 kswapd
    29193 nobody 9 0 6764 6304 3612 S 3.9 0.6 0:01 httpd
    28199 root 14 0 1384 1356 848 R 3.7 0.1 0:08 top
    29026 nobody 9 0 6348 5872 3216 S 3.5 0.5 0:00 httpd
    29875 cheapas 9 0 2516 2516 1216 D 3.5 0.2 0:00 mt-search.cgi
    11412 nobody 9 0 9292 8784 3564 S 3.3 0.8 0:26 httpd
    29015 nobody 9 0 6864 6396 3192 S 3.1 0.6 0:00 httpd
    29475 nobody 9 0 7768 7320 4656 S 3.1 0.7 0:00 httpd
    29251 nobody 9 0 6764 6308 3644 S 2.8 0.6 0:00 httpd
    24439 nobody 9 0 7988 7520 3832 S 2.6 0.7 0:08 httpd
    28961 nobody 9 0 6208 5732 3216 S 2.6 0.5 0:00 httpd
    29804 mysql 9 0 48672 34M 5336 S 2.6 3.4 0:00 mysqld
    28951 nobody 9 0 6516 6040 3192 S 2.4 0.5 0:00 httpd
    29228 nobody 9 0 6612 6152 3652 S 2.4 0.6 0:00 httpd
    29297 nobody 9 0 6928 6468 3612 S 2.4 0.6 0:00 httpd
    28967 nobody 9 0 6360 5880 3192 S 2.2 0.5 0:00 httpd



    I can't seem to figure out what the real problem is. Most things I have tried have not worked out. Any help on how to pinpoint the problems would be greatly appreciated. He is on a rented dedicated server and the host (understandably) considers this our problem.
    Last edited by labrocca; 03-31-2004 at 05:40 PM.
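One way to start pinpointing what drives a load spike like the one above is to find the busiest minute in the Apache access log and see which client IPs and request paths dominate it. This is an added example, not code from the thread; the combined-format log lines are constructed, and the file and timestamps are assumptions.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in Apache combined-log format (not from the thread).
ACCESS_LOG = """\
10.0.0.5 - - [31/Mar/2004:16:33:58 -0500] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/4.0"
10.0.0.9 - - [31/Mar/2004:16:34:01 -0500] "GET /cgi-bin/mt/mt-search.cgi?search=a HTTP/1.1" 200 800 "-" "bot/1.0"
10.0.0.9 - - [31/Mar/2004:16:34:02 -0500] "GET /cgi-bin/mt/mt-search.cgi?search=b HTTP/1.1" 200 800 "-" "bot/1.0"
10.0.0.9 - - [31/Mar/2004:16:34:02 -0500] "GET /cgi-bin/mt/mt-search.cgi?search=c HTTP/1.1" 200 800 "-" "bot/1.0"
10.0.0.7 - - [31/Mar/2004:16:34:03 -0500] "GET /images/logo.gif HTTP/1.1" 200 2048 "-" "Mozilla/4.0"
10.0.0.9 - - [31/Mar/2004:16:34:05 -0500] "GET /cgi-bin/mt/mt-search.cgi?search=d HTTP/1.1" 200 800 "-" "bot/1.0"
10.0.0.5 - - [31/Mar/2004:16:35:10 -0500] "GET /about.html HTTP/1.1" 200 3000 "-" "Mozilla/4.0"
"""

# client, ident, user, [timestamp], "METHOD target PROTO", status
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3})')


def parse(log_text):
    """Yield (minute, client_ip, path) for each parsable log line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                      # skip malformed or truncated lines
        ip, stamp, _method, target, _status = m.groups()
        minute = stamp[:17]               # "31/Mar/2004:16:34" (fixed width)
        path = target.split("?", 1)[0]    # drop the query string
        yield minute, ip, path


def busiest_minute(log_text, top=3):
    """Return (minute, hits, top client IPs, top paths) for the minute with
    the most requests, or None when nothing parsed."""
    per_min = defaultdict(list)
    for minute, ip, path in parse(log_text):
        per_min[minute].append((ip, path))
    if not per_min:
        return None
    minute, hits = max(per_min.items(), key=lambda kv: len(kv[1]))
    ips = Counter(ip for ip, _ in hits).most_common(top)
    paths = Counter(p for _, p in hits).most_common(top)
    return minute, len(hits), ips, paths


if __name__ == "__main__":
    print(busiest_minute(ACCESS_LOG))
```

Run it over the real log with `busiest_minute(open("/path/to/access_log").read())`; a single IP or a single CGI path owning most of the peak minute points at the request pattern to rate-limit or the script to profile, while an evenly spread peak points at genuine traffic growth.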

  7. #7
    I would like to start figuring out what is NOT the problem...such as a hacker, ddos, or malicious script.
