  1. #1

    Trojan Horses Detected by (WHM)

    Hidden Pid detected! [pid 197]
    hidden from ps: [yes]
    hidden from kernel: [yes]
    binary location: [/sbin/adjkerntz]



    What is it? How did I get it? How can I get rid of it?

  2. #2
    Have you run chkrootkit?

  4. #4
    Try to run chkrootkit and rkhunter. In most cases these alerts will be false positives.

  5. #5
    Checking `lkm'... You have 4 process hidden for readdir command
    You have 4 process hidden for ps command
    Warning: Possible LKM Trojan installed
    Checking `rexedcs'... not found
    Checking `sniffer'... fxp0 is not promisc
    Checking `w55808'... not infected
    Checking `wted'... nothing deleted
    Checking `scalper'... not infected
    Checking `slapper'... not infected
    Checking `z2'... nothing deleted


    This is what chkrootkit says.

  6. #6
    Now please enter the directory of chkrootkit and execute these commands:

    ./chkrootkit -x lkm
    ./chkproc -v -v
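    The chkproc check named above works by enumerating processes in more than one way and comparing the results: a process the kernel acknowledges (it answers a signal-0 probe) but that is missing from the ps listing or from the /proc directory is reported as hidden. The script below is an added example that reproduces that comparison; it is not code from chkrootkit or from this thread. Function names, the "readdir" wording for the /proc listing, and the PID sets used in the demonstration are constructed for illustration, and it also adds one thing the thread's output lacks: it takes several snapshots and only flags a PID that is hidden in every one, because a process that starts or exits between two enumerations shows up in exactly one of them and produces a one-off alert.

```python
"""Cross-check process enumeration methods in the style of chkrootkit's chkproc.

Added example (not chkrootkit's own code). Hypothetical helper names; the sample
PID sets at the bottom are constructed, not captured from a real host.
"""
import os
import subprocess
from typing import Dict, List, Set

Report = Dict[int, Dict[str, bool]]


def probe_pids_via_kill(max_pid: int = 99999) -> Set[int]:
    """Enumerate PIDs by sending signal 0 to every candidate.

    kill(pid, 0) delivers nothing; it only asks the kernel whether the PID
    exists. EPERM still means 'exists, owned by someone else'. A rootkit that
    merely filters ps/readdir output usually leaves this path untouched.
    """
    found: Set[int] = set()
    for pid in range(1, max_pid + 1):
        try:
            os.kill(pid, 0)
            found.add(pid)
        except PermissionError:
            found.add(pid)
        except ProcessLookupError:
            pass
    return found


def pids_via_procfs(proc: str = "/proc") -> Set[int]:
    """What readdir() on /proc reports. FreeBSD often has no procfs mounted,
    in which case this returns an empty set and the readdir comparison is moot."""
    try:
        return {int(n) for n in os.listdir(proc) if n.isdigit()}
    except FileNotFoundError:
        return set()


def pids_via_ps() -> Set[int]:
    """What the ps binary reports (ps -ax -o pid= works on both BSD and Linux)."""
    out = subprocess.run(["ps", "-ax", "-o", "pid="],
                         capture_output=True, text=True, check=False).stdout
    return {int(tok) for tok in out.split() if tok.isdigit()}


def hidden_pids(kernel: Set[int], readdir: Set[int], ps: Set[int]) -> Report:
    """Pure comparison: PIDs the kernel acknowledges but a listing omits."""
    report: Report = {}
    for pid in sorted(kernel):
        from_ps = pid not in ps
        from_readdir = pid not in readdir
        if from_ps or from_readdir:
            report[pid] = {"hidden_from_ps": from_ps,
                           "hidden_from_readdir": from_readdir}
    return report


def persistent_hidden(samples: List[Report]) -> Set[int]:
    """PIDs flagged in every snapshot. A PID flagged in only one snapshot is
    most likely a race: it started or exited between two enumerations."""
    if not samples:
        return set()
    common = set(samples[0])
    for sample in samples[1:]:
        common &= set(sample)
    return common


def format_report(report: Report) -> List[str]:
    """Render in the same shape as the alert quoted in this thread."""
    lines: List[str] = []
    for pid, flags in report.items():
        lines.append(f"Hidden Pid detected! [pid {pid}]")
        lines.append(f"hidden from ps: [{'yes' if flags['hidden_from_ps'] else 'no'}]")
        lines.append(f"hidden from readdir: [{'yes' if flags['hidden_from_readdir'] else 'no'}]")
    return lines


def collect_snapshot() -> Report:
    """Live snapshot: run all three enumerations and compare them."""
    return hidden_pids(probe_pids_via_kill(), pids_via_procfs(), pids_via_ps())


if __name__ == "__main__":
    # Constructed demonstration data: PID 197 is missing from both listings in
    # both snapshots; PID 261 is missing from readdir only in the first one.
    first = hidden_pids({1, 197, 261, 500}, {1, 500}, {1, 261, 500})
    second = hidden_pids({1, 197, 500, 777}, {1, 500, 777}, {1, 500, 777})
    print("\n".join(format_report(first)))
    print("persistent:", sorted(persistent_hidden([first, second])))
```

    Run `collect_snapshot()` a few times some seconds apart and feed the results to `persistent_hidden()`; a PID that is hidden in every snapshot deserves the binary-checksum and reinstall discussion later in this thread, while a PID that appears once and vanishes is the race described above. Two limits to keep in mind: a kernel module that also hooks the kill path defeats the probe, and on a box where /proc is not mounted only the ps comparison carries information, so treat the output as a triage aid rather than proof either way.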

  7. #7
    Most likely you've got a trojan on your server, if chkrootkit reports back that info. You'll need to go through and check your binaries against known checksums to make sure they're what they should be. If they don't match, then it's time to have everything backed up and reinstalled, because if you've got a trojan, then most likely someone's got root access, which means that you can't rely on your server at all.
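    Checking binaries against known checksums, as recommended above, needs two things: a baseline recorded from a known-clean copy of the same binaries (install media or a freshly installed box of the same release) and a comparison that says which files changed, which vanished and which are new. The script below is an added example of that baseline-and-compare step; it is not from chkrootkit, WHM or this thread. The function names and the list of paths are assumptions chosen to mirror the binaries chkrootkit checked earlier in the thread; adjust the list to the OS in question.

```python
"""Record and verify SHA-256 checksums of system binaries.

Added example, not code from any project mentioned in this thread.
Hypothetical helper names; BASELINE_PATHS is an assumption for illustration.
"""
import hashlib
import os
from typing import Dict, Iterable

# Assumed list, mirroring binaries chkrootkit inspects; paths differ per OS.
BASELINE_PATHS = ["/bin/sh", "/bin/ls", "/bin/ps", "/usr/bin/netstat",
                  "/usr/bin/login", "/usr/sbin/sshd", "/usr/sbin/syslogd"]


def digest_bytes(data: bytes) -> str:
    """SHA-256 hex digest of an in-memory buffer (kept separate so it can be tested)."""
    return hashlib.sha256(data).hexdigest()


def sha256_of(path: str) -> str:
    """Stream a file through SHA-256 so large binaries do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(paths: Iterable[str]) -> Dict[str, str]:
    """path -> digest for every path that currently exists as a regular file.

    Run this on a known-clean system and keep the result off the host, on
    read-only media or a separate machine, so a later compromise cannot edit it.
    """
    return {p: sha256_of(p) for p in paths if os.path.isfile(p)}


def compare_manifests(baseline: Dict[str, str], current: Dict[str, str]) -> Dict[str, str]:
    """Classify each path as 'ok', 'modified', 'missing' (in baseline, gone now)
    or 'new' (present now, absent from baseline)."""
    result: Dict[str, str] = {}
    for path, digest in baseline.items():
        if path not in current:
            result[path] = "missing"
        elif current[path] != digest:
            result[path] = "modified"
        else:
            result[path] = "ok"
    for path in current:
        if path not in baseline:
            result[path] = "new"
    return result


def verify(baseline: Dict[str, str]) -> Dict[str, str]:
    """Re-hash every path in the baseline on the live system and compare."""
    return compare_manifests(baseline, build_manifest(baseline.keys()))


if __name__ == "__main__":
    # On the clean box:   manifest = build_manifest(BASELINE_PATHS); save it.
    # On the suspect box: load the saved manifest, then:
    for path, status in verify(build_manifest(BASELINE_PATHS)).items():
        print(f"{status:9s} {path}")
```

    One caveat that matters for exactly the situation in this thread: if a kernel-level rootkit is present, the running kernel can serve clean file contents to `read()` while executing something else, so hashes computed from inside the compromised system are only meaningful for userland-only tampering. For a trustworthy comparison, boot from separate trusted media, mount the suspect filesystem, and hash the files from there.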

  8. #8
    Odd. It does not seem to be there now. I just got in from work and here is what I have:


    Checking `amd'... not infected
    Checking `basename'... not infected
    Checking `biff'... not infected
    Checking `chfn'... not infected
    Checking `chsh'... not infected
    Checking `cron'... not infected
    Checking `date'... not infected
    Checking `du'... not infected
    Checking `dirname'... not infected
    Checking `echo'... not infected
    Checking `egrep'... not infected
    Checking `env'... not infected
    Checking `find'... not infected
    Checking `fingerd'... not infected
    Checking `gpm'... not found
    Checking `grep'... not infected
    Checking `hdparm'... not found
    Checking `su'... not infected
    Checking `ifconfig'... not infected
    Checking `inetd'... not infected
    Checking `inetdconf'... not infected
    Checking `identd'... not found
    Checking `init'... not infected
    Checking `killall'... not infected
    Checking `ldsopreload'... not tested
    Checking `login'... not infected
    Checking `ls'... not infected
    Checking `lsof'... not found
    Checking `mail'... not infected
    Checking `mingetty'... not found
    Checking `netstat'... not infected
    Checking `named'... not infected
    Checking `passwd'... not infected
    Checking `pidof'... not found
    Checking `pop2'... not found
    Checking `pop3'... not found
    Checking `ps'... not infected
    Checking `pstree'... not found
    Checking `rpcinfo'... not infected
    Checking `rlogind'... not infected
    Checking `rshd'... not infected
    Checking `slogin'... not infected
    Checking `sendmail'... not infected
    Checking `sshd'... not infected
    Checking `syslogd'... not infected
    Checking `tar'... not infected
    Checking `tcpd'... not infected
    Checking `tcpdump'... not infected
    Checking `top'... not infected
    Checking `telnetd'... not infected
    Checking `timed'... not infected
    Checking `traceroute'... not infected
    Checking `vdir'... not found
    Checking `w'... not infected
    Checking `write'... not infected
    Checking `aliens'... no suspect files
    Searching for sniffer's logs, it may take a while... nothing found
    Searching for HiDrootkit's default dir... nothing found
    Searching for t0rn's default files and dirs... nothing found
    Searching for t0rn's v8 defaults... nothing found
    Searching for Lion Worm default files and dirs... nothing found
    Searching for RSHA's default files and dir... nothing found
    Searching for RH-Sharpe's default files... nothing found
    Searching for Ambient's rootkit (ark) default files and dirs... nothing found
    Searching for suspicious files and dirs, it may take a while...
    /usr/lib/php/.registry /usr/lib/php/.lock /usr/lib/php/.filemap
    /usr/lib/php/.registry
    Searching for LPD Worm files and dirs... nothing found
    Searching for Ramen Worm files and dirs... nothing found
    Searching for Maniac files and dirs... nothing found
    Searching for RK17 files and dirs... nothing found
    Searching for Ducoci rootkit... nothing found
    Searching for Adore Worm... nothing found
    Searching for ShitC Worm... nothing found
    Searching for Omega Worm... nothing found
    Searching for Sadmind/IIS Worm... nothing found
    Searching for MonKit... nothing found
    Searching for Showtee... nothing found
    Searching for OpticKit... nothing found
    Searching for T.R.K... nothing found
    Searching for Mithra... nothing found
    Searching for OBSD rk v1... nothing found
    Searching for LOC rootkit... nothing found
    Searching for Romanian rootkit... nothing found
    Searching for Suckit rootkit... nothing found
    Searching for Volc rootkit... nothing found
    Searching for Gold2 rootkit... nothing found
    Searching for TC2 Worm default files and dirs... nothing found
    Searching for Anonoying rootkit default files and dirs... nothing found
    Searching for ZK rootkit default files and dirs... nothing found
    Searching for ShKit rootkit default files and dirs... nothing found
    Searching for AjaKit rootkit default files and dirs... nothing found
    Searching for zaRwT rootkit default files and dirs... nothing found
    Searching for Madalin rootkit default files... nothing found
    Searching for anomalies in shell history files... nothing found
    Checking `asp'... not infected
    Checking `bindshell'... not infected
    Checking `lkm'... nothing detected
    Checking `rexedcs'... not found
    Checking `sniffer'... fxp0 is not promisc
    Checking `w55808'... not infected
    Checking `wted'... nothing deleted
    Checking `scalper'... not infected
    Checking `slapper'... not infected
    Checking `z2'... nothing deleted


    What's the deal?

  9. #9
    Now it's back again. I don't get it.

  10. #10
    Hidden Pid detected! [pid 197]
    hidden from ps: [yes]
    hidden from kernel: [yes]
    binary location: [/sbin/adjkerntz]

    Hidden Pid detected! [pid 261]
    hidden from ps: [yes]
    hidden from kernel: [yes]
    binary location: [/sbin/devd]

    Hidden Pid detected! [pid 281]
    hidden from ps: [yes]
    hidden from kernel: [yes]
    binary location: [/usr/sbin/syslogd]

    Hidden Pid detected! [pid 428]
    hidden from ps: [yes]
    hidden from kernel: [yes]
    binary location: [/usr/sbin/cron]

    Hidden Pid detected! [pid 641]
    hidden from ps: [yes]
    hidden from kernel: [yes]
    binary location: [/usr/local/libexec/proftpd]

    Hidden Pid detected! [pid 761]
    hidden from ps: [yes]
    hidden from kernel: [yes]
    binary location: [/bin/sh]


    Ggrrrrrrrrrrrr... How do I get rid of this? I don't have the cash to dish out.

  11. #11
    You've been hacked if it keeps showing up and disappearing like that, no question. At this point, you need to make a backup of all the sites on the server, and ask for a reformat, or pay someone to look over your server.