  1. #1
    Join Date
    Jul 2004
    Posts
    873

    Trojan Horses Detected by (WHM) on server.domain.com

    Hi,
    is this a trojan?

    Hidden Pid detected! [pid 19147]
    hidden from ps: [yes]
    binary location: [/usr/sbin/named]

    Hidden Pid detected! [pid 19148]
    hidden from ps: [yes]
    binary location: [/usr/sbin/named]

    Hidden Pid detected! [pid 19149]
    hidden from ps: [yes]
    binary location: [/usr/sbin/named]

    Hidden Pid detected! [pid 19150]
    hidden from ps: [yes]
    binary location: [/usr/sbin/named]

  2. #2
    Join Date
    Jul 2004
    Posts
    873
    Rootkit Hunter
    File scan
    Scanned files: 309
    Possible infected files: 0
    Possible rootkits:

    Scanning took 20 seconds


    chkrootkit:
    Checking `bindshell'... warning, got bogus tcp line.
    INFECTED (PORTS: 465)

  3. #3
    Join Date
    Apr 2003
    Location
    NC
    Posts
    3,093
    The trojan horse detector in WHM should be removed; it always gives false positives. The bindshell is normal for cPanel; if you do a quick search you can find a lot of references about it.
    John W, CISSP, C|EH
    MS Information Security and Assurance
    ITEagleEye.com - Server Administration and Security
    Yawig.com - Managed VPS and Dedicated Servers with VIP Service

  4. #4
    Join Date
    Jul 2004
    Posts
    873
    I received that email again,
    but there is another problem: yesterday, when I was checking one of my old sites, I saw that someone had added an index.html file there and the site was defaced!

    This server is not shared;
    that person just added an index.html file.
    I am using the latest firewall and anti-trojan tools, which check every 24 hours,
    SSH on the normal IP port and root disabled
    & & &

    So how did that person add that file?
    In which log can I find that?

  5. #5
    Join Date
    Dec 2002
    Location
    chica go go
    Posts
    11,876
    I've seen you ask a lot of questions about administrating a server on this forum, as well as wht irc. You should hire a server administrator.

    While you have someone else administrating the server, set up a local machine for learning. Then once you're confident in your abilities, start administrating your own server again.

  6. #6
    Join Date
    Jul 2004
    Posts
    873
    Thanks, mikeylove,
    but I am a wealthy man and I want to test/learn Linux on a real server!

    Do you have a problem with this?!

  7. #7
    Join Date
    Dec 2002
    Location
    chica go go
    Posts
    11,876
    Yes, you are a liability to the internet.

  8. #8
    Join Date
    Apr 2003
    Location
    NC
    Posts
    3,093
    If you are wealthy, your time is worth more than hiring somebody. As far as how they got in, you could check the Apache logs and messages logs, but it will probably take a while to find. Just because everything is updated does not mean that your system cannot be hacked; in fact, it is far from it. There is a lot of information if you search around for how to tweak the system to help prevent these types of things.
    John W, CISSP, C|EH
    MS Information Security and Assurance
    ITEagleEye.com - Server Administration and Security
    Yawig.com - Managed VPS and Dedicated Servers with VIP Service
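
Added example, not part of any post in this thread: one way to narrow the Apache log search suggested in #8 is to take the modification time of the planted index.html and list the successful POST/PUT requests logged shortly before it. It assumes the Apache "combined" log format; the function names, log lines, paths and timestamp are constructed for illustration.

```python
import re
from datetime import datetime, timedelta

# Apache "combined" format: host ident user [time] "request" status bytes "referer" "agent"
LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+'
)
WRITE_METHODS = {"POST", "PUT"}  # methods that can carry an upload or form payload
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"

def parse_line(line):
    """Return a dict for one access-log line, or None if it does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FORMAT)
    rec["status"] = int(rec["status"])
    return rec

def requests_before_change(lines, file_mtime, window=timedelta(minutes=10)):
    """Write-type requests that succeeded within `window` before the file changed."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # malformed line: skip it rather than abort the search
        in_window = file_mtime - window <= rec["ts"] <= file_mtime
        if in_window and rec["method"] in WRITE_METHODS and rec["status"] < 400:
            hits.append(rec)
    return hits

# Constructed sample data (documentation-range addresses, made-up paths).
SAMPLE_LOG = [
    '192.0.2.10 - - [12/Mar/2006:03:10:02 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/4.0"',
    '198.51.100.7 - - [12/Mar/2006:03:14:40 +0000] "POST /gallery/upload.php HTTP/1.1" 200 87 "-" "-"',
    '198.51.100.7 - - [12/Mar/2006:03:14:55 +0000] "GET /index.html HTTP/1.1" 200 140 "-" "-"',
    '203.0.113.5 - - [12/Mar/2006:01:00:00 +0000] "POST /contact.php HTTP/1.1" 200 300 "-" "-"',
    'garbage line that is not a request',
]
# On a real host: datetime.fromtimestamp(os.stat(path).st_mtime, tz=timezone.utc)
SAMPLE_MTIME = datetime.strptime("12/Mar/2006:03:14:41 +0000", TS_FORMAT)

if __name__ == "__main__":
    for r in requests_before_change(SAMPLE_LOG, SAMPLE_MTIME):
        print(r["ts"].isoformat(), r["ip"], r["method"], r["path"], r["status"])
```

A file's modification time can be reset by whoever wrote it, and a file placed over FTP or a control panel will not appear in the web access log, so an empty result here does not clear the web server.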
