  1. #1

    Are these trojan horses?

    Hey. I ran a trojan horse check and found some files.

    Are any of these to be worried about? (I have taken out some of the dots)

    Appears Clean

    /dev/core
    /dev/stderr

    Scanning for Trojan Horses.....

    Possible Trojan - /etc/cron.daily/logrotate
    Possible Trojan - /usr/bin/cpan
    Possible Trojan - /usr/bin/instmodsh
    Possible Trojan - /usr/bin/prove
    Possible Trojan - /usr/bin/pstruct
    Possible Trojan - /usr/bin/splain

    6 POSSIBLE Trojans Detected
    SIP Trunking and VoIP Lines, Numbering (DIDs and DDIs), Low Cost Minute add-ons, Secure SIP and VoIP. Business and Enterprise Grade Quality, Low Cost and Highly Competitive. Available at: https://www.voipyonder.com/

  2. #2
    Very doubtful. If you want to know what these programs do, I would recommend googling them.
    System Administrator

  3. #3
    OK. Thanks. I had a very nasty experience the other week with our server (it had to be reformatted) because of a trojan.

    Thanks,
    Nathaniel

  4. #4
    Should I be worried or not?

  5. #5
    Have you got a spare server lying around?

    I ask because these are standard tools, and aren't the ones you'd think would be replaced after a compromise, but it's a scary warning and it'd be nice to be sure.

    Install your OS on another machine, update it to the same state as the machine in question, and compare the hashes of the programs on each server. If they match, then you're good to go.

  6. #6
    I have asked other people on the cPanel forums and they have the same messages. It's to do with a different OS.

  7. #7
    If it's a commonly reported problem, then I'd let it go.

    I'd install another program to monitor the binaries as well, and as I'm the paranoid sort I'd go ahead and check the hashes of the binaries anyway -- it might be something to get done in a week or so though.

    I'm just like that though.

  8. #8
    These are possibly false positives. Can you install chkrootkit and rkhunter on the server?

    ftp://ftp.pangeia.com.br/pub/seg/pac/chkrootkit.tar.gz

    http://downloads.rootkit.nl/rkhunter-1.2.8.tar.gz

    After running them, if nothing suspicious is found, there's no need to worry anymore.
    Reverse engineering Rocks

  9. #9
    What are these tools?

  10. #10
    Are these cPanel add-ons?

  11. #11
    How do you install them?

    Thanks,
    Nathaniel

  12. #12
    chkrootkit and rkhunter are not cPanel add-ons. They are stand-alone rootkit/malware detection apps which would have to be installed via SSH. However, it is good to have at least one of them installed on your server and to have a cron job set up so that your server is scanned daily for any malware.

  13. #13
    Installing chkrootkit

    1. SSH into your server
    2. wget ftp://ftp.pangeia.com.br/pub/seg/pac/chkrootkit.tar.gz
    3. tar -zxvf chkrootkit.tar.gz
    4. cd chkrootkit-0.47/
    5. make sense
    6. ./chkrootkit

    Installing Rkhunter

    1. wget http://downloads.rootkit.nl/rkhunter-1.2.8.tar.gz
    2. tar -zxvf rkhunter-1.2.8.tar.gz
    3. cd rkhunter
    4. ./installer.sh
    5. /usr/local/bin/rkhunter -c

    Hope this helps!

  14. #14
    For rkhunter, you might also want to run the following before running a scan so that the definitions are updated:
    /usr/local/bin/rkhunter --update

  15. #15
    I have heard of a tool called Tripwire which is free and can keep track of binary file changes. But these binary files that register as possible trojans...what I would do is compare their checksum hashes with known good binaries from the same distro and revision...that will tell you if the binaries have been compromised or not.
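Posts #5 and #15 both suggest the same check: hash the flagged files on a clean install of the same distro and revision, then compare the suspect server against that list. The following POSIX sh script is an added example for this thread, not code from chkrootkit, rkhunter or any poster; it assumes sha256sum is available, uses the six paths flagged in the original post, and includes a constructed sandbox (two throw-away directory trees with stand-in scripts) so it can be tried offline before being pointed at real servers.

```shell
#!/bin/sh
# Added example for this thread, not chkrootkit's or rkhunter's own code:
# hash the files the scanner flagged on a clean reference install, then check
# the suspect server against that list. The manifest uses sha256sum's
# "<hash>  <path>" format; <root> is prefixed to every path so the same
# functions can be exercised on a sandbox directory instead of the live /.

# The paths flagged in the original post.
FLAGGED="/etc/cron.daily/logrotate /usr/bin/cpan /usr/bin/instmodsh \
         /usr/bin/prove /usr/bin/pstruct /usr/bin/splain"
# Reference machine: make_manifest <root> <manifest>
make_manifest() {
    root=$1; out=$2
    : > "$out"
    for f in $FLAGGED; do
        [ -f "$root$f" ] || continue   # not every distro ships every file
        sha256sum "$root$f" | sed "s#  $root#  #" >> "$out"
    done
}

# Suspect machine: verify_manifest <root> <manifest>
# Prints one line per missing or changed file; returns 1 if any differ.
verify_manifest() {
    root=$1; manifest=$2; bad=0
    while read -r hash path; do
        if [ ! -f "$root$path" ]; then
            echo "MISSING  $path"; bad=$((bad + 1)); continue
        fi
        actual=$(sha256sum "$root$path" | cut -d' ' -f1)
        if [ "$actual" != "$hash" ]; then
            echo "CHANGED  $path"; bad=$((bad + 1))
        fi
    done < "$manifest"
    [ "$bad" -eq 0 ]
}

# Offline sandbox for trying this out: a "reference" and a "suspect" tree of
# constructed stand-in scripts, with one file tampered on the suspect side.
build_sandbox() {
    base=$(mktemp -d)
    for side in reference suspect; do
        mkdir -p "$base/$side/etc/cron.daily" "$base/$side/usr/bin"
        for f in $FLAGGED; do
            printf '#!/bin/sh\necho stand-in for %s\n' "$f" > "$base/$side$f"
        done
    done
    printf '#!/bin/sh\necho tampered\n' > "$base/suspect/usr/bin/cpan"
    echo "$base"   # caller hashes $base/reference, verifies $base/suspect
}
```

On real servers, run make_manifest "" good.sha256 on the clean box, copy the file over, and run verify_manifest "" good.sha256 on the suspect one; plain sha256sum -c good.sha256 performs the same comparison without this script.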
