Thread: Are these trojan horses?
-
01-02-2007, 04:04 PM #1 Web Hosting Master
- Join Date
- Dec 2006
- Location
- Cardiff, Wales
- Posts
- 803
Are these trojan horses?
Hey. I ran a trojan horse check and found some files.
Are any of these to be worried about? (I have taken out some of the dots.)
Appears Clean
/dev/core
/dev/stderr
Scanning for Trojan Horses.....
.
Possible Trojan - /etc/cron.daily/logrotate
.
.
Possible Trojan - /usr/bin/cpan
.
Possible Trojan - /usr/bin/instmodsh
.
.
Possible Trojan - /usr/bin/prove
.
.
Possible Trojan - /usr/bin/pstruct
.
.
Possible Trojan - /usr/bin/splain
6 POSSIBLE Trojans Detected
SIP Trunking and VoIP Lines, Numbering (DIDs and DDIs), Low Cost Minute add-ons, Secure SIP and VoIP. Business and Enterprise Grade Quality, Low Cost and Highly Competitive. Available at: https://www.voipyonder.com/
-
01-02-2007, 04:16 PM #2 Web Hosting Evangelist
- Join Date
- Jun 2004
- Posts
- 525
Very doubtful. If you want to know what these programs do, I would recommend googling them.
System Administrator
-
01-02-2007, 04:18 PM #3 Web Hosting Master
- Join Date
- Dec 2006
- Location
- Cardiff, Wales
- Posts
- 803
Ok. Thanks. I had a very nasty experience the other week with our server (it had to be reformatted) because of a trojan.
Thanks,
Nathaniel
-
01-02-2007, 07:38 PM #4 Web Hosting Master
- Join Date
- Dec 2006
- Location
- Cardiff, Wales
- Posts
- 803
Should I be worried or not?
-
01-02-2007, 08:37 PM #5 WHT Addict
- Join Date
- May 2005
- Posts
- 147
Have you got a spare server lying around?
I ask because these are standard tools, and aren't the ones you'd think would be replaced after a compromise, but it's a scary warning and it'd be nice to be sure.
Install your OS on another machine, update it to the same state as the machine in question, and compare the hashes of the programs on each server. If they match, then you're good to go.
-
01-02-2007, 08:39 PM #6 Web Hosting Master
- Join Date
- Dec 2006
- Location
- Cardiff, Wales
- Posts
- 803
I have asked other people on the cPanel forums and they have the same messages. It's to do with different OS.
-
01-02-2007, 08:42 PM #7 WHT Addict
- Join Date
- May 2005
- Posts
- 147
If it's a commonly reported problem, then I'd let it go.
I'd install another program to monitor the binaries as well, and as I'm the paranoid sort I'd go ahead and check the hashes of the binaries anyway -- it might be something to get done in a week or so though.
I'm just like that though.
-
01-03-2007, 10:20 AM #8 Junior Guru Wannabe
- Join Date
- Dec 2006
- Posts
- 68
These are possibly false positives. Can you install chkrootkit and rkhunter on the server?
ftp://ftp.pangeia.com.br/pub/seg/pac/chkrootkit.tar.gz
http://downloads.rootkit.nl/rkhunter-1.2.8.tar.gz
After running them, if nothing suspicious is found, there is nothing to worry about anymore.
Reverse engineering Rocks
-
01-03-2007, 10:21 AM #9 Web Hosting Master
- Join Date
- Dec 2006
- Location
- Cardiff, Wales
- Posts
- 803
What are these tools?
-
01-03-2007, 10:23 AM #10 Web Hosting Master
- Join Date
- Dec 2006
- Location
- Cardiff, Wales
- Posts
- 803
Are these cPanel add-ons?
-
01-03-2007, 10:29 AM #11 Web Hosting Master
- Join Date
- Dec 2006
- Location
- Cardiff, Wales
- Posts
- 803
How do you install them?
Thanks,
Nathaniel
-
01-03-2007, 10:30 AM #12 Newbie
- Join Date
- Jan 2007
- Posts
- 9
chkrootkit and rkhunter are not cPanel add-ons. They are stand-alone rootkit/malware detection apps which would have to be installed via SSH. However, it is good to have at least one of them installed on your server and to have a cron job set up so that your server is scanned daily for any malware.
-
01-03-2007, 10:35 AM #13 Junior Guru Wannabe
- Join Date
- Dec 2006
- Posts
- 68
Installing chkrootkit
1. SSH into your server
2. wget ftp://ftp.pangeia.com.br/pub/seg/pac/chkrootkit.tar.gz
3. tar -zxvf chkrootkit.tar.gz
4. cd chkrootkit-0.47/
5. make sense
6. ./chkrootkit
Installing Rkhunter
1. wget http://downloads.rootkit.nl/rkhunter-1.2.8.tar.gz
2. tar -zxvf rkhunter-1.2.8.tar.gz
3. cd rkhunter
4. ./installer.sh
5. /usr/local/bin/rkhunter -c
Hope this helps!
-
01-03-2007, 10:37 AM #14 Newbie
- Join Date
- Jan 2007
- Posts
- 9
For rkhunter, you might also want to run the following before running a scan so that the definitions are updated:
/usr/local/bin/rkhunter --update
-
01-03-2007, 01:48 PM #15 WHT Addict
- Join Date
- May 2006
- Posts
- 112
I have heard of a tool called tripwire which is free and can keep track of binary file changes. But these binary files that register as possible trojans...what I would do is compare their checksum hashes with known good binaries from the same distro and revision...that will tell you if the binaries have been compromised or not.
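One way to do the checksum comparison that posts #5 and #15 describe, as an added example that is not code from this thread: it assumes a clean reference install of the same distro and revision is reachable as a directory (either / on the spare server, or its filesystem mounted read-only on a trusted machine), and it walks the six paths the scanner flagged. The FLAGGED list and the make_baseline and verify_against function names are assumptions of this example, not part of any tool mentioned above.

```shell
#!/bin/sh
# Compare the flagged binaries against a baseline taken from a clean reference
# install of the same distro and patch level. Run the hashing from trusted
# media where possible: on a compromised host, sha256sum itself may be altered.

# The six paths the trojan scan in post #1 flagged.
FLAGGED="/etc/cron.daily/logrotate /usr/bin/cpan /usr/bin/instmodsh /usr/bin/prove /usr/bin/pstruct /usr/bin/splain"

# make_baseline ROOT OUTFILE: write "hash  path" for each flagged file under ROOT.
# ROOT is / on the reference server, or the mount point of its filesystem.
make_baseline() {
    root=$1; out=$2
    : > "$out"
    for f in $FLAGGED; do
        if [ -f "$root$f" ]; then
            h=$(sha256sum "$root$f" | cut -d' ' -f1)
            printf '%s  %s\n' "$h" "$f" >> "$out"
        else
            printf 'MISSING  %s\n' "$f" >> "$out"
        fi
    done
}

# verify_against ROOT BASELINE: print OK / MISMATCH / MISSING per file.
# Returns 0 only when every baseline entry matches the file under ROOT.
verify_against() {
    root=$1; base=$2; rc=0
    while read -r expected path; do
        if [ ! -f "$root$path" ]; then
            echo "MISSING   $path"; rc=1; continue
        fi
        actual=$(sha256sum "$root$path" | cut -d' ' -f1)
        if [ "$actual" = "$expected" ]; then
            echo "OK        $path"
        else
            echo "MISMATCH  $path  (baseline $expected, got $actual)"; rc=1
        fi
    done < "$base"
    return $rc
}
```

A MISMATCH only means the bytes differ: if the reference box is at a different package version the hash changes too, which is why the posts insist on the same distro and revision before treating a difference as tampering.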