  1. #1
    Join Date
    Jun 2002
    Posts
    80

    Scan for Trojan Horses

    Hi all,

    I ran Scan for Trojan Horses from WHM and got these results:

    Possible Trojan - /usr/bin/gd2copypal
    .
    Possible Trojan - /usr/bin/gd2topng
    .
    Possible Trojan - /usr/bin/gdparttopng
    .
    Possible Trojan - /usr/bin/gdtopng
    .
    Possible Trojan - /usr/bin/pngtogd
    .
    Possible Trojan - /usr/bin/pngtogd2
    .
    Possible Trojan - /usr/bin/webpng

    Possible Trojan - /usr/bin/a2p

    Possible Trojan - /usr/bin/perl
    .
    Possible Trojan - /usr/bin/perl5.6.1
    .
    Possible Trojan - /usr/bin/perlbug
    .
    Possible Trojan - /usr/lib/libexpat.so.0.1.0
    .
    Possible Trojan - /usr/bin/GET
    .
    Possible Trojan - /usr/bin/HEAD
    .
    Possible Trojan - /usr/bin/POST
    .
    Possible Trojan - /usr/bin/lwp-download
    .
    Possible Trojan - /usr/bin/lwp-mirror
    .
    Possible Trojan - /usr/bin/lwp-request
    .
    Possible Trojan - /usr/bin/lwp-rget
    .
    Possible Trojan - /usr/sbin/imapd

    Possible Trojan - /usr/local/frontpage/version5.0/apache-fp/_vti_bin/fpexe

    Is this bad? What should I do to fix it?

    Thanks.

  2. #2
    Join Date
    Aug 2002
    Location
    Chicago, IL, United States
    Posts
    64
    Looks like your scanner is wrong, or that you have been hacked and the attacker ran a rootkit of sorts.
    What program did you use to scan your computer? Are you running Tripwire, or anything that checks MD5 checksums on your computer to see if these files have been changed from their previous state?

    You may want to check out www.chkrootkit.org
    Anthony LaMantia
    http://www.bia-security.com

  3. #3
    Join Date
    Nov 2001
    Location
    Ann Arbor, MI
    Posts
    2,978
    The "check for trojans" in WHM should really be labeled something else.

    All it does is verify RPMs that are installed.

    rpm -V

    Basically it's telling you that those files were installed by one of the RPMs that are installed, but that the file (MD5 or perms) no longer matches the one in the RPM.
    -Mark Adams
    www.bitserve.com - Secure Michigan web hosting for your business.
    Only host still offering a full money back uptime guarantee and prorated refunds.
    Offering advanced server management and security incident response!
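
Added example, not from the thread and not WHM's own code: since the last reply describes the scan as an `rpm -V` run, this Python script parses `rpm -V` output and ranks each flagged file by which attributes changed. The sample lines and the priority rules are assumptions made for this example.

```python
import re
import sys

# Attribute letters printed by `rpm -V` for each file that fails verification.
FLAGS = {"S": "size", "M": "mode/permissions", "5": "digest (MD5)", "D": "device",
         "L": "symlink target", "U": "owner", "G": "group", "T": "mtime",
         "P": "capabilities"}
# Flag string, optional marker (c=config, d=doc, g=ghost, l=license, r=readme), path.
CHANGED = re.compile(r"^([SM5DLUGTP.?]{8,9})\s+(?:([cdglr])\s+)?(/.*)$")
MISSING = re.compile(r"^missing\s+(?:([cdglr])\s+)?(/.*)$")

# Constructed sample: flag strings are invented; /usr/bin names reuse the thread's.
SAMPLE = """\
S.5....T    /usr/bin/perl
.M......    /usr/bin/GET
.......T    /usr/bin/a2p
S.5....T  c /etc/httpd/conf/httpd.conf
missing     /usr/bin/webpng
"""

def parse(line):
    """Return (changed_attributes, marker, path), or None if not an rpm -V line."""
    m = MISSING.match(line)
    if m:
        return (["missing"], m.group(1), m.group(2))
    m = CHANGED.match(line)
    if not m:
        return None
    flags, marker, path = m.groups()
    return ([FLAGS[c] for c in flags if c in FLAGS], marker, path)

def priority(changed, marker):
    """Triage order; these thresholds are this example's assumption, not rpm's."""
    if marker == "c":
        return "low"      # config files are expected to be edited locally
    if "digest (MD5)" in changed or "missing" in changed:
        return "high"     # content differs from what the package installed
    if {"mode/permissions", "owner", "group"} & set(changed):
        return "medium"   # same content, different access rights
    return "low"          # e.g. only the timestamp changed

def triage(text):
    """Parse rpm -V output and return (priority, path, changed) sorted by priority."""
    rows = [(priority(c, m), p, c) for c, m, p in filter(None, map(parse, text.splitlines()))]
    return sorted(rows, key=lambda r: ("high", "medium", "low").index(r[0]))

if __name__ == "__main__":
    data = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    for level, path, changed in triage(data):
        print(f"{level:6} {path}  ({', '.join(changed)})")
```

To use real output, run `rpm -Va | python3 triage.py` (the file name is assumed). A clean result only shows agreement with the local RPM database, which is itself writable by root.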
