Full Version: trojan horses detected by whm?
The Planet Forums > Security > General Security > UNIX Security
Xia
I just updated WHM since it issued some kind of password reset vulnerability, and received this email after the update:

CODE
Subject: Trojan Horses Detected by (WHM)

Hidden Pid detected! [pid 29261]
hidden from ps: [yes]
binary location: [/usr/bin/stunnel-4.04local]

Hidden Pid detected! [pid 31275]
hidden from ps: [yes]
binary location: [/usr/bin/stunnel-4.04local]
Is this a false positive? Hope so..
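An added example, not from the thread and not WHM's own code: the kind of cross-check that produces a "hidden from ps" report. It walks /proc for numeric entries, asks ps for its own PID list, and flags anything present in the first set but absent from the second. That WHM's check works this way is an assumption; the post shows only the email. A process that exits between the /proc walk and the ps run looks hidden once, which is why the example takes several samples and keeps only PIDs hidden in every one of them. The helper functions take PID sets so they can be exercised on constructed data; live_check() runs the same logic on the host it is executed on.

```python
"""Cross-check /proc against ps to find processes hidden from ps.

Added example (not from the forum thread or from cPanel/WHM).  A PID that
exists in /proc but that ps does not list is either hidden by a rootkit (a
trojaned ps binary, or a kernel module filtering what ps reads) or a process
that exited between the two snapshots (a race).  Re-sampling and requiring
the PID to stay hidden across every sample separates the two cases.

Caveat: an LKM rootkit that filters /proc readdir hides from both views, so
this check only catches what ps hides but /proc still shows.
"""
import os
import re
import subprocess
import time


def pids_from_proc(entries):
    """Numeric directory names of a /proc listing, as a set of ints."""
    return {int(name) for name in entries if name.isdigit()}


def pids_from_ps(ps_output):
    """Parse `ps -e -o pid=` style output (one bare PID per line)."""
    return {int(tok) for tok in re.findall(r"^\s*(\d+)\s*$", ps_output, re.M)}


def hidden_pids(proc_pids, ps_pids):
    """PIDs visible in /proc but missing from ps: the raw, race-prone signal."""
    return sorted(proc_pids - ps_pids)


def confirmed_hidden(samples):
    """Keep only PIDs hidden in *every* (proc_pids, ps_pids) sample.

    A process that exits between the /proc walk and the ps run shows up as
    hidden in one sample only; a PID hidden in all samples is a real
    discrepancy worth investigating.
    """
    if not samples:
        return []
    hidden = None
    for proc_pids, ps_pids in samples:
        here = set(hidden_pids(proc_pids, ps_pids))
        hidden = here if hidden is None else hidden & here
    return sorted(hidden)


def exe_of(pid):
    """Binary location for a PID, as WHM reports it; None if unreadable."""
    try:
        return os.readlink("/proc/%d/exe" % pid)
    except OSError:
        return None


def live_check(samples=3, pause=0.5):
    """Take several /proc-vs-ps samples on this host and report survivors."""
    taken = []
    for _ in range(samples):
        proc = pids_from_proc(os.listdir("/proc"))
        ps_out = subprocess.run(["ps", "-e", "-o", "pid="],
                                capture_output=True, text=True).stdout
        taken.append((proc, pids_from_ps(ps_out)))
        time.sleep(pause)
    return [(pid, exe_of(pid)) for pid in confirmed_hidden(taken)]


if __name__ == "__main__":
    for pid, exe in live_check():
        print("Hidden Pid detected! [pid %d] binary location: [%s]" % (pid, exe))
```

Run it as root so /proc/<pid>/exe is readable for every process. A stunnel wrapper that forks short-lived children is exactly the kind of process that trips a single-sample comparison; a PID that survives three samples half a second apart is not a race.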
FarCry
There is a bug going round cPanel systems; it's called "cPanel's bad coding allows root access to anyone".

You may want to run chkrootkit. You can get it here:
http://www.chkrootkit.org/
Xia
This is the output :

CODE
ROOTDIR is `/'
Checking `amd'... not found
Checking `basename'... not infected
Checking `biff'... not found
Checking `chfn'... not infected
Checking `chsh'... not infected
Checking `cron'... not infected
Checking `date'... not infected
Checking `du'... not infected
Checking `dirname'... not infected
Checking `echo'... not infected
Checking `egrep'... not infected
Checking `env'... not infected
Checking `find'... not infected
Checking `fingerd'... not found
Checking `gpm'... not infected
Checking `grep'... not infected
Checking `hdparm'... not infected
Checking `su'... not infected
Checking `ifconfig'... not infected
Checking `inetd'... not tested
Checking `inetdconf'... not infected
Checking `identd'... not found
Checking `init'... not infected
Checking `killall'... not infected
Checking `ldsopreload'... not infected
Checking `login'... not infected
Checking `ls'... not infected
Checking `lsof'... not infected
Checking `mail'... not infected
Checking `mingetty'... not infected
Checking `netstat'... not infected
Checking `named'... not infected
Checking `passwd'... not infected
Checking `pidof'... not infected
Checking `pop2'... not found
Checking `pop3'... not found
Checking `ps'... not infected
Checking `pstree'... not infected
Checking `rpcinfo'... not infected
Checking `rlogind'... not found
Checking `rshd'... not found
Checking `slogin'... not infected
Checking `sendmail'... not infected
Checking `sshd'... not infected
Checking `syslogd'... not infected
Checking `tar'... not infected
Checking `tcpd'... not infected
Checking `tcpdump'... not infected
Checking `top'... not infected
Checking `telnetd'... not found
Checking `timed'... not found
Checking `traceroute'... not infected
Checking `vdir'... not infected
Checking `w'... not infected
Checking `write'... not infected
Checking `aliens'... no suspect files
Searching for sniffer's logs, it may take a while... nothing found
Searching for HiDrootkit's default dir... nothing found
Searching for t0rn's default files and dirs... nothing found
Searching for t0rn's v8 defaults... nothing found
Searching for Lion Worm default files and dirs... nothing found
Searching for RSHA's default files and dir... nothing found
Searching for RH-Sharpe's default files... nothing found
Searching for Ambient's rootkit (ark) default files and dirs... nothing found
Searching for suspicious files and dirs, it may take a while...
/usr/lib/perl5/5.8.0/i386-linux-thread-multi/.packlist /usr/lib/perl5/site_perl/5.8.1/i686-linux/auto/Compress/Zlib/.packlist /usr/lib/perl5/site_perl/5.8.1/i686-linux/auto/Archive/Tar/.packlist /usr/lib/perl5/site_perl/5.8.1/i686-linux/auto/Archive/Zip/.packlist /usr/lib/perl5/site_perl/5.8.1/i686-linux/auto/Net/Telnet/.packlist /usr/lib/perl5/site_perl/5.8.1/i686-linux/auto/Net/Daemon/.packlist /usr/lib/perl5/site_perl/5.8.1/i686-linux/auto/Net/SSLeay/.packlist /usr/lib/perl5/site_perl/5.8.1/i686-linux/auto/Net/AIM/.packlist /usr/lib/perl5/site_perl/5.8.1/i686-linux/auto/Net/DNS/.packlist /usr/lib/perl5/site_perl/5.8.1/i686-linux/auto/Term/ReadKey/.packlist /usr/lib/perl5/site_perl/5.8.1/i686-linux/auto/Term/ReadLine/.packlist /usr/lib/perl5/site_perl/5.8.1/i686-linux/auto/MD5/.packlist /usr/lib/perl5/site_perl/5.8.1/i686-linux/auto/IO-stringy/.packlist /usr/lib/perl5/site_perl/5.8.1/i686-linux/auto/Mail/.packlist /usr/lib/perl5/site_perl/5.8.1/i686-linux/auto/Mail/SpamAssassin/.packlist /usr/lib/perl5/site_perl/5.8.1/i686-linux/auto/MIME-tools/.packlist /usr/lib/perl5/site_perl/5.8.1/i686-linux/auto/RPC/PlServer/.packlist /usr/lib/perl5/site_perl/5.8.1/i686-linux/auto/DBI/.packlist /usr/lib/perl5/site_perl/5.8.1/i686-linux/auto/DBI/Shell/.packlist /usr/lib/perl5/site_perl/5.8.1/i686-linux/auto/DBD/Multiplex/.packlist /usr/lib/perl5/site_perl/5.8.1/i686-linux/auto/DBD/mysql/.packlist /usr/lib/perl5/site_perl/5.8.1/i686-linux/auto/Text/Reform/.packlist /usr/lib/perl5/site_perl/5.8.1/i686-linux/auto/Text/CSV_XS/.packlist /usr/lib/perl5/site_perl/5.8.1/i686-linux/auto/IO/Tee/.packlist /usr/lib/perl5/site_perl/5.8.1/i686-linux/auto/IO/Stty/.packlist /usr/lib/perl5/site_perl/5.8.1/i686-linux/auto/IO/Tty/.packlist /usr/lib/perl5/site_perl/5.8.1/i686-linux/auto/URI/.packlist /usr/lib/perl5/site_perl/5.8.1/i686-linux/auto/HTML/Tagset/.packlist /usr/lib/perl5/site_perl/5.8.1/i686-linux/auto/HTML/Parser/.packlist 
/usr/lib/perl5/site_perl/5.8.1/i686-linux/auto/HTML/FillInForm/.packlist /usr/lib/perl5/site_perl/5.8.1/i686-linux/auto/HTML/Clean/.packlist /usr/lib/perl5/site_perl/5.8.1/i686-linux/auto/HTML/SimpleParse/.packlist /usr/lib/perl5/site_perl/5.8.1/i686-linux/auto/libwww-perl/.packlist /usr/lib/perl5/site_perl/5.8.1/i686-linux/auto/Parse/RecDescent/.packlist /usr/lib/perl5/site_perl/5.8.1/i686-linux/auto/OLE/Storage_Lite/.packlist /usr/lib/perl5/site_perl/5.8.1/i686-linux/auto/Image/Size/.packlist /usr/lib/perl5/site_perl/5.8.1/i686-linux/auto/Safe/Hole/.packlist /usr/lib/perl5/site_perl/5.8.1/i686-linux/auto/Tie/ShadowHash/.packlist /usr/lib/perl5/site_perl/5.8.1/i686-linux/auto/Tie/Watch/.packlist /usr/lib/perl5/site_perl/5.8.1/i686-linux/auto/Tie/IxHash/.packlist /usr/lib/perl5/site_perl/5.8.1/i686-linux/auto/Business/UPS/.packlist /usr/lib/perl5/site_perl/5.8.1/i686-linux/auto/Business/OnlinePayment/.packlist /usr/lib/perl5/site_perl/5.8.1/i686-linux/auto/Business/OnlinePayment/AuthorizeNet/.packlist /usr/lib/perl5/site_perl/5.8.1/i686-linux/auto/SQL/Statement/.packlist /usr/lib/perl5/site_perl/5.8.1/i686-linux/auto/Spreadsheet/ParseExcel/.packlist /usr/lib/perl5/site_perl/5.8.1/i686-linux/auto/Spreadsheet/WriteExcel/.packlist /usr/lib/perl5/site_perl/5.8.1/i686-linux/auto/Convert/ASN1/.packlist /usr/lib/perl5/site_perl/5.8.1/i686-linux/auto/Convert/BER/.packlist /usr/lib/perl5/site_perl/5.8.1/i686-linux/auto/perl-ldap/.packlist /usr/lib/perl5/site_perl/5.8.1/i686-linux/auto/MLDBM/.packlist /usr/lib/perl5/site_perl/5.8.1/i686-linux/auto/MLDBM/Sync/.packlist /usr/lib/perl5/site_perl/5.8.1/i686-linux/auto/Devel/Symdump/.packlist /usr/lib/perl5/site_perl/5.8.1/i686-linux/auto/XML/Parser/.packlist /usr/lib/perl5/site_perl/5.8.1/i686-linux/auto/XML/RegExp/.packlist /usr/lib/perl5/site_perl/5.8.1/i686-linux/auto/XML/XSLT/.packlist /usr/lib/perl5/site_perl/5.8.1/i686-linux/auto/Persistent/Base/.packlist 
/usr/lib/perl5/site_perl/5.8.1/i686-linux/auto/Persistent/DBI/.packlist /usr/lib/perl5/site_perl/5.8.1/i686-linux/auto/Crypt/Blowfish/.packlist /usr/lib/perl5/site_perl/5.8.1/i686-linux/auto/Crypt/Blowfish_PP/.packlist /usr/lib/perl5/site_perl/5.8.1/i686-linux/auto/Crypt/CBC/.packlist /usr/lib/perl5/site_perl/5.8.1/i686-linux/auto/Crypt/DES/.packlist /usr/lib/perl5/site_perl/5.8.1/i686-linux/auto/Crypt/SSLeay/.packlist /usr/lib/perl5/site_perl/5.8.1/i686-linux/auto/libxml-perl/.packlist /usr/lib/perl5/site_perl/5.8.1/i686-linux/auto/XML-DOM/.packlist /usr/lib/perl5/site_perl/5.8.1/i686-linux/auto/Curses/.packlist /usr/lib/perl5/site_perl/5.8.1/i686-linux/auto/Data/ShowTable/.packlist /usr/lib/perl5/site_perl/5.8.1/i686-linux/auto/GD/.packlist /usr/lib/perl5/site_perl/5.8.1/i686-linux/auto/GD/Text/.packlist /usr/lib/perl5/site_perl/5.8.1/i686-linux/auto/GD/Graph/.packlist /usr/lib/perl5/site_perl/5.8.1/i686-linux/auto/GD/Graph3d/.packlist /usr/lib/perl5/site_perl/5.8.1/i686-linux/auto/SOAP/Lite/.packlist /usr/lib/perl5/site_perl/5.8.1/i686-linux/auto/Tree/MultiNode/.packlist /usr/lib/perl5/site_perl/5.8.1/i686-linux/auto/Digest/SHA1/.packlist /usr/lib/perl5/site_perl/5.8.1/i686-linux/auto/Digest/HMAC/.packlist /usr/lib/perl5/5.8.1/i686-linux/auto/Digest/MD5/.packlist /usr/lib/perl5/5.8.1/i686-linux/auto/Digest/.packlist /usr/lib/perl5/5.8.1/i686-linux/auto/File/Spec/.packlist /usr/lib/perl5/5.8.1/i686-linux/auto/MIME/Base64/.packlist /usr/lib/perl5/5.8.1/i686-linux/auto/Storable/.packlist /usr/lib/perl5/5.8.1/i686-linux/auto/Time/HiRes/.packlist /usr/lib/perl5/5.8.1/i686-linux/auto/Net/.packlist /usr/lib/perl5/5.8.1/i686-linux/auto/CGI/.packlist /usr/lib/perl5/5.8.1/i686-linux/.packlist /usr/lib/php/.registry /usr/lib/php/.lock /usr/lib/php/.filemap

/usr/lib/php/.registry
Searching for LPD Worm files and dirs... nothing found
Searching for Ramen Worm files and dirs... nothing found
Searching for Maniac files and dirs... nothing found
Searching for RK17 files and dirs... ./chkrootkit: line 725: [: /var/www/cgi-bin: binary operator expected
./chkrootkit: line 725: [: /var/www/cgi-bin: binary operator expected
./chkrootkit: line 725: [: /var/www/cgi-bin: binary operator expected
./chkrootkit: line 725: [: /var/www/cgi-bin: binary operator expected
./chkrootkit: line 725: [: /var/www/cgi-bin: binary operator expected
./chkrootkit: line 725: [: /var/www/cgi-bin: binary operator expected
./chkrootkit: line 725: [: /var/www/cgi-bin: binary operator expected
./chkrootkit: line 725: [: /var/www/cgi-bin: binary operator expected
./chkrootkit: line 725: [: /var/www/cgi-bin: binary operator expected
./chkrootkit: line 725: [: /var/www/cgi-bin: binary operator expected
./chkrootkit: line 725: [: /var/www/cgi-bin: binary operator expected
./chkrootkit: line 725: [: /var/www/cgi-bin: binary operator expected
./chkrootkit: line 725: [: /var/www/cgi-bin: binary operator expected
./chkrootkit: line 725: [: /var/www/cgi-bin: binary operator expected
./chkrootkit: line 725: [: /var/www/cgi-bin: binary operator expected
./chkrootkit: line 725: [: /var/www/cgi-bin: binary operator expected
./chkrootkit: line 725: [: /var/www/cgi-bin: binary operator expected
./chkrootkit: line 725: [: /var/www/cgi-bin: binary operator expected
./chkrootkit: line 725: [: /var/www/cgi-bin: binary operator expected
nothing found
Searching for Ducoci rootkit... nothing found
Searching for Adore Worm... nothing found
Searching for ShitC Worm... nothing found
Searching for Omega Worm... nothing found
Searching for Sadmind/IIS Worm... nothing found
Searching for MonKit... nothing found
Searching for Showtee... nothing found
Searching for OpticKit... nothing found
Searching for T.R.K... nothing found
Searching for Mithra... nothing found
Searching for LOC rootkit ... nothing found
Searching for Romanian rootkit ... nothing found
Searching for HKRK rootkit ... nothing found
Searching for Suckit rootkit ... nothing found
Searching for Volc rootkit ... nothing found
Searching for Gold2 rootkit ... nothing found
Searching for TC2 Worm default files and dirs... nothing found
Searching for Anonoying rootkit default files and dirs... nothing found
Searching for ZK rootkit default files and dirs... nothing found
Searching for ShKit rootkit default files and dirs... nothing found
Searching for AjaKit rootkit default files and dirs... nothing found
Searching for zaRwT rootkit default files and dirs... nothing found
Searching for anomalies in shell history files... nothing found
Checking `asp'... not infected
Checking `bindshell'... INFECTED (PORTS:  465)
Checking `lkm'... nothing detected
Checking `rexedcs'... not found
Checking `sniffer'... /proc/26273/fd: No such file or directory
eth0: PF_PACKET(/usr/sbin/snort-plain)
eth0:1: PF_PACKET(/usr/sbin/snort-plain)
eth0:2: PF_PACKET(/usr/sbin/snort-plain)
eth0:3: PF_PACKET(/usr/sbin/snort-plain)
eth0:4: PF_PACKET(/usr/sbin/snort-plain)
Checking `w55808'... not infected
Checking `wted'... nothing deleted
Checking `scalper'... not infected
Checking `slapper'... not infected
Checking `z2'... nothing deleted

Where can I find a patch for this cPanel bug?
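An added example, not part of the thread and not chkrootkit's own code: chkrootkit's `bindshell` test is a fixed list of ports that known backdoors listen on, and 465 (the SMTPS port) is one of them, so any legitimate listener on 465 is reported as INFECTED. Whether this hit and the hidden stunnel PIDs from the email are the same thing can be settled by resolving the listener to its process straight from /proc, without trusting netstat, lsof or ps (exactly the binaries a rootkit replaces). The /proc/net/tcp lines and fd tables in the block are constructed sample data that assume the stunnel-4.04local processes from the email hold the port-465 listener; that correspondence is an assumption, not something the thread confirms.

```python
"""Resolve a port flagged by chkrootkit's bindshell test to its owning process.

Added example, not part of the forum thread or of chkrootkit.  Two steps:
  1. /proc/net/tcp lists every TCP socket with its local port (hex), state
     (0A = LISTEN) and socket inode.
  2. /proc/<pid>/fd/<n> is a symlink that reads 'socket:[<inode>]' for the
     process holding that socket.
Neither step runs a userland tool that a rootkit could have trojaned.
"""
import os
import re

LISTEN = "0A"  # TCP state code used in /proc/net/tcp

# Constructed sample: a LISTEN socket on 465 (0x01D1), one on 22 (0x0016) and
# an ESTABLISHED (state 01) connection on 465 that must not be counted.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:01D1 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 18421 1 00000000 300 0 0 2 -1
   1: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0  9110 1 00000000 300 0 0 2 -1
   2: 0100007F:01D1 0100007F:C3A2 01 00000000:00000000 00:00000000 00000000     0        0 18490 1 00000000 20 4 30 10 -1
"""

# Constructed sample of {pid: readlink targets of /proc/<pid>/fd/*}; the two
# PIDs are the ones WHM named, assumed here to be a forked stunnel pair that
# both hold the listening socket.
SAMPLE_FD_TABLES = {
    29261: ["/dev/null", "socket:[18421]", "socket:[18490]"],
    31275: ["socket:[18421]"],
    1: ["/dev/console"],
}


def listening_inodes(proc_net_tcp, port):
    """Socket inodes of LISTEN entries on `port` in /proc/net/tcp text."""
    inodes = set()
    for line in proc_net_tcp.splitlines()[1:]:  # skip the header row
        f = line.split()
        if len(f) < 10:
            continue
        local_addr, state, inode = f[1], f[3], f[9]
        local_port = int(local_addr.rsplit(":", 1)[1], 16)
        if state == LISTEN and local_port == port:
            inodes.add(inode)
    return inodes


def owners_of_inodes(inodes, fd_tables):
    """Map socket inodes back to the set of PIDs holding them."""
    owners = {}
    for pid, links in fd_tables.items():
        for target in links:
            m = re.fullmatch(r"socket:\[(\d+)\]", target)
            if m and m.group(1) in inodes:
                owners.setdefault(m.group(1), set()).add(pid)
    return owners


def read_fd_tables():
    """Walk /proc/<pid>/fd on the live host (root needed for other users' fds)."""
    tables = {}
    for name in os.listdir("/proc"):
        if not name.isdigit():
            continue
        fd_dir = "/proc/%s/fd" % name
        try:
            tables[int(name)] = [os.readlink(os.path.join(fd_dir, fd))
                                 for fd in os.listdir(fd_dir)]
        except OSError:
            continue  # process exited or permission denied
    return tables


def exe_of(pid):
    """Executable behind a PID, or None if it cannot be read."""
    try:
        return os.readlink("/proc/%d/exe" % pid)
    except OSError:
        return None


def who_listens(port, proc_net_tcp, fd_tables, exe_lookup=exe_of):
    """Return {pid: exe path or None} for every process listening on `port`."""
    owners = owners_of_inodes(listening_inodes(proc_net_tcp, port), fd_tables)
    return {pid: exe_lookup(pid) for pids in owners.values() for pid in pids}


if __name__ == "__main__":
    with open("/proc/net/tcp") as fh:
        live_tcp = fh.read()
    for pid, exe in sorted(who_listens(465, live_tcp, read_fd_tables()).items()):
        print("port 465 listener: pid %d -> %s" % (pid, exe))
```

If the executable resolved this way is the same stunnel binary WHM named, the bindshell hit is the SMTPS wrapper and not a backdoor; if it resolves to something unexpected, or to a deleted file, the ps discrepancy and the port hit are both real findings. The IPv6 table (/proc/net/tcp6) has the same column layout and parses with the same function.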
FarCry
You look clean!

The only patch I know of for cPanel is to remove it... I had a rather bitter experience with cPanel and a server getting hacked 15 months or so ago. Just shows that they are not into security!
Xia
Well, I don't think I really need cPanel anyway. Is it possible to use AWStats and Urchin without cPanel?

How would I go about removing it? Is it OK to keep WHM?

I received WHM and cPanel for free as part of a promotion.

You say I look clean, but why then does WHM report these hidden PIDs?
bsykes
Urchin can be used without cPanel, and I *think* AWStats can, but if I'm wrong I'm sure somebody will let me know.

WHM/cPanel is much like Internet Explorer in that once it is installed, it basically cannot be removed without an OS reinstall. That's the quickest, safest way to do it (provided you have all your content backed up).
alduin
QUOTE (bsykes)
Urchin can be used without cPanel, and I *think* AWStats can, but if I'm wrong I'm sure somebody will let me know.

Both work just fine without cpanel. In fact, if you dump cpanel, your karma will get a boost, too. =)
Xia
Well, an OS reinstall isn't an option right now. Isn't blocking ports with APF the next best thing?
alduin
QUOTE (Xia)
Well, an OS reinstall isn't an option right now. Isn't blocking ports with APF the next best thing?

If you haven't yet been compromised, the bugtraq advisory has information on how to disable the feature that is being exploited.

http://www.securityfocus.com/archive/1/357...09/2004-03-15/0
FarCry
I'm not sure about the hidden PIDs, but chkrootkit looks for all that.

It's not really possible to remove cPanel once it's on there, as it sets up your server with all the services it needs.

Until a bug fix is found, if you're the only person using this server (no clients), the best thing to do might be to stop cPanel:

service cpanel stop

I don't know if there is a stop for WHM too.