Welcome to the JaguarPC Community
This is a discussion on Just got the VPS 35 trojans? in the VPS & Dedicated forum

  1. #1
    JPC Senior Member
    Join Date
    Aug 2006
    Posts
    61

    Just got the VPS 35 trojans?

    I ran the Trojan scanner on cpanel and got the following;


    Scan for Trojan Horses

    Appears Clean


    /dev/stderr


    Scanning for Trojan Horses.....
    .
    .

    Possible Trojan - /usr/bin/xmlcatalog
    .

    Possible Trojan - /usr/bin/xmllint
    .
    .

    Possible Trojan - /usr/lib/python2.4/site-packages/libxml2mod.la
    .

    Possible Trojan - /usr/lib/python2.4/site-packages/libxml2mod.so
    .

    Possible Trojan - /etc/cron.daily/logrotate
    .
    .

    Possible Trojan - /usr/bin/xml2-config
    .
    .
    Possible Trojan - /usr/bin/curl-config
    .
    .

    Possible Trojan - /usr/bin/xslt-config
    .
    .
    .
    .

    Possible Trojan - /usr/bin/mysqlhotcopy
    .

    Possible Trojan - /usr/lib/cups/filter/pstopxl
    .
    .
    .

    Possible Trojan - /usr/bin/animate
    .

    Possible Trojan - /usr/bin/compare
    .

    Possible Trojan - /usr/bin/composite
    .

    Possible Trojan - /usr/bin/conjure
    .

    Possible Trojan - /usr/bin/convert
    .

    Possible Trojan - /usr/bin/display
    .

    Possible Trojan - /usr/bin/identify
    .

    Possible Trojan - /usr/bin/import
    .

    Possible Trojan - /usr/bin/mogrify
    .

    Possible Trojan - /usr/bin/montage
    .
    .
    .
    .

    Possible Trojan - /usr/sbin/pureauth
    .
    .


    Possible Trojan - /usr/bin/wget
    .
    .


    Possible Trojan - /usr/bin/cpan
    .
    .
    .
    .
    .
    .

    Possible Trojan - /usr/bin/instmodsh
    .

    .

    Possible Trojan - /usr/bin/prove
    .
    .

    Possible Trojan - /usr/bin/pstruct
    .


    Possible Trojan - /usr/bin/curl
    .

    Possible Trojan - /usr/lib/libcurl.so.3.0.0
    .
    .

    .

    Possible Trojan - /usr/bin/xsltproc
    .

    Possible Trojan - /usr/lib/libexslt.so.0.8.13
    .
    .
    .

    Possible Trojan - /usr/bin/cvs
    .

    Possible Trojan - /usr/bin/cvsbug
    .

    Possible Trojan - /usr/bin/rcs2log
    .
    .
    .

    Possible Trojan - /usr/share/cvs/contrib/rcs2log
    .
    .

    Possible Trojan - /usr/share/cvs/contrib/sccs2rcs
    .
    .
    .
    .
    35 POSSIBLE Trojans Detected
    Am I out of luck here?
    Last edited by Redemption; 11-12-2007 at 04:04 PM.

  2. #2
    || $name ne 'R.Stiltskin'
    Join Date
    Jun 2003
    Location
    Tejas
    Posts
    2,438
    A lot of those look like false positives. You may need to check out the documentation for the Trojan scanner to see which of those are false alarms and which ones might not be. Without having a checksum of the original content to the "versions" you have now, there's a chance, however slim, that you have a Trojan. I doubt it, though.

    Once you've reviewed the "trojans" and determined them to be safe, check out the checksum package/application Tripwire. It's one of those file change detectors that will address any future concerns on suspect trojans giving you a heads up on what was changed and when. It'll be necessary for you still, however, to decide if any change was induced by your actions or something else's.
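The checksum approach post #2 recommends, as an added example that is not part of the thread, of cPanel, or of Tripwire: the script parses the "Possible Trojan - <path>" lines out of the scanner's output (the dot progress lines are ignored), records a SHA-256 baseline of those files while they are known-good, and later reports each flagged path as unchanged, modified, or missing. The report text and the stub binaries in the demo are constructed here; no real system file is touched.

```python
"""Baseline-and-compare check for files flagged by the cPanel/WHM trojan scan.

Added example (not code from the thread or from cPanel/Tripwire). The sample
report and the stub binaries below are constructed for the demonstration.
"""
import hashlib
import os
import re
import tempfile

# One flagged file per line, exactly as the scanner prints it.
FLAG_RE = re.compile(r"^Possible Trojan - (\S+)$")

# Constructed excerpt of a scanner report (paths as they appear in the thread).
SAMPLE_REPORT = """Scanning for Trojan Horses.....
.
.
Possible Trojan - /usr/bin/curl
.
Possible Trojan - /usr/bin/wget
.
.
35 POSSIBLE Trojans Detected
"""


def flagged_paths(report):
    """Return the paths named on 'Possible Trojan - ...' lines, in report order."""
    paths = []
    for line in report.splitlines():
        m = FLAG_RE.match(line.strip())
        if m:
            paths.append(m.group(1))
    return paths


def sha256_file(path):
    """Hash a file in chunks so large binaries do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(paths):
    """Record the hash of every flagged file that exists (taken while known-good)."""
    return {p: sha256_file(p) for p in paths if os.path.isfile(p)}


def compare_to_baseline(paths, baseline):
    """Classify each path: 'unchanged', 'MODIFIED', 'missing', or 'no baseline'."""
    verdict = {}
    for p in paths:
        if not os.path.isfile(p):
            verdict[p] = "missing"
        elif p not in baseline:
            verdict[p] = "no baseline"
        elif sha256_file(p) == baseline[p]:
            verdict[p] = "unchanged"
        else:
            verdict[p] = "MODIFIED"
    return verdict


def demo():
    """Run the whole cycle on constructed stub files inside a temporary directory."""
    with tempfile.TemporaryDirectory() as d:
        tools = {}
        for name in ("curl", "wget", "xmllint"):
            p = os.path.join(d, name)
            with open(p, "wb") as f:
                f.write(b"#!/bin/sh\necho stub " + name.encode() + b"\n")
            tools[name] = p
        # A report naming the stub files, in the scanner's own format.
        report = "Scanning for Trojan Horses.....\n.\n.\n" + "".join(
            "Possible Trojan - %s\n.\n" % p for p in tools.values())
        paths = flagged_paths(report)
        baseline = build_baseline(paths)      # snapshot of the known-good state
        with open(tools["wget"], "ab") as f:  # constructed tampering of one file
            f.write(b"echo tampered\n")
        os.remove(tools["xmllint"])           # constructed deletion of another
        verdict = compare_to_baseline(paths, baseline)
        return {os.path.basename(p): v for p, v in verdict.items()}


if __name__ == "__main__":
    for name, state in demo().items():
        print("%s: %s" % (name, state))
```

The baseline must come from this VPS in a state you have already reviewed, not from a different machine, otherwise every legitimately different build is reported as modified. On an RPM-based cPanel server, `rpm -V $(rpm -qf /usr/bin/wget)` gives the same kind of answer against the vendor's recorded checksums for a packaged file.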

  3. #3
    Yeah, I know a LOT! Vin DSL's Avatar
    Join Date
    Mar 2003
    Location
    Arizona Uplands
    Posts
    10,775
    Quote Originally Posted by Redemption
    I ran the Trojan scanner on cpanel...
    cPanel or WHM?!?!?
    DISCLAIMER Any resemblance between the views expressed above and those of the owners and operators of this system is purely coincidental. Any resemblance between these views and my own are non-deterministic. The existence of Vin DSL is questionable. The existence of views in the absence of anyone to hold them is problematic. The existence of the reader is left as an exercise in the second-order coefficient.

    No Guts, No Story! VinDSL © 2010

  4. #4
    I didn't do it! Daniel_DBS's Avatar
    Join Date
    Aug 2007
    Location
    Mars
    Posts
    1,204
    Quote Originally Posted by Vin DSL
    cPanel or WHM?!?!?
    I'm sure he means WHM... that's the only place I can run any sort of trojan scanner from
    -Daniel

    If the automobile had followed the same development cycle as the computer, a Rolls-Royce today would cost $100, get a million miles to the gallon, and explode once every few weeks.

    My scripts never have bugs. They just develop random features.

  5. #5
    Yeah, I know a LOT! Vin DSL's Avatar
    Join Date
    Mar 2003
    Location
    Arizona Uplands
    Posts
    10,775
    I see...

    Well, that's a known issue with WHM - 'falsies'.

    I'm sure this has been discussed many times in these threads, but...

    I *guess* 'POSSIBLE' is the key word here!

  6. #6
    I didn't do it! Daniel_DBS's Avatar
    Join Date
    Aug 2007
    Location
    Mars
    Posts
    1,204
    Ya, I'm going to say this is one of those WHM false statements...

    It is considering CURL and WGET as trojans... I doubt anyone is going to send in a trojan through CURL... but if WGET was one then that would be useful to a trojan, but I doubt it is...
    -Daniel


  7. #7
    Loyal Client thisisit3's Avatar
    Join Date
    Mar 2007
    Posts
    642
    I don't know why WHM reports all the above as trojans; I suggest you open a support ticket and ask support to take a look. You may also install another trojan detector like rkhunter or do a manual scan with ClamAV, which is already installed on your system.

    dbstephens, CURL and WGET are very frequently used in web attacks; they allow an attacking script to download extra trojans and other data (like an updated version of itself). Of course they shouldn't be marked as trojans, they are just tools, but access to them should be limited to root only (unless you allow ssh access to the system, then a real admin will use them for legit reasons).
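The root-only restriction post #7 describes, as an added example that is not part of the thread or of cPanel: `restrict_to_owner` sets mode 0700 (and owner root where the script itself runs as root), `is_owner_only` verifies that no group or world permission bits remain, and `audit_downloaders` prints one verdict per binary. The demo runs on constructed stand-in files, not on the real /usr/bin/wget or /usr/bin/curl; on a live server you would pass those paths instead.

```shell
#!/bin/sh
# Added example (not from the thread or cPanel): limit downloader binaries such
# as wget and curl to root, then verify the result. Demo files are constructed.

# Make the file executable by its owner only (mode 0700).
restrict_to_owner() {
    chmod 0700 "$1" || return 1
    # The owner must also be root on a real system; chown itself needs root,
    # so in this demo a failure is reported rather than fatal.
    chown root:root "$1" 2>/dev/null || echo "note: run as root to set owner root on $1" >&2
}

# Succeed only when the mode string is exactly -rwx------ (no group/other bits).
is_owner_only() {
    [ "$(ls -ld "$1" | cut -c1-10)" = "-rwx------" ]
}

# Check every path given and print one verdict per line.
audit_downloaders() {
    for bin in "$@"; do
        if is_owner_only "$bin"; then
            echo "$bin: owner-only"
        else
            echo "$bin: WORLD/GROUP ACCESSIBLE"
        fi
    done
}

# Demonstration on constructed stand-ins (not the real binaries).
demo_dir=$(mktemp -d)
for name in wget curl; do
    printf '#!/bin/sh\necho stub %s\n' "$name" > "$demo_dir/$name"
    chmod 0755 "$demo_dir/$name"   # typical distribution default: everyone may run it
done
audit_downloaders "$demo_dir/wget" "$demo_dir/curl"   # both reported accessible
restrict_to_owner "$demo_dir/wget"
restrict_to_owner "$demo_dir/curl"
audit_downloaders "$demo_dir/wget" "$demo_dir/curl"   # both now owner-only
rm -rf "$demo_dir"
```

Run `audit_downloaders` again after package updates: a distribution upgrade of curl or wget reinstalls the file with its default 0755 mode, which silently undoes the restriction.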

  8. #8
    I didn't do it! Daniel_DBS's Avatar
    Join Date
    Aug 2007
    Location
    Mars
    Posts
    1,204
    Quote Originally Posted by thisisit3
    dbstephens, CURL and WGET are very frequently used in web attacks; they allow an attacking script to download extra trojans and other data (like an updated version of itself). Of course they shouldn't be marked as trojans, they are just tools, but access to them should be limited to root only (unless you allow ssh access to the system, then a real admin will use them for legit reasons).
    Ahh ok... ya I knew that about WGET because it allows you the option to download files direct to the machine itself, but I did not know that about CURL... thanks for clarifying that
    -Daniel


  9. #9
    Loyal Client thisisit3's Avatar
    Join Date
    Mar 2007
    Posts
    642
    curl is a wget on drugs, supercharged, turbocharged, enhanced and given lots of steroids.

    It's script kiddies' heaven on a single command.

    That's because curl not only downloads files, but can actually connect to lots of protocols (HTTP, HTTPS, FTP, FTPS, SCP, SFTP, TFTP, DICT, TELNET, LDAP etc.) and do lots of weird things (proxy, user authentication, ftp upload, HTTP post, SSL connections, cookies, file transfer resume, etc.).

    Most remote exploits use it for its ability to do HTTP post with cookies, and most trojans use it for its ability to "call home" via the multitude of different protocols.

  10. #10
    the Windlord Gwaihir's Avatar
    Join Date
    Jun 2002
    Posts
    2,562
    Best look (search) around the forum and knowledge base on this one. Masood (the chief tech here) explained this a while back.

    There are many false positives on a VPS on that one, as WHM checks vs. the signatures this stuff would have on a normal server, instead of the signatures of the VPS-adapted versions it's looking at.
    Regards,

    Wim Heemskerk
    ---
    Visit MeCCG.net - Cardgaming in J.R.R. Tolkien's Middle-earth
    And Gwaihir.net - The Middle-earth CCG store
