libkeyutils.so.1.3.1 trojan false positive?
Hello,
I have been researching this the last two days and have not gotten very far. I have contacted my hosting provider and they ran a malware scan that came back clean as well as other commands to run and try to determine if I indeed have a trojan on my server.
This is the error I have in the Security Adviser in WHM:
Libkeyutils check: "/lib64/libkeyutils.so.1.3.1" is not owned by any system packages. This indicates a possible server compromise. (NOTE: Corrupted RPM databases can report this as a false positive).
I do have a libkeyutils1.3.1 and libkeyutils1.3 with the symlink going to the 1.3.1
However, every other commands I enter to try and substantiate the flag turns up nothing.
ssh -G 2>&1 | grep -e illegal -e unknown > /dev/null && echo "System clean" || echo "System infected" -> this returns System Clean
netstat -nap | grep proc/udevd" --> no results
ipcs -m returns shared memory segments with the largest being 1200712 bytes (documents show a compromised system has over 3MB)
So, not really sure where to go from here. Is WHM reporting a false positive? or is my RPM database corrupt?
Thanks for the help!
-
Check this document it may be of some use to you: Determine Your System's Status - cPanel Knowledge Base - cPanel Documentation 0 -
Thank you for the link. I will run through those commands and see what I can find 0
Please sign in to leave a comment.
Comments
2 comments