If you’ve ever tried WHM/cPanel’s Trojan Scanner, you’ll know this tool produces way too many false positives to be useful. I’ve had it list several hundred false positives in some instances. The last thing I want to do is spend my day double-checking false positives. Instead, I installed a very powerful tool called CHKROOTKIT to get the job done with minimal false positives.
Please note this applies to CentOS running WHM/cPanel.
To start, go ahead and ssh into your server as root.
Download CHKROOTKIT by typing:
Check the md5sum from the vendor site here: ftp://ftp.pangeia.com.br/pub/seg/pac/chkrootkit.md5
Now, type this in your ssh session to make sure your md5sum matches the one on the vendor site:
Unpack the download:
tar xvzf chkrootkit.tar.gz
Change to the chkrootkit directory:
Now you’re ready to run chkrootkit:
Everything listed should be either “not found” or “not infected.”
You’re going to want to do a quick removal of just the downloaded tarball:
And you’re done! If you do happen to have a trojan or rootkit, start googling!
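The checksum comparison and the "not found / not infected" check from the steps above, as an added example that is not part of the original post. It assumes chkrootkit.md5 is in md5sum format and that chkrootkit's output was saved to a file; the function names and the sample output lines are constructed for illustration.

```shell
#!/bin/bash
# Added example (not from the original post).

# verify_md5 FILE MD5FILE
# Assumption: MD5FILE is in md5sum format, "<32 hex digits>  <filename>".
# Returns 0 on match, 1 on mismatch, 2 if an input is missing or malformed.
verify_md5() {
    local file=$1 md5file=$2 expected actual
    [ -r "$file" ] && [ -r "$md5file" ] || return 2
    # First field of the first line is the published digest.
    expected=$(awk 'NR==1 {print tolower($1)}' "$md5file")
    case "$expected" in
        ""|*[!0-9a-f]*) return 2 ;;
    esac
    [ "${#expected}" -eq 32 ] || return 2
    actual=$(md5sum "$file" | awk '{print $1}')
    [ "$actual" = "$expected" ]
}

# flag_findings: read chkrootkit output on stdin and print every line whose
# status is not one of the two the post treats as clean. Blank lines are
# ignored. Returns 0 if nothing was flagged, 1 otherwise.
# Extend the pattern if your chkrootkit version prints other benign statuses.
flag_findings() {
    ! grep -Ev '(not found|not infected)[[:space:]]*$|^[[:space:]]*$'
}

# Constructed sample of chkrootkit output, for trying flag_findings offline.
sample_output() {
    cat <<'EOF'
Checking `amd'... not found
Checking `basename'... not infected
Checking `bindshell'... INFECTED (PORTS:  465)
EOF
}

# Typical use after the download step:
#   verify_md5 chkrootkit.tar.gz chkrootkit.md5 || { echo "checksum problem"; exit 1; }
#   ./chkrootkit > /root/chkrootkit.out 2>&1
#   flag_findings < /root/chkrootkit.out || echo "review the lines above"
```

A matching MD5 fetched from the same FTP server as the tarball only shows the download was not corrupted in transit; it does not prove the file is authentic.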