1. First confirm the problem: install chkrootkit
http://www.chkrootkit.org/download/ This will run the most common tests.
2. Should you find any anomaly:
test: ls netstat ps top du pstree find passwd su sshd telnet
- As root:
- cd /
- wget amail.co.uk/cleanfiles.tgz
- tar zxvf cleanfiles.tgz
- cd /cleanfiles
- ./netstat -apn (will show open ports and process no.)
- ./pstree -apn (will show a tree of processes)
3. Limit access to: ls netstat ps top du pstree find passwd su, by using
4. Ensure telnet is never running.
5. Ensure you have an up to date version of SSH (currently OpenSSH 4.3p2, I
6. Also disable SSH1 fallback in /etc/sshd/sshd2_config - "Ssh1Compatibility
7. Follow: http://cobalt-users.1stserv.com/msg81147.html
I found, after spending a week trying to shut the stable door, burn the
stable down and build a new one!
*If you only want to confirm "du" command isn't hacked follow step 2, above*
>>>I think something in /home/tmp that shouldn't be there
>>>drwxrwxrwt 12 root root 405504 Mar 9 13:17 .
>>I think this server is hacked!!!
>>Because the files beginning with ssh look not good
>The ssh- directories are standard, used by ssh-agent, just like
>anything, they still could be bad if you don't know what they
>are. To be honest there is nothing in this listing that screams
>hacker to me, they are all standard files used by various parts of the
What concerned me was the reported size 405504
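The checks behind steps 2, 4 and 6 above, written out as an added example (this is not code from the original post, from chkrootkit, or from the cleanfiles archive): a POSIX shell script that compares installed binaries with a manifest of known-good SHA-256 hashes, flags an uncommented telnet entry in an inetd.conf, and flags SSH protocol 1 in an sshd configuration. It assumes GNU sha256sum is installed; the manifest has to be built from binaries you trust (a fresh install medium, not the possibly compromised host), and every sample file, hash and configuration line below is constructed for the demonstration. The OpenSSH "Protocol" directive and the inetd.conf layout are not mentioned in the post; they are the equivalents of the sshd2 "Ssh1Compatibility" setting and the telnet service on systems of that era.

```shell
#!/bin/sh
# Added example, not from the original post, chkrootkit or cleanfiles.
# Three checks matching steps 2, 4 and 6 of the post:
#   verify_binaries - compare installed binaries with known-good SHA-256 hashes
#   telnet_enabled  - is an uncommented telnet service line present in inetd.conf?
#   ssh1_enabled    - does an sshd config still allow SSH protocol 1?
# Assumes sha256sum (GNU coreutils). All sample inputs below are constructed.

# verify_binaries MANIFEST
# MANIFEST holds "<sha256>  <path>" lines in `sha256sum` output format, taken
# from a trusted copy of the binaries. Prints OK / MODIFIED / MISSING per
# binary and returns 0 only when every binary matches.
verify_binaries() {
    manifest=$1
    status=0
    while read -r expected path; do
        # skip blank lines and comments in the manifest
        case $expected in ''|\#*) continue ;; esac
        if [ ! -f "$path" ]; then
            echo "MISSING   $path"
            status=1
            continue
        fi
        actual=$(sha256sum "$path" | cut -d' ' -f1)
        if [ "$actual" = "$expected" ]; then
            echo "OK        $path"
        else
            # a replaced ls/ps/netstat/du shows up here
            echo "MODIFIED  $path"
            status=1
        fi
    done < "$manifest"
    return $status
}

# telnet_enabled INETD_CONF
# Returns 0 if an uncommented telnet service line is present (step 4).
telnet_enabled() {
    grep -Eq '^[[:space:]]*telnet[[:space:]]' "$1"
}

# ssh1_enabled SSHD_CONFIG
# Returns 0 if the file enables protocol 1: OpenSSH "Protocol 1" or
# "Protocol 2,1", or the sshd2 "Ssh1Compatibility yes" from step 6.
# Commented lines are ignored.
ssh1_enabled() {
    grep -Eiq '^[[:space:]]*(Protocol[[:space:]]+([0-9],)*1([, ]|$)|Ssh1Compatibility[[:space:]]+yes)' "$1"
}

# --- demonstration with constructed files (not real system binaries) ---------
demo() {
    tmp=$(mktemp -d)
    printf 'clean ls\n' > "$tmp/ls"
    printf 'clean ps\n' > "$tmp/ps"
    # record the hashes while the files are trusted, then tamper with ps
    sha256sum "$tmp/ls" "$tmp/ps" > "$tmp/manifest"
    printf 'replaced ps\n' > "$tmp/ps"
    verify_binaries "$tmp/manifest" || echo "at least one binary differs from the manifest"

    printf 'telnet\tstream\ttcp\tnowait\troot\t/usr/sbin/tcpd\tin.telnetd\n' > "$tmp/inetd.conf"
    telnet_enabled "$tmp/inetd.conf" && echo "telnet is still enabled in inetd.conf"

    printf '# Protocol 2,1\nProtocol 2\n' > "$tmp/sshd_config"
    ssh1_enabled "$tmp/sshd_config" || echo "sshd_config does not allow SSH1"
    rm -rf "$tmp"
}
demo
```

Run the manifest check with a copy of sha256sum and the manifest taken from a clean source, since a compromised host may also have a modified hashing tool; the three functions return non-zero on a clean result only for verify_binaries, so they can be chained into a nightly check that mails the output.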