I ran chkrootkit and the only things that showed up were a lot of php stuff from ispconfig, and this:
"Searching for anomalies in shell history files... Warning: `' is linked to another file"
and this:
"Checking `chkutmp'... The tty of the following user process(es) were not found in /var/run/utmp !
! RUID PID TTY CMD
! root 2286 tty7 /usr/bin/Xorg -br -nolisten tcp :0 vt7 -auth /var/lib/xdm/authdir/authfiles/A:0-gLBli6"
I looked at my history for root and didn't see anything strange.
I also looked at a lot of logs and didn't see anything other than what I saw in the logs that disappeared.
I looked at my user list and didn't see anything strange.
Do you have any suggestions as to where I might look to find something or someone that shouldn't be there?
Quote:
If I were already in your box, I might be tempted to remove log files which show when and how I broke in. Not to cause a panic, but do look around a bit ...