Hey guys, I just finished running the latest versions of rkhunter and chkrootkit. Both just find the normal errors (bindshell, and the latest cPanel errors with rkhunter).
I found 3 eggdrops running under user nobody. Under further investigation they were installed under the /usr/local/apache/proxy/ directory. The directory was nobody:nobody 755. I backed up the directory, nuked it, and recreated it with root:root 700. Has anyone else seen this? It appears these were the directions the intruder was following "http://chanary.net/tools/caramudahbikinbot.html." Is this something I should be more concerned with? Is there a better way to prevent it? I’m planning on changing my SSH port however it already is a random high numbered port.
Thanx,
Chuck
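A check added here (not the poster's own, and not something the thread contains) that flags processes run as the web-server user whose executable sits under a web-writable directory such as /usr/local/apache/proxy, where the eggdrops were found. The ps listing is a constructed sample, and the watched directory list and the `ps -eo user,pid,args` column layout are assumptions:

```shell
#!/bin/sh
# Added example, not from the original post: find processes owned by the
# web-server user (nobody) that were started from directories it can write
# to, such as /usr/local/apache/proxy, /tmp or /var/tmp. Bots dropped via a
# web exploit typically run from exactly those places.

# Constructed sample of `ps -eo user,pid,args` output (assumed Linux procps
# column order) so the check can be exercised offline.
SAMPLE_PS='USER     PID ARGS
root       1 /sbin/init
nobody   812 /usr/local/apache/bin/httpd -DSSL
nobody  2211 /usr/local/apache/proxy/.x/eggdrop -m eggdrop.conf
nobody  2212 /usr/local/apache/proxy/.x/eggdrop -m eggdrop.conf
nobody  2213 /usr/local/apache/proxy/.x/eggdrop -m eggdrop.conf
chuck   3001 -bash'

# Directories the web-server user should never execute anything from.
# Assumption: adjust to the paths that are nobody-writable on your box.
SUSPECT_DIRS="/usr/local/apache/proxy /tmp /var/tmp /dev/shm"

# suspicious_procs WEB_USER [PS_LISTING]
# Prints "PID PATH" for every process owned by WEB_USER whose command path
# begins with one of SUSPECT_DIRS. With no listing given, reads live `ps`.
suspicious_procs() {
    user="$1"
    listing="${2:-$(ps -eo user,pid,args)}"
    printf '%s\n' "$listing" | awk -v u="$user" -v dirs="$SUSPECT_DIRS" '
        BEGIN { n = split(dirs, d, " ") }
        NR > 1 && $1 == u {
            # index()==1 means the command path starts with "<dir>/"
            for (i = 1; i <= n; i++)
                if (index($3, d[i] "/") == 1) { print $2, $3; break }
        }'
}

# Run against the sample: the three eggdrops are reported, httpd is not.
suspicious_procs nobody "$SAMPLE_PS"
```

Run it against the live system with `suspicious_procs nobody` (no second argument); anything it prints is worth comparing against the package-owned binaries you expect to see.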