Any suggestions on what to run on a centos box to verify that the server isn't compromised or being sniffed? Thanks!
I remember sending the following email a few weeks ago to someone else with the same doubts:
Hello, just in case it helps, please find below the steps I have used to analyze several suspicious machines at some customers, to check whether they have been compromised or not:
* chkrootkit && rkhunter -> to search for known trojans and common Linux malware.
* unhide (http://www.unhide-forensics.info/) -> to check for hidden processes and TCP sockets.
* rpm -Va -> to check binary integrity against the installed RPMs.
* If the netstat binary looks sane, check the listening sockets.
* If the ps binary looks sane, check the running processes it shows.
* Check console connections with the "last" and "lastb" commands.
* tcpdump on the network interfaces, excluding traffic of the known running services (80, 25, 21, etc., depending on the role of the machine), to check for weird traffic.
* grep -i segfault /var/log/* -> to check for buffer overflows in the logs.
* grep -i auth /var/log/* | grep -i failed -> to check for failed authentication attempts.
* lsmod -> to check the loaded kernel modules (it is very difficult to find out something wrong here, but just to be sure nothing weird appears).
* lsof -> to check the currently opened files.
* Check xinetd -> to find out if someone has added some new "service".
* Have a look at /tmp, /opt, /usr/bin, /usr/local/bin, /usr/sbin and .bash_history...
* Check /etc/passwd and verify that the users present there are legitimate.
* Check the crontab of every user to make sure no unexpected process has been scheduled.
Hope the checklist helps... Regards,
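As an added example (not part of the checklist author's email or of any CentOS tool), a small POSIX shell script that automates a few of the steps above: it filters `rpm -Va` output down to changed or missing non-config files, tallies failed logins per source address, counts segfault lines and flags extra UID-0 accounts in /etc/passwd. All input strings are constructed sample data so the script runs offline; on a real host you would feed it live `rpm -Va`, /var/log/secure and /etc/passwd instead.

```shell
#!/bin/sh
# Triage helpers for the checklist above. Every SAMPLE_* value below is
# CONSTRUCTED sample data, not output captured from any real host.

# Constructed `rpm -Va` output. Flag columns: S=size M=mode 5=md5 D=dev L=link
# U=user G=group T=mtime ("." = unchanged); an optional "c" marks a config file.
SAMPLE_RPM_VA='S.5....T.    /bin/netstat
.......T.  c /etc/ssh/sshd_config
S.5....T.  c /etc/motd
..5......    /usr/sbin/ss
missing     /usr/bin/lsof
.M.......    /usr/bin/ps'
# Constructed /var/log/secure lines.
SAMPLE_SECURE='Feb 18 21:07:01 host sshd[1201]: Failed password for root from 198.51.100.7 port 4321 ssh2
Feb 18 21:07:03 host sshd[1201]: Failed password for invalid user admin from 198.51.100.7 port 4322 ssh2
Feb 18 21:08:10 host sshd[1210]: Accepted publickey for al from 192.0.2.10 port 5000 ssh2
Feb 18 21:09:00 host kernel: httpd[2233]: segfault at 0 ip 0000000000400123 sp 00007ffc1234abcd error 4 in httpd[400000+1000]'
# Constructed /etc/passwd.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
al:x:500:500::/home/al:/bin/bash
toor:x:0:0::/:/bin/sh'

# Paths from `rpm -Va` whose size, mode or MD5 changed, or that are missing.
# Config files ("c") are skipped: they legitimately differ from the package,
# whereas a changed binary such as netstat or ps is exactly what to look for.
rpm_va_suspects() {
    printf '%s\n' "$1" | awk '
        $1 == "missing" { print $NF; next }
        substr($1,1,1) == "S" || substr($1,2,1) == "M" || substr($1,3,1) == "5" {
            if ($2 != "c") print $NF
        }'
}
# Failed logins tallied per source address (the `grep -i failed` step).
failed_logins_by_source() {
    printf '%s\n' "$1" | awk '
        /[Ff]ailed/ { for (i = 1; i <= NF; i++) if ($i == "from") c[$(i+1)]++ }
        END { for (a in c) print c[a], a }' | sort -rn
}
# Number of segfault lines in the log (the `grep -i segfault` step).
segfault_count() { printf '%s\n' "$1" | grep -ci segfault; }
# Accounts other than root that have UID 0 (the /etc/passwd step).
extra_uid0_users() { printf '%s\n' "$1" | awk -F: '$3 == 0 && $1 != "root" { print $1 }'; }

# On a live box call these with "$(rpm -Va 2>/dev/null)", "$(cat /var/log/secure)"
# and "$(cat /etc/passwd)" instead of the constructed samples.
rpm_va_suspects "$SAMPLE_RPM_VA"
failed_logins_by_source "$SAMPLE_SECURE"
```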
On 19/02/12 03:18, Al wrote:
On Feb 18, 2012, at 9:07 PM, Donkey Hottie wrote:
On 19.2.2012 3:38, Al wrote:
Any suggestions on what to run on a centos box to verify that the server isn't compromised or being sniffed? Thanks!
rkhunter comes to my mind.
Thanks for the suggestion, any others?
_______________________________________________
CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Al writes:
Any suggestions on what to run on a centos box to verify that the server isn't compromised or being sniffed? Thanks!
This is very handy, especially for web servers: http://www.rfxn.com/projects/linux-malware-detect/
(beware, it's _very_ slow)
-- Nux! www.nux.ro