
I'm in a really strange situation. A few hours ago Rackspace issued a ticket saying there's an outbound flood originating from my server.

Thinking the server might have been rooted with a rootkit I ran chkrootkit scans and nothing showed up.

So I decided to change ssh password and this is what happened.

$ passwd <<username>>
Enter new UNIX password: 
Retype new UNIX password: 
passwd: password updated successfully

When I did the exact same thing on another Ubuntu 11.10, this happened.

$ passwd <<username>>
Changing password for username.
(current) UNIX password:
Enter new UNIX password: 
Retype new UNIX password: 
passwd: password updated successfully

Hence, on one server (suspected to have been attacked) the passwd command doesn't ask for the "previous" password before changing the password. On the other server it does.

I checked nginx access logs and found HTTP calls originating from "localhost". I think there might be a suspicious script running on the server.

Could it be possible that the system is compromised?

Lastly, I'd like to ask if someone knows of a good rootkit scan I could run on the server. I'm not asking for a silver bullet but something you guys usually use. I'm fairly new to server security.

Thanks guys!

voretaq7
qwexar
    possible duplicate of [How do I deal with a compromised server?](http://serverfault.com/questions/218005/how-do-i-deal-with-a-compromised-server) – MadHatter Mar 26 '13 at 15:40
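A triage aid for the "calls from localhost" observation in the question, added here as an example and not taken from the original post or its answer: it parses nginx default combined-format access log lines and tallies the requests whose source address is loopback, which is what a process running on the server itself would produce. The log lines embedded in it are constructed.

```python
import re
import ipaddress
from collections import Counter

# nginx default "combined" log format (one request per line):
# $remote_addr - $remote_user [$time_local] "$request" $status $body_bytes_sent "$http_referer" "$http_user_agent"
COMBINED_RE = re.compile(
    r'^(?P<addr>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not match."""
    m = COMBINED_RE.match(line.strip())
    return m.groupdict() if m else None

def is_loopback(addr):
    try:  # True for 127.0.0.0/8 and ::1, i.e. a request that came from the server itself
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return False

def loopback_summary(lines):
    """Count loopback-origin requests by (method, path, user agent); returns (counter, loopback, parsed)."""
    counter = Counter()
    loop = parsed = 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:  # skip lines that are not in combined format
            continue
        parsed += 1
        if not is_loopback(rec["addr"]):
            continue
        loop += 1
        parts = rec["request"].split(" ")
        method = parts[0] if parts[0] else "-"
        path = parts[1] if len(parts) > 1 else "-"
        counter[(method, path, rec["ua"])] += 1
    return counter, loop, parsed

# Constructed sample: two loopback hits on one URL, an IPv6 loopback POST, one outside client, one junk line.
SAMPLE_LOG = """\
127.0.0.1 - - [26/Mar/2013:15:01:02 +0000] "GET /index.php HTTP/1.0" 200 512 "-" "Wget/1.12 (linux-gnu)"
203.0.113.7 - - [26/Mar/2013:15:01:05 +0000] "GET / HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
127.0.0.1 - - [26/Mar/2013:15:01:07 +0000] "GET /index.php HTTP/1.0" 200 512 "-" "Wget/1.12 (linux-gnu)"
::1 - - [26/Mar/2013:15:01:09 +0000] "POST /upload.php HTTP/1.1" 200 10 "-" "curl/7.22.0"
this line is not an access log entry
"""
```

Run `loopback_summary(open("/var/log/nginx/access.log"))` on the real file; a (method, path, agent) tuple with a high count and a tool-style user agent is the first thing to match against cron entries and running processes.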

1 Answer


When you run passwd as root, you are not prompted for the old password. As any other user, you are prompted for the old password.

Michael Hampton