How to detect malicious script in my CentOS server?

Question

I am warned from my VPS provider that my server sends a lot of SSH SYN Attack to other servers, but I have no idea how to deal with it.

Here's the detail my provider sent me:

enter image description here

Where can I find the logs that record all of these attack in my server?
How do I deal with this (find the script that send these request) step by step ?

The answer to (1) is "You can't". A decent attacker would have covered their tracks. The answer to (2) is contained in the question I've marked this as a duplicate of: "Figure out how they got in, then start over on a clean server and make sure to close that hole" — voretaq7, Oct 18 '13 at 15:34

WoooHaaaa · Answer 1 · 2013-10-21T04:18:21.980

0

Finally I find the script.

ps -ef I found 10 processes named ./u2000 &, I thought it was wired.
ls -l /prod/PID/exe I find it links to Tomcat/bin/u2000.
I never know such a thing in Tomcat, so I just remove it and stop all its processes.
Disable tomcat's web console and users.
Change tomcat dir to a standalone user which has limited permission.

edited Oct 21 '13 at 04:18

answered Oct 18 '13 at 10:33

WoooHaaaa

1

You might want to do full audit on your system, because you just stop the offending application, but you still don't know how it get into your system in the first place. – Sharuzzaman Ahmat Raslan Oct 18 '13 at 10:41
Yeah, you basically should assume your system is compromised no matter what, at this point. – Michael Martinez Oct 19 '13 at 00:55

1 Answers1