When I checked my server's load, it was between 20-22. So when I checked the logs for a possible reason, I found too many proftpd requests timing out from different IP addresses.
Now I know that someone has scanned my ports. When I checked for any possible hacks on the server, I found some strange results:
I found 4-5 lines saying:
Bogus tcp line etc.. for at least 4-5 times and
a strange line saying ..
bogus Unix line once!!!
then it shows a line saying ..
possible Slapper worm infected ...
Two days back, when I checked for the same, I updated the faulty package
namely openssl version .90b etc.
I have applied this patch two days back....
But now today again these lines are showing up!!
What should I do to stop this worm from infecting? Is there any method to clean infected files?
The problem is that I checked the /tmp folder and it doesn't contain any .C file, which is an indication of infection.
So how do I know what is infected on the server? And how do I clean it?
The only warning I got is in chkrootkit output..
P.S. While I know some worms, rootkits, et al. are easier to get rid of manually than others, I believe the safest route is to wipe the system, re-install the operating system, re-install all applications which need to be installed from source, and then restore from a backup made prior to the hack.