1. After I su, I used the Arrow Up key to use the previous command, and I saw "last | more", which I never used. I checked last | more but saw no IP other than from where I log in. Since I have used su many times, it cannot be from the initial setup.
2. My Mem in top has always been at least 20M regardless of whether there is a hit on httpd or not. But one day it suddenly dropped to 10M. Since then, it always stays at 10M. So I wonder what made the Mem usage 20M for 5 days and then suddenly drop back to 10M? Was it some process running under a common name?
I have 2 requests:
1. How to check if the box is hacked?
2. How to check the FULL path of the program running in top, since it only gives me the brief name of the program, such as httpd, sshd, cron. I am worried the hacker may name their programs httpd too.
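For the second request, an added example that is not part of the original thread: on Linux, /proc/PID/exe is a symlink to the binary the kernel loaded, so the short name shown in top can be mapped to a full path per process. The function name `audit_by_name`, the `PROC_ROOT` override and the `EXPECTED_DIRS` list are assumptions of this example; adjust the directory list to your distribution.

```shell
#!/bin/sh
# Added example: resolve the short names shown by top to full executable paths.
# PROC_ROOT and EXPECTED_DIRS are assumptions of this example, not system settings.
PROC_ROOT="${PROC_ROOT:-/proc}"
EXPECTED_DIRS="${EXPECTED_DIRS:-/bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin /usr/lib /usr/libexec}"

# Print "PID<TAB>STATUS<TAB>PATH" for every process whose short name equals $1.
# The ( ) body runs in a subshell, so the loop variables stay local.
audit_by_name() (
    name="$1"
    for dir in "$PROC_ROOT"/[0-9]*; do
        [ -r "$dir/comm" ] || continue
        comm=$(cat "$dir/comm" 2>/dev/null) || continue
        [ "$comm" = "$name" ] || continue
        pid=${dir##*/}
        # exe points at the file that was executed; it does not come from
        # argv[0], which any program can set to "httpd".
        exe=$(readlink "$dir/exe" 2>/dev/null) || exe=""
        case "$exe" in
            "")            status=UNREADABLE ;;   # not root, or a kernel thread
            *" (deleted)") status=DELETED ;;      # binary unlinked while running
                                                  # (also seen after package upgrades)
            *)  status=UNEXPECTED_DIR
                for d in $EXPECTED_DIRS; do
                    case "$exe" in "$d"/*) status=OK ;; esac
                done ;;
        esac
        printf '%s\t%s\t%s\n' "$pid" "$status" "$exe"
    done
)

# Usage as root: sh audit.sh httpd
if [ $# -gt 0 ]; then
    audit_by_name "$1"
fi
```

On a box that is actually rooted, /proc output can itself be falsified, so an OK line only means this one indicator is absent.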
It's advisable to have your system admin do a security audit ASAP.
Install both of them and run them on a cron daily to email you the results.
If you are rooted, then wipe the box and start fresh; it is the only way to be sure the hacker is out of your system.
Best of luck to you,