I've been infected!

Hi. My server has been infected. I checked with rkhunter & chkrootkit but they didn't give me a meaningful result.
A cron (from root) has been running every minute and creates a /tmp/sh file, like this:

# less /var/log/cron
Jul 13 16:36:01 servername crond[30119]: (root) CMD ( cp /bin/sh /tmp/sh ; chown root /tmp/sh ; chmod 4755 /tmp/sh ; rm -f /etc/cron.d/core)

I'm using cPanel/WHM and there isn't any abnormal line in root's crontab file.
I checked all the cPanel scripts except "dcpumon", because it's a binary file:
*/5 * * * * /usr/local/cpanel/bin/dcpumon >/dev/null 2>&1

But there isn't any line in root's crontab file to run a script every minute. However, this cron has been running every minute.

What's this, and how can I disinfect it?

Thanks
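
A triage sketch for the log line quoted in the post, added here as an example and not part of the original post: it parses crond lines in the format shown above and flags commands that copy a shell, set a setuid/setgid mode, or delete a file under /etc/cron.d (a drop-in directory crond reads in addition to per-user crontabs). The rule names, the regexes and the second sample line are assumptions constructed for illustration.

```python
import re

# crond line format as it appears in the post:
#   Jul 13 16:36:01 servername crond[30119]: (root) CMD ( ... )
CRON_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s+\S+\s+crond?\[\d+\]:\s+"
    r"\((?P<user>[^)]+)\)\s+CMD\s+\((?P<cmd>.*)\)\s*$"
)

# Illustrative heuristics (assumptions of this example, not a complete rule set).
RULES = {
    # a shell binary copied or linked to another path
    "shell-copy": re.compile(
        r"\b(?:cp|ln|install)\s+(?:-\S+\s+)*/bin/(?:ba|da|k|z)?sh\s+\S+"),
    # chmod with a setuid/setgid bit: 4-digit octal starting 2-7, or symbolic +s
    "setuid-chmod": re.compile(
        r"\bchmod\s+(?:-\S+\s+)*(?:[2-7][0-7]{3}\b|[ugoa]*[+=][rwxXt]*s)"),
    # job deletes a file in /etc/cron.d, which crond reads besides user crontabs
    "cron-dropin-removed": re.compile(
        r"\brm\s+(?:-\S+\s+)*/etc/cron\.d/\S+"),
}

def triage(lines):
    """Return (timestamp, user, matched rule names, command) per flagged line."""
    hits = []
    for line in lines:
        m = CRON_RE.match(line)
        if not m:
            continue  # not a crond CMD line
        cmd = m["cmd"].strip()
        matched = [name for name, rx in RULES.items() if rx.search(cmd)]
        if matched:
            hits.append((m["ts"], m["user"], matched, cmd))
    return hits

SAMPLE_LOG = [
    # copied from the post
    "Jul 13 16:36:01 servername crond[30119]: (root) CMD ( cp /bin/sh /tmp/sh ; "
    "chown root /tmp/sh ; chmod 4755 /tmp/sh ; rm -f /etc/cron.d/core)",
    # constructed: the dcpumon crontab entry as crond would log it
    "Jul 13 16:35:01 servername crond[30102]: (root) CMD "
    "(/usr/local/cpanel/bin/dcpumon >/dev/null 2>&1)",
]

if __name__ == "__main__":
    for ts, user, rules, cmd in triage(SAMPLE_LOG):
        print(f"{ts} user={user} rules={','.join(rules)}\n    {cmd}")
```

On a live host the same function can be fed the lines of /var/log/cron; a hit on the last rule points at /etc/cron.d rather than root's crontab as the place to look.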

 

 

 

 
