Franco -
You can try to find it in /proc. You can also use sockstat to check for unusual socket connections.
Once I locate the actual binary, I run 'strings' against it and look for anything unusual. Look for dirs named '...' and '....' in /var/tmp and /tmp, as this is more often than not a "starting point".
Please respond and share your findings with the group.
Thanks! -dant
Franco wrote:
Hi, I have an old Red Hat 9.0 updated to the last release of RH; in some cases in top I see httpd shown as exe. I have read that it can be a virus or trojan, but how can I know this, and if so, how can I delete it? I ran chkrootkit and rkhunter on the server, and it seems that chkrootkit sometimes tells me that I have hidden processes, but not always, and rkhunter tells me that all is OK. Any suggestions?
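
The checks suggested in the reply above (resolving the real binary through /proc and looking for dot-only directory names in /tmp and /var/tmp), as an added shell example that is not part of the original thread. The function names and the `--run` switch are assumptions of this example; the `(deleted)` check relies on how Linux labels an unlinked executable in /proc/PID/exe.

```shell
#!/bin/sh
# Added triage example (read-only). Function names are hypothetical.

# Print directories whose names consist only of dots ('...', '....').
find_dot_dirs() {
    for base in "$@"; do
        [ -d "$base" ] || continue
        find "$base" -xdev -type d -name '...*' 2>/dev/null |
        while IFS= read -r d; do
            name=${d##*/}
            case $name in
                *[!.]*) ;;                    # contains a non-dot character: skip
                *) printf '%s\n' "$d" ;;      # three or more dots and nothing else
            esac
        done
    done
}

# For each PID under a proc root, resolve the exe link and report processes
# whose binary was unlinked after start or lives under /tmp or /var/tmp.
suspicious_procs() {
    proc_root=${1:-/proc}
    for p in "$proc_root"/[0-9]*; do
        [ -d "$p" ] || continue
        exe=$(readlink "$p/exe" 2>/dev/null) || continue   # unreadable or kernel thread
        reason=
        case $exe in
            *' (deleted)') reason=deleted ;;
        esac
        case $exe in
            /tmp/*|/var/tmp/*) reason=${reason:+$reason,}tempdir ;;
        esac
        [ -n "$reason" ] && printf '%s\t%s\t%s\n' "${p##*/}" "$reason" "$exe"
    done
    return 0
}

# Live use (as root, so every /proc/PID/exe is readable): sh triage.sh --run
if [ "${1:-}" = "--run" ]; then
    find_dot_dirs /tmp /var/tmp
    suspicious_procs /proc
fi
```

Each line from `suspicious_procs` gives the PID, the reason and the resolved path, which is the binary to run 'strings' against.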