There are a number of warning signs that a system has been compromised. The cases below warrant further investigation. Of course, they aren’t all guarantees that your system has been compromised, however they can be strong indicators.
1. Your welcome banner shows the last log in from an unknown/foreign IP address:
Last login: Tue Dec 2 16:08:41 2014 from 184.108.40.206 root@mt:~#
2. The load on a usually idle system is suspiciously high:
root@mt:~# w 17:06:39 up 62 days, 22:37, 1 user, load average: 8.12, 8.14, 8.11 USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT root pts/0 pwn 17:03 7.00s 0.00s 0.00s w
This could indicate that unknown processes are running.
Read the rest of this entry »