I am running a server inside my LAN which is protected by a firewall (my DSL router). Ports for DNS, FTP, SSH, HTTP and HTTPS are forwarded to my Debian machine.
Yesterday I found a script, distwatch, in cron.daily which was a script to put the rootkit back if an admin has removed it (or so the text at the beginning of the script tells me). I also saw the word "suckit" in this script, which is a rootkit I think. I was wrong when I said chkrootkit found nothing: it found 2 processes hidden from ps, keventd and kflushd (I'm not sure because I shut down my server to figure out how to deal with this problem).
In total there were two daemons which had no man pages:
Killd (with googling I saw something about denial of service attacks, but I'm not sure)
Distwatchd (about which I could find nothing by googling)
My question now is how to disinfect my system, how do I locate keventd and kflushd, and how do I know for sure my system is clean?
Thanks for responding everyone :)