HP3000-L Archives

August 2006, Week 5

HP3000-L@RAVEN.UTC.EDU

From: Dave Waroff <[log in to unmask]>
Reply To: Dave Waroff <[log in to unmask]>
Date: Tue, 29 Aug 2006 08:44:33 -0700

You'll want chkrootkit

http://freshmeat.net/projects/chkrootkit/

and you might also want to monitor TCP/IP on that box with ethereal on
another box via a hub

http://www.ethereal.com/

But some password finding attempts are constant, especially against SSH
and SMTP

-----Original Message-----
From: HP-3000 Systems Discussion [mailto:[log in to unmask]] On
Behalf Of Art Bahrs
Sent: Monday, August 28, 2006 9:11 PM
To: [log in to unmask]
Subject: Re: ot - linux virus under apache - help needed


Hi John :)
    First a public reply... remember email is not secure (tho I will
sign this one)

   Has the customer looked into the packets themselves?  This is needed
to confirm that the source IP is really correct and not spoofed... also,
have you checked your log files?  ie do you see the password hack
attempts coming from within your DMZ? (you do have all your external
facing boxes in true DMZ's right? :) )

   Also, have you verified that nothing has been "morphed" on your
Apache box?  Tripwire (yes, a plug... they are a Portland Company with
an awesome product!) will help with this kind of thing, but only if
baselined before something has been morphed...or changed into another
program.... remember Sol.exe isn't always Solitaire... if it has been
replaced by something else... like John the Ripper (really neat
password hack program)
