This blog entry is the step-by-step process that one administrator followed to figure out what was going on with a cracked Linux server
. It's quite interesting to me, since I have had the exact same problem (a misbehaving ls -h
command) on a development server quite a while back. As it turns out, my server was cracked, maybe with the same tool, and this analysis is much more thorough than the one I was able to do at the time. If you've ever wondered how to diagnose a Linux server that has been hijacked, this short article is a good starting point.