SSH access logs user and unencrypted password to a file: find owner process [closed]

http://serverfault.com – Possible Duplicate:
My server's been hacked EMERGENCY
Find out which process is changing a file

We have a server with CentOS 5. After an attack the server got infected by something which injects code in every HTML, PHP and JS file. The origin of the attack is unknown, as is the name of the virus.

Looking at the file system, I found an interesting file in the path which is not present in other CentOS 5 installations: /usr/include/linux/byteorder/ssh.h

It is registering all users and unencrypted passwords of all accesses using SSH. I guess it is being used by the virus to steal