Quote:
Originally Posted by Fris
use chkrootkit to find which files have been modified
Run it daily - because part of the trick is how they get access - the initial break-in occurs via FTP, usually obtained by a compromised webmaster PC. So the webmaster gets their server cleaned up, and the next day, they walk right back in (because even when you change the FTP or telnet passwords, they pick them right up again on your next access).
You need to check and clean not only the server, but any and all PCs that may have FTP or telnet access to the server, including all systems used by your hosting company that might have access.
Good fucking luck.
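
Added example, not part of the post above: a check for the re-entry pattern it describes, flagging successful FTP logins and uploads from addresses an account does not normally use. It assumes vsftpd-style log lines; the sample log, account names, addresses and the `find_unexpected_ftp_activity` helper are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample in vsftpd-style log format (assumption: the server logs
# logins and uploads this way; addresses are from documentation ranges).
SAMPLE_LOG = '''\
Mon Mar  3 09:12:01 2025 [pid 811] [webmaster] OK LOGIN: Client "198.51.100.10"
Mon Mar  3 09:13:40 2025 [pid 811] [webmaster] OK UPLOAD: Client "198.51.100.10", "/www/about.html", 2048 bytes
Tue Mar  4 02:47:15 2025 [pid 990] [webmaster] OK LOGIN: Client "203.0.113.77"
Tue Mar  4 02:47:58 2025 [pid 990] [webmaster] OK UPLOAD: Client "203.0.113.77", "/www/index.php", 9120 bytes
Tue Mar  4 10:05:22 2025 [pid 1012] [webmaster] OK LOGIN: Client "198.51.100.10"
Tue Mar  4 11:30:09 2025 [pid 1100] [designer] FAIL LOGIN: Client "203.0.113.77"
'''

LINE_RE = re.compile(
    r'^(?P<ts>\w{3} \w{3} [ \d]\d \d\d:\d\d:\d\d \d{4}) \[pid \d+\] '
    r'\[(?P<user>[^\]]+)\] (?P<status>OK|FAIL) (?P<action>LOGIN|UPLOAD): '
    r'Client "(?P<ip>[^"]+)"(?:, "(?P<path>[^"]+)")?'
)

def find_unexpected_ftp_activity(log_text, known_ips):
    """Return (alerts, uploads) for successful FTP activity from unknown IPs.

    known_ips maps account -> set of addresses that account normally uses.
    """
    alerts, uploads = [], defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m['status'] != 'OK':
            continue  # unparsed lines and failed attempts are out of scope here
        user, ip = m['user'], m['ip']
        if ip in known_ips.get(user, set()):
            continue  # expected address for this account
        if m['action'] == 'LOGIN':
            alerts.append((m['ts'], user, ip))
        elif m['path']:
            uploads[(user, ip)].append(m['path'])
    return alerts, dict(uploads)

if __name__ == '__main__':
    baseline = {'webmaster': {'198.51.100.10'}}
    alerts, uploads = find_unexpected_ftp_activity(SAMPLE_LOG, baseline)
    for ts, user, ip in alerts:
        print(f'{ts}: {user} logged in from unlisted address {ip}')
        for path in uploads.get((user, ip), []):
            print(f'    uploaded {path} (review this file)')
```

A hit after a password change means the new credentials leaked too, which points back at the client machines rather than the server.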