I was just running "ps aux" as my user and found that another user (userX) is spawning many "./scanssh" processes. Running "tail -f" on /var/log/auth.log shows many attempts at brute-forcing the root account on this server. I know that userX didn't start that "./scanssh" process, so I think one of those brute-forcers is already in the server.
Now, what I want to ask is: 1. How do I know that the attacker hasn't already got root (privilege escalation)? 2. How do I know that no binary is compromised?
sorry4myengrish...