Well, apparently, some “script-kiddies” succeeded implanting a rootkit on my webserver, which is awesome 🙂 I noticed it, accidentally performing a regular cleaning of my website for some unrequired files… Anyway, found few tar files inside /. With netstat -atunp I saw a strange connection performed automatically to few IRC servers with port 6667 and 7000, after I run few tcpdump and tcpflow sessions, I saw that it is a bot running on my server, cool! A Linux bot! Nice to meet you Linux bot! It took me an hour to find it and remove it, the most interesting shit, the bot used a backdoor located on Linux PAM patches or updates then it replaced bash env + lsof command so lsof command output displayed an illusion… That’s why it took me so long to locate and disable this shit. I started to look some further, found a user named user inside my passwd file, the shadow file had two root entries and exactly the same entry for user user… Apparantly, as I changed the root password it was automatically applied to user too 🙂 Very nice piece of software guys! Anyway, you should try harder.