Thanks Peter,
I did some previous checks with chkrootkit and Rootkit Hunter but only had a few warnings.
I have now installed ossec-rootcheck and it gave this:
[INFO]: Starting rootcheck scan.
[OK]: No presence of public rootkits detected. Analyzed 270 files.
[OK]: No binaries with any trojan detected. Analyzed 79 files.
[INFO]: System Audit: Web exploits (uncommon file name inside htdocs) - Possible compromise. File: /var/www/vhosts/chroot/bin/id. Reference:
http://www.ossec.net/wiki/index.php/WebAttacks_links .
[INFO]: System Audit: Web exploits (uncommon file name inside htdocs) - Possible compromise. File: /var/www/.ssh. Reference:
http://www.ossec.net/wiki/index.php/WebAttacks_links .
[OK]: No problem detected on the /dev directory. Analyzed 227 files
[FAILED]: File '/usr/local/psa/admin/htdocs/powertoys/emailtemplates/send_password_subject.html' is:
- owned by root,
- has written permissions to anyone.
[FAILED]: File '/usr/local/psa/admin/htdocs/powertoys/emailtemplates/send_password_html.html' is:
- owned by root,
- has written permissions to anyone.
[FAILED]: File '/usr/local/psa/admin/htdocs/powertoys/emailtemplates/domain_will_expire_html.html' is:
- owned by root,
- has written permissions to anyone.
[FAILED]: File '/usr/local/psa/admin/htdocs/powertoys/emailtemplates/domain_will_expire_txt.html' is:
- owned by root,
- has written permissions to anyone.
[FAILED]: File '/usr/local/psa/admin/htdocs/powertoys/emailtemplates/domain_expire_txt.html' is:
- owned by root,
- has written permissions to anyone.
[FAILED]: File '/usr/local/psa/admin/htdocs/powertoys/emailtemplates/domain_expire_html.html' is:
- owned by root,
- has written permissions to anyone.
[FAILED]: File '/usr/local/psa/admin/htdocs/powertoys/emailtemplates/domain_expire_subject.html' is:
- owned by root,
- has written permissions to anyone.
[FAILED]: File '/usr/local/psa/admin/htdocs/powertoys/emailtemplates/send_password_txt.html' is:
- owned by root,
- has written permissions to anyone.
[FAILED]: File '/usr/local/psa/admin/htdocs/powertoys/licdata.php' is:
- owned by root,
- has written permissions to anyone.
[FAILED]: File '/usr/local/psa/admin/htdocs/powertoys/key.php' is:
- owned by root,
- has written permissions to anyone.
[FAILED]: File '/usr/local/psa/tmp/vhosts.tar.gz' is:
- owned by root,
- has written permissions to anyone.
[FAILED]: File '/usr/local/psa/tmp/default_skeleton.tgz' is:
- owned by root,
- has written permissions to anyone.
[FAILED]: File '/usr/local/psa/tmp/ftp.pamd' is:
- owned by root,
- has written permissions to anyone.
[FAILED]: File '/usr/local/psa/tmp/psa.key' is:
- owned by root,
- has written permissions to anyone.
[FAILED]: File '/usr/local/psa/tmp/run-root.tar' is:
- owned by root,
- has written permissions to anyone.
[FAILED]: File '/usr/local/psa/var/modules/watchdog/lib/rkhunter/db/mirrors.dat' is:
- owned by root,
- has written permissions to anyone.
[FAILED]: File '/sys/module/sbs/parameters/capacity_mode' is:
- owned by root,
- has written permissions to anyone.
[FAILED]: File '/sys/module/sbs/parameters/update_mode' is:
- owned by root,
- has written permissions to anyone.
[ERR]: Check the following files for more information:
rootcheck-rw-rw-rw-.txt (list of world writable files)
rootcheck-rwxrwxrwx.txt (list of world writtable/executable files)
rootcheck-suid-files.txt (list of suid files)
[OK]: No hidden process by Kernel-level rootkits.
/bin/ps is not trojaned. Analyzed 32768 processes.
[OK]: No kernel-level rootkit hiding any port.
Netstat is acting correctly. Analyzed 131072 ports.
[OK]: The following ports are open:
21 (tcp),22 (tcp),25 (tcp),53 (tcp),53 (udp),
80 (tcp),106 (tcp),110 (tcp),111 (tcp),111 (udp),
143 (tcp),443 (tcp),465 (tcp),953 (tcp),
993 (tcp),995 (tcp),1701 (tcp),3000 (tcp),
3306 (tcp),5353 (udp),5432 (tcp),8443 (tcp),
8880 (tcp),32859 (udp),32860 (udp),33301 (udp),
33483 (udp)
[OK]: No problem detected on ifconfig/ifs. Analyzed 5 interfaces.
- Scan completed in 145 seconds.
[INFO]: Ending rootcheck scan.