Terry I have had this before, you could have a corrupt ps binary so therefore not able to see the process when doing a ps -aux command, try and get a new ps binary on that machine then run one and then you're corrupt one, if you then compare the outputs you will see the hidden process. Other processes to check for corruption would be du, ls, df, lsof and find.
You should be able to clean the machine if it is critical for a network, but if you are in a position where formatting and starting again is not a problem then do that. However you should take steps to work out how you were compromised and then take steps to secure for the future. Are you running portsentry or other programs to prevent attack. Have you got old insecure versions of openssh running etc. When I saw this on my machine I later found out that I had bobkit installed, luckily I had a local machine here that once not on the network and so could just pull off the clean binaries. http://www.stearns.org/detectlib/bobkit.html for a description of the kit itself. Good news is that I have recently received an email saying that the hacking crew that did this to me as been caught! Regards Tim Howes
