On Fri, Aug 15, 2014 at 10:50:55AM -0500, Adam Thompson wrote:
> While a long way from perfect, tools such as "chkrootkit" and "rkhunter"
> might shed some light on your situation.
> As Giancarlo said, check every machine that's closely interconnected, not
> just the one compromised server you've noticed.
> I haven't used them under OpenBSD, so not sure how effective they'll be
> (both projects claim to support OpenBSD), but they're probably more
> appropriate than clamscan(1) which looks for mostly MS Windows-based
> viruses, not rootkits.

Thank you for the suggestion. I just ran both chkrootkit and rkhunter.
chkrootkit didn't find any matches. rkhunter had a couple warnings but
to my eye they checked out, i.e. warning that pkg_info is a perl
script.

That said, I'm going to make chkrootkit and rkhunter a regular part of
my maintenance regime, perhaps add them as daily cron jobs.
