One of our servers has malware on it and it hammers eth0. Using /sbin/ifconfig you see a few thousand reads and 3 G of transmits. Transmits roll up at about 0.3 G every 2 seconds. What keeps this bounded is that the AT&T network it is tied to is only good for about 200K upload and 1.5 meg download.

If you look in /boot you will find two linked files named IptabLes and IptabLex. Once you kill off these processes listed in ps -aux you can connect to the Internet again. Search on Google using 'IptabLes' and 'IptabLex'; if you do not use single quotes all the upper case gets replaced with lower case and you do not find anything. In our case data was added to the /etc/hosts table pointing to a 127.0.0.0xxxxxxx. The xxxxxx are a company in China. We ran a couple of malware detectors and none of them flagged it. When you search for 'IptabLes' you will find a very detailed description of where the files are and what they contain.

Removing these files fixes the problem for a few hours. In our case it starts after 12 PM EST, during lunch, and every so many hours. I have looked at cron and cron.hourly etc. and do not find anything suspicious. In my case I am looking for a date stamp of 22 May 2014. This is when this network crashed. We unplug this server from the switch and the network is back up and running. This box is a quad core AMD and ps -aux tells us that it is using 33% of CPU time; it has a 1G card, the switch is 1G, and with a slow network of 200K upload it just quits. You have to remove all the programs, and a few hours later it's back.

If the process is not started by cron then how else would one launch a program that can reload the files? Some appear to be assembled, some are python, and some are html (guess). This box has about 2 TBytes of engr files on it. We removed SL 5.10 and reformatted the disk, reinstalled 5.10 and it worked very well for a few weeks; then it came back. I need to find out where the main program is and blow it away. I would assume that it has multiple copies of itself ... but where? Is it contained in an OS file, as with some other viruses where the file contains the original in the first 4096 bytes and the next block is the virus, and the rest of the file follows at 8096? So if you run something like "cp" the virus spreads to all files in /bin.

If this were on a fast network, everything you own would be sent to China. Any ideas?? I didn't rewrite what is contained in the web page but just directed you to it. I don't think I would use a box in a secure environment to examine this; I am just skeptical of everything I see anymore. If anyone is interested I will share the details.

Thank You
Larry Linder
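The post describes IptabLes/IptabLex files in /boot, an injected loopback entry in /etc/hosts, and a program that comes back without any cron entry. As an added example (not from the original post, and not code from any project it mentions), the following read-only shell audit checks the standard non-cron launch points on an SL 5 / RHEL 5 style SysV-init system (init.d scripts, run-level S/K links, rc.local, inittab and ld.so.preload) for references to /boot or the dropper names, and lists loopback entries in /etc/hosts that are not localhost. Only the file names and the hosts-file symptom come from the post; the ROOT variable, the function names and the choice of paths to inspect are assumptions of this example. Point ROOT at a copy or a mount of the affected disk to audit it without touching the live box.

```shell
#!/bin/sh
# Added example, not part of the original post: a read-only audit of the
# persistence and hosts-file symptoms described above, for a SysV-init box
# such as SL 5 / RHEL 5. The names IptabLes/IptabLex and the loopback
# /etc/hosts entry come from the post; /etc/rc.d/init.d, /etc/rc.d/rc*.d,
# /etc/rc.local, /etc/inittab and /etc/ld.so.preload are the usual non-cron
# launch points on such systems (assumed here). ROOT may point at a copied
# or mounted filesystem so the live box is never modified; every check reads.

ROOT="${ROOT:-}"

# Files or symlinks directly under /boot named IptabLe*, one path per line.
find_iptables_droppers() {
    find "$ROOT/boot" -maxdepth 1 \( -type f -o -type l \) -name 'IptabLe*' 2>/dev/null || true
}

# /etc/hosts lines that map a loopback address to something other than a
# localhost name. A legitimate local alias will also show up here, so the
# output is a review list, not a verdict.
odd_loopback_hosts() {
    grep -E '^127\.' "$ROOT/etc/hosts" 2>/dev/null | grep -v 'localhost' || true
}

# Init scripts and boot-time config files that execute or reference
# something in /boot or the dropper names; nothing legitimate launches from
# /boot, so each listed file deserves a manual look.
init_files_referencing_boot() {
    grep -lE '/boot/|IptabLe' \
        "$ROOT"/etc/rc.d/init.d/* "$ROOT"/etc/rc.local \
        "$ROOT"/etc/inittab "$ROOT"/etc/ld.so.preload 2>/dev/null || true
}

# Any entry under /etc/rc.d (init.d scripts or S/K run-level links) whose
# name contains the dropper prefix.
rc_entries_named_like_droppers() {
    find "$ROOT/etc/rc.d" -name '*IptabLe*' 2>/dev/null || true
}

# Total number of findings across all checks; 0 means nothing matched.
audit_count() {
    {
        find_iptables_droppers
        odd_loopback_hosts
        init_files_referencing_boot
        rc_entries_named_like_droppers
    } | grep -c . || true
}

# Human-readable report, printed when the script is executed.
report() {
    echo "== /boot droppers ==";        find_iptables_droppers
    echo "== odd loopback hosts ==";    odd_loopback_hosts
    echo "== init files -> /boot ==";   init_files_referencing_boot
    echo "== rc.d entries ==";          rc_entries_named_like_droppers
    echo "== total findings: $(audit_count) =="
}

report
```

Run it as `ROOT=/mnt/suspect sh audit.sh` against a mounted copy of the disk, or with ROOT unset on the live system. A non-empty "init files" or "rc.d entries" section is the first place to look for what relaunches the program after the /boot files are removed, since a run-level link or rc.local line fires at every boot without leaving any trace in cron.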