Alejandro Imass <ait <at> p2ee.org> writes:
> And there was a log of a couple of ftp connections the same day this
> happened, the ONLY 3 messages before the reboot at about 6 pm and they
> were NOT from any of our customers. Here are the log entries:
> Apr 27 05:54:37 nune ftp.proxy: connected to client:
> host-46-50-183-5.bbcustomer.zsttk.net, interface= 220.127.116.11:21
> Apr 27 05:54:37 nune ftp.proxy: info: monitor mode: off, ccp: <unset>
> Apr 27 05:54:38 nune ftp.proxy: -ERR: missing hostname
> Apr 27 18:55:42 nune syslogd: kernel boot file is /boot/kernel/kernel

What you should do right now is to get some recent general or security CD/DVD
with chkrootkit and rkhunter and run them from that external read-only media.
I would also suggest that you look over the config files of all packages involved.
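
A triage sketch for the log excerpt quoted above, added here as an example and not part of the original message: it lists ftp.proxy clients that fall outside a customer allowlist and measures the quiet gap before each syslogd boot marker. The allowlist suffixes and the year are assumptions (classic syslog timestamps carry no year).

```python
import re
from datetime import datetime

# Log lines as quoted in the message above (the wrapped entry is re-joined).
SAMPLE_LOG = """\
Apr 27 05:54:37 nune ftp.proxy: connected to client: host-46-50-183-5.bbcustomer.zsttk.net, interface= 220.127.116.11:21
Apr 27 05:54:37 nune ftp.proxy: info: monitor mode: off, ccp: <unset>
Apr 27 05:54:38 nune ftp.proxy: -ERR: missing hostname
Apr 27 18:55:42 nune syslogd: kernel boot file is /boot/kernel/kernel
"""

# Assumption: hypothetical customer domains; replace with your own list.
KNOWN_CUSTOMER_SUFFIXES = (".customer-a.example", ".customer-b.example")

LINE_RE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) (\S+) ([^:\s]+): (.*)$")
CLIENT_RE = re.compile(r"connected to client: ([^,\s]+)")


def events(text, year=2000):
    """Parse BSD syslog lines into (timestamp, host, program, message).
    `year` is a placeholder because the log format omits it."""
    out = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            out.append((ts, m.group(2), m.group(3), m.group(4)))
    return out


def unknown_ftp_clients(evts, known=KNOWN_CUSTOMER_SUFFIXES):
    """Return (timestamp, client) for ftp.proxy connections not on the allowlist."""
    hits = []
    for ts, _host, prog, msg in evts:
        m = CLIENT_RE.search(msg) if prog == "ftp.proxy" else None
        if m and not m.group(1).lower().endswith(tuple(known)):
            hits.append((ts, m.group(1)))
    return hits


def quiet_gap_before_boot(evts):
    """For each syslogd boot marker, seconds since the previous log entry."""
    gaps = []
    for prev, cur in zip(evts, evts[1:]):
        if cur[2] == "syslogd" and cur[3].startswith("kernel boot file"):
            gaps.append((cur[0], (cur[0] - prev[0]).total_seconds()))
    return gaps
```

A long silent gap before a boot marker only shows that nothing was logged in that window; the rootkit scan from read-only media is still what checks the system itself.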