Is the box hacked?
Two weird things happened.
1. After I su, I used the Arrow Up key to recall the previous command, and I saw "last | more", which I never used. I checked last | more but saw no IP other than the one I log in from. Since I have used su many times, it cannot be from the initial setup.
2. My Mem in top has always been at least 20M regardless of whether there are hits on httpd or not. But one day it suddenly dropped to 10M. Since then, it always stays at 10M. So I wonder what made the Mem usage 20M for 5 days and then suddenly drop back to 10M? Was it some process running under a common name?
I have 2 requests:
1. How to check if the box is hacked?
2. How to check the FULL path of a program running in top, since it only gives me the brief name of the program, such as httpd, sshd, cron. I am worried the hacker may name their programs httpd too.
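
One way to do the check asked for in request 2 on a Linux box with /proc, as an added example that is not part of the original post: it maps each short process name (what top shows) to the full executable path and flags look-alike names. The trusted-directory list and the optional proc-root argument are assumptions of this example.

```shell
#!/bin/sh
# Added example: resolve the short name shown by top to the real executable
# path via /proc/<pid>/exe, and flag processes that run from unexpected places.

# list_exe [proc_root]: print "PID<TAB>NAME<TAB>EXE" for every process.
# proc_root defaults to /proc; the argument exists so a constructed tree can be scanned.
list_exe() {
    root="${1:-/proc}"
    for d in "$root"/[0-9]*; do
        [ -d "$d" ] || continue
        pid="${d##*/}"
        name=$(cat "$d/comm" 2>/dev/null) || continue
        # Kernel threads have no exe link; other users' links need root to read.
        exe=$(readlink "$d/exe" 2>/dev/null) || exe="-"
        printf '%s\t%s\t%s\n' "$pid" "$name" "$exe"
    done
}

# flag_suspicious [proc_root]: print only the rows worth a closer look.
# Trusted directories below are an assumption; adjust them to the distribution.
flag_suspicious() {
    list_exe "$1" | while IFS="$(printf '\t')" read -r pid name exe; do
        case "$exe" in
            -) continue ;;
            # The kernel appends " (deleted)" when the binary was removed after start.
            *" (deleted)") reason="binary deleted from disk" ;;
            /usr/sbin/*|/usr/bin/*|/sbin/*|/bin/*|/usr/lib/*|/usr/libexec/*) continue ;;
            *) reason="runs outside trusted directories" ;;
        esac
        printf '%s\t%s\t%s\t%s\n' "$pid" "$name" "$exe" "$reason"
    done
}

# Scan the live system (run as root to see every process).
flag_suspicious /proc
```

A deleted binary is also what a normal package upgrade leaves behind until the service restarts, so treat a flag as a prompt to look closer. On a box that may already be compromised, these tools and /proc itself can be tampered with, so results from the running system are not conclusive.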