malicious files within /tmp/tmp

I found a tmp folder within my main /tmp folder and it had malicious files called irc and telnet in it.



I deleted those files and changed the permissions of the tmp folder within the main /tmp folder to 600.



The server had a continuous high load of around 4-5. I ran chkroot and found nothing.

My tmp has already been secured

cat /etc/fstab |grep tmp

none /dev/shm tmpfs defaults,nosuid,noexec 0 0

LABEL=/tmp /tmp ext3 defaults,noexec,nosuid 1 2


1. I need help to trace how these files got into my /tmp. Which log files will show their activity and how they managed to create a tmp folder within my /tmp?


2. Was my server used as a relay during this time...

Thanks for your help...

 

 

 

 
