Today I found a process called .X0-unix running on my server (CentOS 6 running Webmin/Virtualmin). This process was running from:
[root@server ~]# find / -name .X0-unix
I cannot find anything in the Webmin logs to explain how that file got there, and there have not been any SSH/FTP transfers into my server. How the hell did they get that file into the Webmin service? As far as I can tell it is an IRC bot called Tsunami, so no major damage done at the moment, but I am very worried that Webmin is compromised. The logs do not show any logins for any users (except when I logged in to check, of course). A new flaw/backdoor into Webmin?
How can I try to find out where the exploit is? I cannot shut down virtualmin completely as my users depend on it to administer their domains.
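The first step in answering "where did it come from" is to read what the kernel still knows about the running process before anything is killed or deleted: the real path of the executable (even if the file was unlinked), the working directory, the parent process chain (if the parent is miniserv.pl, Webmin itself spawned it; if it is httpd, crond or a user shell, the entry point is elsewhere), the account it runs as, its sockets, and the time the binary was written, which can then be matched against Webmin's request log. The script below is an added example, not code from the post or from Webmin; it assumes a Linux /proc filesystem with ps(1) as a fallback, GNU date/stat, and the CentOS 6 default log path /var/webmin/miniserv.log in common log format.

```shell
#!/bin/sh
# Added triage helper, not part of the original post. Collects what the
# kernel knows about a suspicious running process (e.g. .X0-unix) so its
# origin can be established before it is killed or its files are removed.
# Assumes Linux /proc; falls back to ps(1) where possible.

# Path of the executable. If the binary was unlinked after starting,
# Linux keeps the link and appends " (deleted)".
proc_exe() {
    if [ -e "/proc/$1/exe" ]; then
        readlink "/proc/$1/exe"
    else
        ps -o comm= -p "$1" 2>/dev/null
    fi
}

# Working directory: something dropped through a web service usually runs
# from a directory that service can write to (/tmp, /var/tmp, /dev/shm).
proc_cwd() {
    [ -e "/proc/$1/cwd" ] && readlink "/proc/$1/cwd"
}

# Parent PID: field 4 of /proc/PID/stat, else ps.
proc_ppid() {
    if [ -r "/proc/$1/stat" ]; then
        awk '{print $4}' "/proc/$1/stat"
    else
        ps -o ppid= -p "$1" 2>/dev/null | tr -d ' '
    fi
}

# Command name: the parenthesised field 2 of /proc/PID/stat, else ps.
# (/proc/PID/comm does not exist on the 2.6.32 kernel CentOS 6 ships.)
proc_comm() {
    if [ -r "/proc/$1/stat" ]; then
        sed 's/^[0-9]* (\(.*\)) .*/\1/' "/proc/$1/stat"
    else
        ps -o comm= -p "$1" 2>/dev/null
    fi
}

# Walk the ancestry up to init: which service actually spawned the process
# (miniserv.pl for Webmin/Virtualmin, httpd, crond, sshd, a shell, ...).
proc_ancestry() {
    anc_pid=$1
    while [ "$anc_pid" -gt 1 ] 2>/dev/null; do
        printf '%s\t%s\n' "$anc_pid" "$(proc_comm "$anc_pid")"
        anc_pid=$(proc_ppid "$anc_pid")
    done
}

# PIDs whose command name matches exactly (the kernel truncates it to 15 chars).
pids_by_name() {
    pgrep -x -- "$1" 2>/dev/null || true
}

# Webmin requests logged in the same hour the binary was written.
# Log path and the GNU date/stat flags are assumed (CentOS 6 defaults);
# miniserv.log uses common log format, so the hour looks like [12/May/2013:14.
requests_near_mtime() {
    log=${2:-/var/webmin/miniserv.log}
    hour=$(date -d "@$(stat -c %Y "$1")" +'%d/%b/%Y:%H')
    grep -F "[$hour" "$log" 2>/dev/null
}

# Full report for one PID.
triage_pid() {
    t_pid=$1
    t_exe=$(proc_exe "$t_pid")
    t_file=${t_exe% (deleted)}          # on-disk path without the marker
    echo "== PID $t_pid"
    echo "user: $(ps -o user= -p "$t_pid" 2>/dev/null)"
    echo "exe : $t_exe"
    echo "cwd : $(proc_cwd "$t_pid")"
    if [ -r "/proc/$t_pid/cmdline" ]; then
        printf 'cmd : '; tr '\000' ' ' < "/proc/$t_pid/cmdline"; echo
    fi
    echo "-- ancestry (pid, name), child first"
    proc_ancestry "$t_pid"
    echo "-- network sockets owned by the process"
    ss -ntup 2>/dev/null | grep "pid=$t_pid," || \
        netstat -ntup 2>/dev/null | grep "$t_pid/" || true
    if [ -f "$t_file" ]; then
        echo "-- files in the same directory (compare owner and mtime)"
        ls -la --time-style=full-iso "$(dirname "$t_file")" 2>/dev/null
        echo "-- Webmin requests in the hour the binary was written"
        requests_near_mtime "$t_file"
    fi
    return 0
}

# Run on the affected host with: TRIAGE_NAME=.X0-unix sh triage.sh
if [ -n "$TRIAGE_NAME" ]; then
    for p in $(pids_by_name "$TRIAGE_NAME"); do
        triage_pid "$p"
    done
fi
```

Read the report bottom-up: the process owner says which account was used to write the file (root means the service that dropped it ran as root; a domain user points at something reachable by that user), the ancestry says which daemon spawned it, and the requests logged in the hour the binary was written are the candidates for the request that delivered it. Copy the binary and the report to another machine before cleaning up, so the evidence survives whatever the bot does on exit.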