...
- Unexplained reboots.
- rkhunter reporting the libncom rootkit.
- We've learnt that /lib/libproc-3.2.8.so has been replaced on some machines (seen on Ubuntu so far; unclear whether other distributions are affected).
- Presence of files in `/tmp` like `do`, `update`, `rc_local_found`.
- Presence of files in `/usr/bin` like `minerd`, or starting with `_-` (underscore-dash; these should apparently be hidden by the rootkit).
- Presence of `/lib/libncom.*` or `/lib64/libncom.*` and `/etc/ld.so.preload` pointing to this library (beware of the rootkit, see above).
- CPU usage that can't be accounted for. The miner process might only be visible when evading the rootkit (see above).
- CPU usage by processes like metasploit, nmap, minerd.
- Presence of `/usr/local/bin/ssh`.
- Some tools may have been upgraded or installed (gnu auto*, Python, JRE), metasploit, nmap.
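
The file-path indicators in the list above can be checked in one pass. This is an added example, not part of the original page: `scan_iocs` and `make_sample_root` are hypothetical names, and the script assumes the suspect filesystem is mounted read-only on a clean host and passed as ROOT, since the list warns that the rootkit hides files on the running system. It does not cover the process, reboot or replaced-libproc indicators.

```shell
#!/bin/sh
# scan_iocs ROOT: print one line per file indicator found under ROOT.
# ROOT is an assumption of this example: the suspect filesystem mounted
# read-only on a clean host, where the preloaded library cannot hide files.
scan_iocs() {
    root=${1%/}
    # Dropped files in /tmp, the miner binary and the rogue ssh binary.
    for p in tmp/do tmp/update tmp/rc_local_found usr/bin/minerd usr/local/bin/ssh; do
        if [ -e "$root/$p" ]; then echo "file: /$p"; fi
    done
    # Names in /usr/bin starting with underscore-dash.
    for f in "$root"/usr/bin/_-*; do
        if [ -e "$f" ]; then echo "hidden-prefix: /usr/bin/${f##*/}"; fi
    done
    # The rootkit library in /lib or /lib64.
    for f in "$root"/lib/libncom.* "$root"/lib64/libncom.*; do
        if [ -e "$f" ]; then echo "rootkit-lib: ${f#"$root"}"; fi
    done
    # /etc/ld.so.preload pointing to that library.
    if [ -f "$root/etc/ld.so.preload" ] &&
       grep -q 'libncom' "$root/etc/ld.so.preload"; then
        echo "preload: /etc/ld.so.preload references libncom"
    fi
    return 0
}

# Constructed sample tree (not taken from a real host) so the example runs offline.
make_sample_root() {
    d=$(mktemp -d)
    mkdir -p "$d/tmp" "$d/usr/bin" "$d/lib" "$d/etc"
    : > "$d/tmp/update"
    : > "$d/usr/bin/minerd"
    : > "$d/usr/bin/_-x"
    : > "$d/lib/libncom.so.0"
    echo "/lib/libncom.so.0" > "$d/etc/ld.so.preload"
    echo "$d"
}

sample=$(make_sample_root)
scan_iocs "$sample"
rm -rf "$sample"
```

Any output line means the tree matches at least one indicator from the list; an empty result only says these particular paths are absent.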
...