Possible Malware infection
Recently IT took our Columbus server offline reporting a possible malware infection.
After reading several forum posts (listed below), I checked the Iptab processes to see what was running in /boot.
http://blog.malwaremustdie.org/2014/06/mmd-0025-2014-itw-infection-of-elf.html
https://access.redhat.com/site/solutions/877353
http://security.stackexchange.com/questions/58862/logging-server-compromised-iptables-and-iptablex
http://www.ebel-computing.de/JSPWiki/Wiki.jsp?page=VServer%20Trojan
$ ps aux | grep Iptab
Output:
columbus-server:~ # ps aux | grep Iptab
root 9674 0.0 0.0 856 132 ? S Jun30 0:00 /boot/.IptabLex
root 9675 0.0 0.0 1220 176 ? S Jun30 0:00 /boot/.IptabLes
root 22426 0.0 0.0 856 28 ? S 13:00 0:00 /boot/.IptabLex
root 22435 0.0 0.0 1220 48 ? S 13:00 0:00 /boot/.IptabLes
root 22471 0.0 0.0 4524 544 pts/0 S+ 13:00 0:00 grep Iptab
columbus-server:~ #
The interesting entries in /boot were as follows:
/boot/.IptabLes
/boot/.IptabLex
I had to manually delete these entries in /boot to remove the threat. I implemented extra security steps to minimise the risk of it happening again (implemented Linux based AV software and changed root account credentials amongst other things).
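As an added example that is not part of the original post: a small Python check that parses `ps aux` output (the constructed sample below mirrors the lines quoted above) and flags any process whose executable is a hidden file under /boot, where only kernels and bootloader files belong, plus the same check against /proc/<pid>/exe on a live host. The sample lines, the column layout and the helper names are assumptions.

```python
import os
import re
from pathlib import Path

# Constructed sample modelled on the ps output quoted in the post, with a
# header row and one benign process added for contrast.
SAMPLE_PS_OUTPUT = """\
USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
root      9674  0.0  0.0    856   132 ?        S    Jun30   0:00 /boot/.IptabLex
root      9675  0.0  0.0   1220   176 ?        S    Jun30   0:00 /boot/.IptabLes
root     22471  0.0  0.0   4524   544 pts/0    S+   13:00   0:00 grep Iptab
root         1  0.0  0.1  10000  1000 ?        Ss   Jun30   0:02 /sbin/init
"""

# ps aux columns: USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
# (eight fixed fields between PID and COMMAND; COMMAND may contain spaces).
PS_LINE = re.compile(r"^(\S+)\s+(\d+)(?:\s+\S+){8}\s+(.*)$")


def is_suspicious_command(command):
    """True when the executable is a dot-file living under /boot.
    Nothing legitimate runs from /boot, and a leading dot hides it from ls."""
    parts = command.split()
    exe = parts[0] if parts else ""
    return exe.startswith("/boot/") and Path(exe).name.startswith(".")


def find_suspicious_processes(ps_output):
    """Return [(pid, command), ...] for suspicious rows in `ps aux` text."""
    hits = []
    for line in ps_output.splitlines():
        m = PS_LINE.match(line)   # header row has no numeric PID, so it is skipped
        if m and is_suspicious_command(m.group(3)):
            hits.append((int(m.group(2)), m.group(3)))
    return hits


def scan_live_proc(proc_root="/proc"):
    """Same check on a running host via /proc/<pid>/exe, which still names the
    original binary even if the process later deleted or renamed it."""
    hits = []
    for entry in Path(proc_root).iterdir():
        if not entry.name.isdigit():
            continue
        try:
            target = os.readlink(entry / "exe")
        except OSError:           # process exited or not ours to inspect
            continue
        if is_suspicious_command(target):
            hits.append((int(entry.name), target))
    return hits


if __name__ == "__main__":
    for pid, cmd in find_suspicious_processes(SAMPLE_PS_OUTPUT):
        print(f"suspicious: pid={pid} cmd={cmd}")
```

Run as root for `scan_live_proc()`, since /proc/<pid>/exe of other users' processes is not readable otherwise; pairing it with a listing of dot-files in /boot (`ls -la /boot`) covers binaries that are planted but not currently running.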