[ Thanks to Amy Newman for this link. ]
“Kroah-Hartman also recommends inspecting systems using a live CD and scanning through logs looking for ‘mysterious’ messages like programs trying to touch /dev/mem.

“Willy Tarreau also contributed several suggestions, like checking to see that connections between local machines are expected. Tarreau advises users to grep /var/log/messages specifically for “sshd” and to look for the string ‘Invalid user’ coming from internal machines.

“Tarreau notes that outgoing SMTP requests are also suspect. “If one machine suddenly tries to send mails directly to outside, it might be someone trying to steal some data” such as SSH keys, said Tarreau.”
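The two log checks quoted above (sshd ‘Invalid user’ entries from internal machines, and programs touching /dev/mem), as an added shell example that is not code from the article or from Kroah-Hartman or Tarreau. It assumes RFC 1918 addresses are the “internal machines”, and the syslog lines it runs over are constructed samples, not real output.

```shell
#!/bin/sh
# Constructed sample of /var/log/messages lines (not from any real host).
# On a live system, feed the real file: triage_log /var/log/messages
SAMPLE_LOG='Sep  1 10:00:01 build1 sshd[1234]: Invalid user oracle from 203.0.113.9
Sep  1 10:00:05 build1 sshd[1240]: Invalid user admin from 10.0.0.23
Sep  1 10:01:12 build1 sshd[1251]: Accepted publickey for greg from 10.0.0.5 port 51122 ssh2
Sep  1 10:02:44 build1 kernel: Program xyz tried to access /dev/mem between 0->100000
Sep  1 10:03:00 build1 sshd[1260]: Invalid user test from 192.168.4.7 port 40122'

# Return 0 when an IPv4 address is in an RFC 1918 range.
# Assumption: private ranges are what the article means by "internal".
is_internal() {
    case "$1" in
        10.*) return 0 ;;
        192.168.*) return 0 ;;
        172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
    esac
    return 1
}

# Read syslog lines on stdin; print sshd 'Invalid user' lines whose source
# address is internal. A login attempt for a nonexistent user coming from a
# neighbouring host is the pattern Tarreau describes.
internal_invalid_users() {
    grep 'sshd.*: Invalid user ' | while IFS= read -r line; do
        src=${line##* from }   # text after the last " from "
        src=${src%% *}         # drop a trailing " port NNN" if present
        if is_internal "$src"; then
            printf '%s\n' "$line"
        fi
    done
}

# Read syslog lines on stdin; print kernel messages about /dev/mem access.
dev_mem_messages() {
    grep '/dev/mem'
}

# Run both checks over a log file and print the hits under headings.
triage_log() {
    echo "== sshd 'Invalid user' from internal hosts =="
    internal_invalid_users < "$1"
    echo "== messages mentioning /dev/mem =="
    dev_mem_messages < "$1"
}
```

The outgoing-SMTP check in the article is a network observation rather than a log one, so it is left out here.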