It happens once a day that a process named ./stealth (running as my apache user www-data), which is unknown to me and I cannot find on my Lucid 10.04 system via locate, consumes over 90% cpu. What could this be? Network bandwidth peaks to 15mbit/sec, is this a dos attack?

Any help on how to investigate this would be much appreciated!

Best,
Tim

On IRC:

EugeneKay>: Ubuntu Forums suggest it's a standard issue combination keylogger, irc bot, DDoS client, all that jazz.
@heckman>: It compromises ALL THE THINGS

Running this command may help you track it down:

    ps auxf

However, you should consider this Linode compromised and that it's no longer safe to store any data or use it for anything. Your best option is to back up your data and redeploy.

One way to do this would be to shrink your disk images and deploy a new distro alongside. You can then copy the files over and delete the old disk image.

I would also recommend trying to determine how the compromise happened in the process of moving data to prevent it from happening again.

-Tim

Edit: Make sure you only copy files over that you know where not the root of the problem. Here's more conversation from IRC: