One of my development Linux boxes got hacked and kept sending emails and doing web crawling. What I needed to know was to identify the culprit, and which script/application did this. I tried to run our malware detection with maldet that is described here:

It seems that maldet could not identify the culprit as malware, so the problem still happened. I suspected something might have been added to /bin or /etc/cron.* folder so I checked any modification for the last 3 days on these 2 folders by running these command
find /bin/ -mtime -3
find /etc/ -mtime -3

There’s a new file named /bin/perfcc; created and a new entry under /etc/cron.daily. Deleted both of them and now I need to get a notification whenever there’s a change in these 2 folders. So I installed inotify as described in this tutorial

I want to be able to get an email notification whenever there’s any change on both directories.

So the next step would be to configure the Linux box to enable sending email notifications via SMTP relay. A quick tutorial to do that is here

After that, create a shell script notify_dir_change.sh to run inotifywait to watch those directories
#!/bin/sh
inotifywait -m -r /bin -e create,modify -e moved_to | while read path action file; do echo "The file '$file' appeared in directory '$path' via '$action'" | mail -s "Directory modification" -a "From: your_email@your_domain.com" [email protected];done

To start this script automatically during a server restart, add this line to your /etc/rc.local
/root/scripts/notify_dir_change.sh &