You’ve been hacked.
How to clean a Hacked CentOS / LINUX Machine
yum install chkrootkit
Run chkrootkit to find INFECTED files
You will need to delete, manually, each of these files.
The permissions will be modified to stump the average user.
You will need to use: chattr
This command will free most files: chattr -suSadAc
For the ones that can not be deleted after the above, try: chattr -i
Files commonly targeted: top ps find netstat ifconfig
Once the files are deleted, reinstall the files using YUM:
yum reinstall procps openssh-server openssl psmisc findutils fileutils util-linux net-tools textutils sysklogd
1. sshd will be renamed to sshd0 in /usr/sbin/
2. the hacker has most likely added an entry to the bottom of: /etc/rc.d/rc.sysinit
# Xntps (NTPv3 daemon) startup..
Remove it: chattr -suSadAc xntps ; rm -f xntps
3. Re-run chkrootkit until the machine is clean