Call me paranoid but there are a couple of malware bots on the internet that appear to look like regular processes.
Maybe just rename the perl binary...
Take it offline a.s.a.p.!
This is a working government web server.
By wiping the whole system. Seriously. There's no telling what they modified or changed. Even those root-kit scanners you used didn't find anything even though the machine is clearly infected. Take it offline. Wipe it. Start over. Plug the holes before putting it back online.
How can I clean the server from viruses?
But you gave the list above: /tmp/scn/...? So there seems to be a leak in some software along the stack, which allowed the virus to be written into these files. You have to fix this hole. And seriously consider how to get rid of PHP... it's evil, just like Adobe Flash. My hair rolled backwards when I witnessed the spread of PHP, nowadays that's not possible anymore, but the facts about PHP remain true: it's just badly designed software, mixing application logic & UI appearance. Brrr.
Thank you very much, but I cannot reinstall the system until I can not find the virus itself. FreeBSD and Linux do not have good antivirus software to find this virus. I'm desperate and don't know what to do, because I don't know where the virus is. In this respect, I am beginning to like Windows. Kaspersky and Bitdefender are very good antiviruses. How can I reinstall the system if I don't know where the virus is?
I need to find the virus itself, rather than what it did or what files are deleted.
If the virus is in the files of the sites, then this virus will appear again after formatting. What is then the meaning of formatting....
Formatting the hard drive is the only way to get rid of it.