Got you
January 27, 2015
Last month, I had a massive bill from Rackspace for my servers. Apparently the server acquired a trojan that was constantly downloading new versions of itself. At Rackspace, pricing is $0.12 per GB of transfer. My server, after slowing to a crawl for a few days, sending out data, did about 3 TB worth of data in December, racking up my charge for that month to over $400.
After I found it, I reimaged the server that was infected, after moving all of my databases and everything over to my backup next-gen server, and it was clear. For a month.
Yesterday, I found the same virus running on both of my servers. This time, dedicated to tracking it down, and also having time to, I found it. More importantly, I found out how to get rid of it, but I haven't found out how exactly it found its way onto my server, or how to protect against it.
It is the Linux / DDOS trojan. It has an embedded rootkit. It is impossible to find by googling "Linux virus" as part of your search, as the only results returned are in relation to how Linux doesn't get viruses...
That article wasn't written at the time of the previous infection, and luckily I came across it this time. Otherwise, I would have had to reimage both servers, causing lots of downtime. That was a pain, but at least now I know what was causing it, if that bastard finds his way onto my servers again.