It's hard to say with certainty how the servers with the SSH backdoor had been compromised in the first place, because in most cases the server logs were gone by the time Sucuri had the chance to analyze them, Cid said. However, the infection was often found on servers that had weak root passwords or were running outdated versions of Plesk -- a Web-hosting control panel.
On servers that use the RPM Package Manager administrators should run the "rpm -Va" command in order to check the integrity of their software packages, Cid said. "If you see any change to the SSH binaries, it is a red flag," he said.
Simply checking when the files were last modified using the "ls -la" command won't reveal anything suspicious because the attackers change the mtime (last modification time) timestamps of the backdoor files to match those of the original files, Cid said.
If this SSH backdoor is found on a server, it's better to completely reinstall it from scratch because you never know what else might be there, the researcher said.