Possible Duplicate:
My server's been hacked EMERGENCY
ZeuS backend controller abusive usage
We have been warned by our hosting company that there is a botnet controller (ZeuS) on our server. But we don't know how it was installed or how to detect and remove it.
We haven't installed anything in the recent past and have no clue where that controller is located.
It is a dedicated server.
How can we detect it? Can antivirus software like ClamAV help to find it?
@Glen's answer is a good start, but a good botnet installer will use a rootkit that backdoors most system utilities (so they won't show them when doing forensics). A really good one will even go to the trouble of modifying source code or libraries so even binaries compiled now will be blinded. The only real way is to have your hosting provider show you traffic logs that indicate you are compromised and confirm what is connected to that port via lsof or netstat. If that doesn't show anything, it still doesn't mean you weren't compromised.
lsof and netstat can be useful to hunt down bots and bouncers. 'lsof -i | grep -i irc' has helped me find these in the past but I doubt that would catch everything. If you see something odd with netstat/lsof you can further investigate the pid with 'ls -lah /proc/$pid/'.
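An added example, not part of the original answers: a POSIX shell sketch that lists listening TCP sockets and their owning PIDs by reading a `/proc/net/tcp`-format table and `/proc/<pid>/fd` directly, so the result can be compared with what `netstat` or `lsof` report. The function names and the sample table are constructed for illustration; it covers IPv4 only, and a kernel-level rootkit can still hide entries from `/proc`.

```shell
#!/bin/sh
# Added example, not from the original thread. Reads a /proc/net/tcp-format
# table directly (IPv4 only) instead of trusting netstat/lsof output.

# "0100007F:1A0B" -> "127.0.0.1:6667". The address is a little-endian hex
# word (as on x86); the port is plain hex.
hex_to_endpoint() {
    h2e_n=$((0x${1%%:*}))
    h2e_p=$((0x${1##*:}))
    printf '%d.%d.%d.%d:%d\n' $((h2e_n & 255)) $(((h2e_n >> 8) & 255)) \
        $(((h2e_n >> 16) & 255)) $(((h2e_n >> 24) & 255)) "$h2e_p"
}

# Print the PIDs under proc root $2 that hold socket inode $1, or "-" if none.
pids_for_inode() {
    pfi_found=""
    for pfi_fd in "$2"/[0-9]*/fd/*; do
        [ "$(readlink "$pfi_fd" 2>/dev/null)" = "socket:[$1]" ] || continue
        pfi_pid=${pfi_fd#"$2"/}
        pfi_pid=${pfi_pid%%/*}
        case " $pfi_found " in
            *" $pfi_pid "*) ;;
            *) pfi_found="$pfi_found $pfi_pid" ;;
        esac
    done
    pfi_found=${pfi_found# }
    echo "${pfi_found:--}"
}

# For each LISTEN socket (state 0A) in table $1, print endpoint, uid, inode
# and owning PIDs found under proc root $2.
listeners() {
    while read -r l_sl l_local l_rem l_st l_q l_tr l_re l_uid l_to l_inode l_rest; do
        [ "$l_st" = "0A" ] || continue
        echo "$(hex_to_endpoint "$l_local") uid=$l_uid inode=$l_inode pids=$(pids_for_inode "$l_inode" "$2")"
    done < "$1"
}

# Constructed sample in /proc/net/tcp layout: listeners on ports 22 and 6667,
# plus one established connection (state 01) that must be ignored.
sample_table() {
    cat <<'EOF'
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 11111 1 0000000000000000 100 0 0 10 0
   1: 00000000:1A0B 00000000:0000 0A 00000000:00000000 00:00000000 00000000    33        0 31337 1 0000000000000000 100 0 0 10 0
   2: 0100007F:0016 0100007F:C350 01 00000000:00000000 00:00000000 00000000     0        0 22222 1 0000000000000000 20 4 30 10 -1
EOF
}

# Live use, as root: sh this_script.sh --live
if [ "${1:-}" = "--live" ]; then listeners /proc/net/tcp /proc; fi
```

A listener that appears here but not in `netstat`/`lsof`, or one with `pids=-` when run as root, is worth following up with `ls -lah /proc/$pid/` or the provider's traffic logs; kernel-owned sockets can also legitimately show no PID.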