It won't be helpful even if you deleted these files:
/tmp/.sshdd1401029612 or /tmp/.sshddxxxxxxxxxx, /etc/.SSH2, /etc/sfewfesfs
You may first delete a few (binary) files introduced to your system by the intruder:
(A) /etc/rcX.d/S99local
X = 2,3,4,5
This script will call up /etc/rc.d/rc.local to launch several attacks on your system.
(B) So, it is better to immediately delete this file as well.
You see the content of this file will launch several binaries to attack your system:
#!/bin/sh
#
# This script will be executed *after* all the other init scripts.
# You can put your own initialization stuff in here if you don't
# want to do the full Sys V style init stuff.
touch /var/lock/subsys/local
cd /etc;./sfewfesfs
cd /etc;./gfhjrtfyhuf
cd /etc;./rewgtf3er4t
cd /etc;./sdmfdsfhjfe
cd /etc;./gfhddsfew
cd /etc;./ferwfrre
cd /etc;./dsfrefr
cd /etc;./sfewfesfs
cd /etc;./gfhjrtfyhuf
cd /etc;./rewgtf3er4t
cd /etc;./sdmfdsfhjfe
cd /etc;./gfhddsfew
cd /etc;./ferwfrre
cd /etc;./dsfrefr
cd /etc;./sfewfesfs
cd /etc;./gfhjrtfyhuf
cd /etc;./rewgtf3er4t
cd /etc;./sdmfdsfhjfe
cd /etc;./gfhddsfew
cd /etc;./ferwfrre
cd /etc;./dsfrefr
cd /etc;./sfewfesfs
cd /etc;./gfhjrtfyhuf
cd /etc;./rewgtf3er4t
cd /etc;./sdmfdsfhjfe
cd /etc;./gfhddsfew
cd /etc;./ferwfrre
cd /etc;./dsfrefr
cd /etc;./sfewfesfs
cd /etc;./gfhjrtfyhuf
cd /etc;./rewgtf3er4t
cd /etc;./sdmfdsfhjfe
cd /etc;./gfhddsfew
cd /etc;./ferwfrre
cd /etc;./dsfrefr
cd /etc;./sfewfesfs
cd /etc;./gfhjrtfyhuf
cd /etc;./rewgtf3er4t
cd /etc;./sdmfdsfhjfe
cd /etc;./gfhddsfew
cd /etc;./ferwfrre
cd /etc;./dsfrefr
It is strongly recommended to delete this file /etc/rc.d/rc.local by force.
(C) After deleting those files above, you can start to sudo to terminate processes:
(i) /etc/ssh/sshpa
which causes the creation of /tmp/.sshddxxxxxxxxxx, /etc/.SSH2, /etc/sfewfesfs
(ii)
and to terminate processes :
/tmp/.sshddxxxxxxxxxx, /etc/.SSH2, /etc/sfewfesfs
(D) Please delete these files immediately :
/etc/ssh/sshpa, /tmp/.sshddxxxxxxxxxx, /etc/.SSH2, /etc/sfewfesfs
and use htop to make sure they are not launched in the background anymore.
(E) Updating your system, please don't forget to change root's password, and all users' passwords.
Unfortunately, chkrootkit and rkhunter may not be able to detect this intruder. Perhaps, I don't know how to fully utilize these two rootkit checkers. Or perhaps both rootkit checkers should be updated. Or perhaps there is other reason...