Hey Sean,

If they are uploading things, it's likely they have a PHP Shell somewhere.
The most common is called the "C99 Shell". You could try doing a grep to
find it. I agree with Alan, it would be best to restore a backup.
It also looks like they are trying to start a SOCKS server, from the
"./mocks" command. This may be used to use your server as a proxy.

http://sourceforge.net/projects/mocks/

You should disable the shell for "apache" by changing the login shell to
"/bin/false" in the file "/etc/passwd".

Regards,
James.

On 12/28/07, Kirrus <[EMAIL PROTECTED]> wrote:
>
>
> ----- "Alan Pope" <[EMAIL PROTECTED]> wrote:
> > On Thu, Dec 27, 2007 at 07:34:23AM +0000, Sean Miller wrote:
> > > I am aware this isn't Ubuntu related, but I'm tearing my hair out.
> > >
> > > For the past week or so some folks have been constantly hacking my
> > > webserver... it's running Cent-OS I believe, but I don't have the
> > > knowledge to work out how they're getting in.
> > >
> >
> > First thing I'd do is shut it down and restore from backup. You have
> > discovered that no matter how much you clean up there's no way you can
> > be sure they can't get in again.
> >
> > Make sure you have up to date secure versions of all installed web
> > apps. If processes are owned by apache then chances are it's a
> > compromised script running on the site that they are getting in through.
> >
>
> The worst app for security I've ever come across is phpBB Nuke, or
> postnuke. If someone is running one of those, make sure it's up-to-date.
> I've never had a problem with phpBB2 (except for spammers ;))
>
> --
> Blog: http://www.kirrus.co.uk
> UK Plone Hosting: http://www.plone-hosting.co.uk
>
> RPGs:
> Captain Senaris Vlenn, CO, USS Sarek
> Lt Aieron Peters, XO DS5
>
-- 
ubuntu-uk@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-uk
https://wiki.kubuntu.org/UKTeam/
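
The two checks suggested in the message above (grep for a PHP shell, and confirm the "apache" account has no login shell), as an added example that is not part of the original thread. The function names, the sample paths and accounts, and the second grep pattern are assumptions; the sample data is constructed.

```shell
#!/bin/sh
# Added example (not from the thread): defender-side checks for the two
# suggestions above. Paths, account names and the eval/base64 pattern are
# assumptions made for illustration.

# Print "user:shell" for each named account in a passwd-format file whose
# login shell is not a no-login shell such as /bin/false or /sbin/nologin.
accounts_with_login_shell() {
    passwd_file=$1; shift
    for user in "$@"; do
        awk -F: -v u="$user" \
            '$1 == u && $7 !~ /\/(false|nologin)$/ { print $1 ":" $7 }' \
            "$passwd_file"
    done
}

# List PHP files under a web root that contain the "c99shell" marker or an
# eval(base64_decode(...)) wrapper (assumed pattern, common in obfuscated PHP).
suspect_php_files() {
    find "$1" -type f -name '*.php' -exec \
        grep -l -i -E 'c99shell|eval[[:space:]]*\([[:space:]]*base64_decode' {} +
}

# Constructed sample data so both checks can be run offline.
make_sample() {
    dir=$(mktemp -d)
    mkdir -p "$dir/www/uploads"
    printf '%s\n' \
        'root:x:0:0:root:/root:/bin/bash' \
        'apache:x:48:48:Apache:/var/www:/bin/bash' \
        'mysql:x:27:27:MySQL:/var/lib/mysql:/sbin/nologin' > "$dir/passwd"
    printf '<?php echo "hello"; ?>\n' > "$dir/www/index.php"
    printf '<?php /* c99shell marker (constructed) */ ?>\n' \
        > "$dir/www/uploads/img.php"
    echo "$dir"
}

sample=$(make_sample)
accounts_with_login_shell "$sample/passwd" apache mysql   # apache:/bin/bash
suspect_php_files "$sample/www"
rm -rf "$sample"
```

On a real host the same functions would be pointed at /etc/passwd and the actual web root; a clean grep result does not rule out a shell that uses neither string.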
