[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]


Ok. It looks like I have been hacked and they have put in a directory in my webspace that is just a space. In there, is 2 directories and 1 file:
-rwxr-xr-x  1 root root    0 Oct 12 00:01 php.php
drwxr-xr-x  2   48   48 4096 Oct 11 23:54 signin.ebay.com
drwxrwxrwx  2 root root 4096 Oct 11 23:54 www.paypal.com

I can delete everything in the 2 directories, and edit/change the php.php file to empty it out because it was a php script that allowed someone to do anything on the server they wanted, but I can not for the life of me delete them. I thought maybe they replaced the /bin/rm file, but it does not appear to be a hacked "rm".

Also, every minute the following cron job runs and I am not sure how or where it is being run from. chown root:root /tmp/local/local5 && chmod 4755 /tmp/local/local5 && rm -rf /etc/cron.d/core && kill -USR1 30447

There is no /tmp/local directory and in my /etc/cron.d directory, there are 2 files:
-rw-------  1 root httpd 696320 Oct  6 09:45 core.30448
-rw-------  1 root httpd 909312 Oct 11 14:14 core.8811

I do not see anything like that on my other servers.

My firewalls don't allow ssh access from other than my address and only with a public/private key pair.

Any help would be appreciated since this person is going to get me blocked because of them trying to fish for ebay and paypal logins/passwords.


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]