<div>Hey Sean,</div><div><br class="webkit-block-placeholder"></div>If they are uploading things, it's likely they have a PHP Shell somewhere. The most common is called the "C99 Shell". You could try doing a grep to find it. I agree with Alan, it would be best to restore a backup.
<div><br class="webkit-block-placeholder"></div><div>It also looks like they are trying to start a SOCKS server, from the "./mocks" command. This may be used to use your server as a proxy.</div><div><br class="webkit-block-placeholder">
</div><div><a href="http://sourceforge.net/projects/mocks/">http://sourceforge.net/projects/mocks/</a></div><div><br class="webkit-block-placeholder"></div><div>You should disable the shell for "apache" by changing the login shell to "/bin/false" in the file "/etc/passwd".
</div><div><br> </div><div><br class="webkit-block-placeholder"></div><div><div><div>Regards,</div><div>James.</div><div><br class="webkit-block-placeholder"></div><div><div><span class="gmail_quote">On 12/28/07, <b class="gmail_sendername">
Kirrus</b> <<a href="mailto:kirrus@kirrus.co.uk">kirrus@kirrus.co.uk</a>> wrote:</span><blockquote class="gmail_quote" style="margin:0;margin-left:0.8ex;border-left:1px #ccc solid;padding-left:1ex"><br>----- "Alan Pope" <
<a href="mailto:alan@popey.com">alan@popey.com</a>> wrote:<br>> On Thu, Dec 27, 2007 at 07:34:23AM +0000, Sean Miller wrote:<br>> > I am aware this isn't Ubuntu related, but I'm tearing my hair out.<br>
> ><br>> > For the past week or so some folks have been constantly hacking my<br>> > webserver... it's running Cent-OS I believe, but I don't have the<br>> knowledge<br>> > to work out how they're getting in.
<br>> ><br>><br>> First thing I'd do is shut it down and restore from backup. You have<br>> discovered that no matter how much you clean up there's no way you can<br>> be<br>> sure they can't get in again.
<br>><br>> Make sure you have up to date secure versions of all installed web<br>> apps. If<br>> processes are owned by apache then chances are its a compromised<br>> script<br>> running on the site that they are getting in through.
<br>><br><br>The worst app for security I've ever come across is phpBB Nuke, or postnuke. If someone is running one of those, make sure it's up-to-date.<br>I've never had a problem with phpBB2 (except for spammers ;))
<br><br>--<br>Blog: <a href="http://www.kirrus.co.uk">http://www.kirrus.co.uk</a><br>UK Plone Hosting: <a href="http://www.plone-hosting.co.uk">http://www.plone-hosting.co.uk</a><br><br>RPGs:<br>Captain Senaris Vlenn, CO, USS Sarek
<br>Lt Aieron Peters, XO DS5<br><br><br>--<br><a href="mailto:ubuntu-uk@lists.ubuntu.com">ubuntu-uk@lists.ubuntu.com</a><br><a href="https://lists.ubuntu.com/mailman/listinfo/ubuntu-uk">https://lists.ubuntu.com/mailman/listinfo/ubuntu-uk
</a><br><a href="https://wiki.kubuntu.org/UKTeam/">https://wiki.kubuntu.org/UKTeam/</a><br></blockquote></div><br></div></div></div>
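The two checks James suggests (service accounts with a real login shell, and a grep of the web root for PHP shell markers), written up as a small POSIX shell script. This is an added example, not code from the thread; the passwd fragment, the marker regex and the sample web root are constructed for the demonstration.

```shell
#!/bin/sh
# Constructed /etc/passwd fragment (not from a real host).
PASSWD_SAMPLE='root:x:0:0:root:/root:/bin/bash
apache:x:48:48:Apache:/var/www:/bin/bash
nobody:x:99:99:Nobody:/:/sbin/nologin
sean:x:500:500:Sean:/home/sean:/bin/bash'

# List system accounts (0 < uid < 500 on this constructed host) whose login
# shell is neither /bin/false nor a nologin binary. Fix per the thread:
#   usermod -s /bin/false apache
service_accounts_with_shell() {
    printf '%s\n' "$1" | awk -F: '
        $3 > 0 && $3 < 500 && $7 !~ /(false|nologin)$/ { print $1 }'
}

# Grep a web root for PHP files carrying markers typical of web shells
# (constructed signature list). A hit is a file to inspect, not proof.
find_suspicious_php() {
    grep -rlE 'c99shell|eval\(base64_decode\(' --include='*.php' "$1" \
        2>/dev/null
}

# Build a throwaway web root with one benign and one flagged file; prints
# the directory path so callers can clean it up.
make_sample_webroot() {
    d=$(mktemp -d)
    mkdir -p "$d/uploads"
    printf '<?php echo "hello"; ?>\n' > "$d/index.php"
    printf '<?php /* c99shell v.1 (constructed marker) */ ?>\n' \
        > "$d/uploads/image.php"
    printf '%s\n' "$d"
}

# Demo run when executed directly.
echo "Accounts with interactive shells:"
service_accounts_with_shell "$PASSWD_SAMPLE"
WEBROOT=$(make_sample_webroot)
echo "Suspicious PHP files:"
find_suspicious_php "$WEBROOT"
rm -rf "$WEBROOT"
```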