On Sun, 2005-06-26 at 22:09 -0400, Mailing List Receiver wrote: > Ever since we found and stopped a phishing site that had been planted > on our server to run as the default site under Apache, we have been under > constant attack. Presumably, the perpretrators did not appreciate that > we made their millions of scam emails ineffective. > > So, today I just happen to get a feeling that I should check for rootkits. > Sure enough, someone had a listener at port 3049 and lsof showed the owner > as being Apache. More investigation shows the following in /tmp *snip* I'd be more inclined to guess that there actually is a hole in a web app you are running - you are a hosting service, correct? A lot of hacks are done through insecure hosting software - maybe cpanel or something like that.
