> On Sun, 2005-06-26 at 22:09 -0400, Mailing List Receiver wrote: >> Ever since we found and stopped a phishing site that had been planted >> on our server to run as the default site under Apache, we have been under >> constant attack. Presumably, the perpretrators did not appreciate that >> we made their millions of scam emails ineffective. >> >> So, today I just happen to get a feeling that I should check for rootkits. >> Sure enough, someone had a listener at port 3049 and lsof showed the owner >> as being Apache. More investigation shows the following in /tmp > > *snip* > > I'd be more inclined to guess that there actually is a hole in a web app > you are running - you are a hosting service, correct? > > A lot of hacks are done through insecure hosting software - maybe cpanel > or something like that. We had a spammer hack in through apache on a redhat box a month ago. He got in through a clients installed/used phpBB board (of course). The spammer installed shv5 and proceeded to send out millions of emails, of which our courier server promptly rejected doing so, so no harm was REALLY done. Took a while to get rid of the files, as we had to backtrack through the install process of shv5. We canned all our clients use of phpBB and the machine has been clean since. Just our experiences, maybe of some help to you. -Randall Shaw