psyBNC installed through apache

Hey

On one of the servers under my control (RH9 Linux 2.4.27), I saw 100M/s of traffic going through almost instantly.

After a quick investigation, I found PSYBNC running on the box. The conf files were in the /tmp/nsmail directory. With TOP, I found processes running psybnc and a couple of "sh -i" processes.

The ps -auxwww showed these suspect processes running as "apache".

I'm running Apache/1.3.31

So, my question is: what kind of hole allows for this to happen? I was able to remove the files and stop the processes, but I need to find out how the hacker logged in and put the files in place.

 

 

 

 
