Ok. It looks like I have been hacked and they have put in a
directory in my webspace that is just a space. In there are 2
directories and 1 file:
-rwxr-xr-x 1 root root 0 Oct 12 00:01 php.php
drwxr-xr-x 2 48 48 4096 Oct 11 23:54 signin.ebay.com
drwxrwxrwx 2 root root 4096 Oct 11 23:54 www.paypal.com
I can delete everything in the 2 directories, and edit/change the
php.php file to empty it out because it was a php script that allowed
someone to do anything on the server they wanted, but I cannot for
the life of me delete them. I thought maybe they replaced the
/bin/rm file, but it does not appear to be a hacked "rm".
Also, every minute the following cron job runs and I am not sure how
or where it is being run from.
chown root:root /tmp/local/local5 && chmod 4755 /tmp/local/local5 &&
rm -rf /etc/cron.d/core && kill -USR1 30447
There is no /tmp/local directory and in my /etc/cron.d directory,
there are 2 files:
-rw------- 1 root httpd 696320 Oct 6 09:45 core.30448
-rw------- 1 root httpd 909312 Oct 11 14:14 core.8811
I do not see anything like that on my other servers.
My firewalls don't allow ssh access from other than my address and
only with a public/private key pair.
Any help would be appreciated since this person is going to get me
blocked because of them trying to phish for ebay and paypal logins/passwords.
Thanks
Steve
--
redhat-list mailing list
unsubscribe mailto:redhat-list-request@xxxxxxxxxx?subject=unsubscribe
https://www.redhat.com/mailman/listinfo/redhat-list
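The listings and the cron line in the post above carry several indicators an incident responder would pull out before touching anything (ownership that the site owner could not have produced, a world-writable directory, core dumps sitting in /etc/cron.d, a cron job that stages a setuid binary in /tmp, deletes its own fragment and signals a running pid). The triage script below is an added example, not part of Steve's post or anything from the list; it embeds the post's own listing lines and cron command as sample input and flags those indicators. The webspace owner name "steve" is an assumption made for the example.

```python
import re

# Sample input reproduced from the post above so the script runs offline.
WEBSPACE_LISTING = """\
-rwxr-xr-x 1 root root 0 Oct 12 00:01 php.php
drwxr-xr-x 2 48 48 4096 Oct 11 23:54 signin.ebay.com
drwxrwxrwx 2 root root 4096 Oct 11 23:54 www.paypal.com
"""
CROND_LISTING = """\
-rw------- 1 root httpd 696320 Oct 6 09:45 core.30448
-rw------- 1 root httpd 909312 Oct 11 14:14 core.8811
"""
CRON_COMMAND = ("chown root:root /tmp/local/local5 && chmod 4755 /tmp/local/local5 "
                "&& rm -rf /etc/cron.d/core && kill -USR1 30447")

# One 'ls -l' line: mode, link count, owner, group, size, month, day, time/year, name.
LS_LINE = re.compile(
    r"^(?P<mode>[-dl][rwxsStT-]{9})\s+\d+\s+(?P<owner>\S+)\s+(?P<group>\S+)"
    r"\s+(?P<size>\d+)\s+\w{3}\s+\d+\s+\S+\s+(?P<name>.+)$"
)


def parse_ls(text):
    """Turn 'ls -l' output into dicts; lines that do not parse are skipped."""
    entries = []
    for line in text.splitlines():
        m = LS_LINE.match(line.strip())
        if m:
            e = m.groupdict()
            e["size"] = int(e["size"])
            entries.append(e)
    return entries


def webspace_findings(entries, site_owner):
    """Flag entries in a user's webspace that the site owner did not create."""
    findings = []
    for e in entries:
        name, mode, owner = e["name"], e["mode"], e["owner"]
        if owner == "root":
            findings.append((name, "owned by root: created with privileges the site owner lacks"))
        elif owner.isdigit():
            findings.append((name, f"owned by unresolved uid {owner}: usually the web server account"))
        elif owner != site_owner:
            findings.append((name, f"owned by {owner}, not the site owner"))
        if mode[0] == "d" and "w" in mode[7:10]:
            findings.append((name, "world-writable directory: any local account can drop files here"))
        if any(brand in name.lower() for brand in ("paypal", "ebay")):
            findings.append((name, "named after a payment/auction brand: phishing page material"))
    return findings


def crond_findings(entries):
    """/etc/cron.d should hold small crontab fragments, not core.<pid> dumps."""
    findings = []
    for e in entries:
        if re.fullmatch(r"core\.\d+", e["name"]):
            findings.append((e["name"], f"core.<pid> name, {e['size']} bytes: a core dump, not a crontab"))
    return findings


def cron_command_findings(cmd):
    """Pick apart a '&&'-chained cron command; returns (findings, signalled pid)."""
    findings, pid = [], None
    for step in (s.strip() for s in cmd.split("&&")):
        argv = step.split()
        if argv[0] == "chmod" and len(argv) > 2 and re.fullmatch(r"[4-7]\d{3}", argv[1]):
            findings.append((step, f"sets the setuid bit: {argv[2]} runs as its owner (root after chown)"))
        if any(a.startswith("/tmp/") for a in argv[1:]):
            findings.append((step, "stages a binary under world-writable /tmp"))
        if argv[0] == "rm" and any("/etc/cron.d" in a for a in argv):
            findings.append((step, "removes its own cron fragment: the persistence hides after each run"))
        if argv[0] == "kill" and argv[-1].isdigit():
            pid = int(argv[-1])
            findings.append((step, f"signals pid {pid}: inspect /proc/{pid}/exe, cwd and cmdline"))
    return findings, pid


def related_core_pids(crond_entries, pid, window=5):
    """Core dump pids numerically close to the signalled pid are worth correlating."""
    pids = [int(e["name"].split(".")[1]) for e in crond_entries if re.fullmatch(r"core\.\d+", e["name"])]
    return [p for p in pids if pid is not None and abs(p - pid) <= window]


if __name__ == "__main__":
    for name, why in webspace_findings(parse_ls(WEBSPACE_LISTING), "steve"):
        print(f"webspace  {name:20} {why}")
    crond = parse_ls(CROND_LISTING)
    for name, why in crond_findings(crond):
        print(f"cron.d    {name:20} {why}")
    steps, pid = cron_command_findings(CRON_COMMAND)
    for step, why in steps:
        print(f"cron job  {step:35} {why}")
    print("core pids adjacent to signalled pid:", related_core_pids(crond, pid))
```

The script only reads listings, so it can be run against `ls -l` output copied off the compromised host without executing anything there. If `rm` as root still fails on the two directories, `lsattr -d` on each is the first thing to check: the ext2/ext3 immutable and append-only attributes block unlink even for root and `ls -l` does not display them; a directory also cannot be removed while something is mounted on it (`mount` shows that). Where the job is scheduled from is answered by listing every crontab source at once: `/etc/crontab`, `/etc/cron.d/`, `/var/spool/cron/` for every user, and `/etc/cron.*` directories, plus `/proc/<pid>/exe` for the pid the job signals, since the `rm -rf /etc/cron.d/core` step means the fragment may only exist between runs.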