LinuxQuestions.org
Old 08-17-2005, 09:38 PM   #1
Odins_Son
LQ Newbie
 
Registered: Nov 2004
Location: Salem
Distribution: debian unstable
Posts: 18

Rep: Reputation: 0
Rooted


I did a ps aux and I saw these 3 processes and I have no idea what they are. I haven't seen these before and I was wondering if these are something typical or if I should look into them further. If they aren't something that's usually associated with apache, how do I go about getting more info on them? Any suggestions would be appreciated.

apache 16781 0.0 0.0 1572 492 ? S 19:30 0:00 ./jam5
apache 17516 0.0 0.0 1572 492 ? S 20:10 0:00 ./jam5
apache 17665 0.0 0.0 8704 36 ? S 20:18 0:00 ./w00t

Last edited by Odins_Son; 08-18-2005 at 11:14 AM.
 
Old 08-17-2005, 10:12 PM   #2
ilikejam
Senior Member
 
Registered: Aug 2003
Location: Glasgow
Distribution: Fedora / Solaris
Posts: 3,109

Rep: Reputation: 97
Looks like you've been cracked.

Probably something derived from this:
http://www.glug-howrah.org/modules.p...ew&t=6&start=0

Get the machine off-line ASAP.

Dave
 
Old 08-18-2005, 11:14 AM   #3
Odins_Son
LQ Newbie
 
Registered: Nov 2004
Location: Salem
Distribution: debian unstable
Posts: 18

Original Poster
Rep: Reputation: 0
Yeap, I've been rooted. I don't think the hacker managed to get root access because all the processes were running as apache. Also my sshd and ftp appear to be wonky now. They allow everyone to log in even though I only have a few users.

I checked my log files and it looks like someone has been picking away at it for some time. The sshd log files are full of failed attempts. I ran chkrootkit and rkhunter and they didn't come up with much at all.

I have the server offline and I was hoping to salvage it if possible. Anyone know of any good how-tos on doing an extensive cleanup? I'm probably going to end up doing a re-install, but I kinda wanted to learn how to undo this and how the rootkit works.

I managed to find the rootkit in /var/tmp. The person actually named it rootkit.
 
Old 08-18-2005, 11:38 AM   #4
ilikejam
Senior Member
 
Registered: Aug 2003
Location: Glasgow
Distribution: Fedora / Solaris
Posts: 3,109

Rep: Reputation: 97
If your attacker managed to alter your FTP and SSH configs, then I'd say it's a fair bet that she does have root on your machine. That being the case any cleanup short of a clean install is asking for trouble. Have a look at root's .bash_history and any other shell histories you can think of. Have a look at /var/log/messages - I don't know about Debian, but RH logs any 'su' events there, through PAM.

As for how the exploit works, I'd open a new thread to see if anyone can answer that. I know the theory behind general cracking methods, but I'm not familiar with any implementations.

Dave

Last edited by ilikejam; 08-18-2005 at 11:41 AM.
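A defender-side triage script in the spirit of the advice in this thread, added here as an example (it is not code from the thread or from LinuxQuestions): it scans ps aux-style output for processes owned by the web-server account that execute from a relative path or a scratch directory such as /var/tmp, which is exactly the ./jam5 and ./w00t pattern the original poster saw. The sample input is constructed from the thread's three lines plus invented benign processes; the account names (apache, www-data) and the directory list are assumptions.

```shell
#!/bin/sh
# Constructed sample in the layout of `ps aux`: the three lines quoted in the
# thread plus made-up benign apache/root processes. Not output from a real box.
SAMPLE_PS='USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
root 1 0.0 0.1 1500 500 ? S 19:00 0:01 init [2]
apache 1200 0.0 0.5 9000 3000 ? S 19:01 0:00 /usr/sbin/apache2 -k start
apache 16781 0.0 0.0 1572 492 ? S 19:30 0:00 ./jam5
apache 17516 0.0 0.0 1572 492 ? S 20:10 0:00 ./jam5
apache 17665 0.0 0.0 8704 36 ? S 20:18 0:00 ./w00t
www-data 17700 0.0 0.0 2000 400 ? S 20:20 0:00 /var/tmp/.x/run
root 17800 0.0 0.0 2000 400 ? S 20:21 0:00 /usr/bin/cron'

# Print one SUSPECT line per process owned by a web-server account (assumed:
# apache or www-data) whose command starts from a relative path or from a
# world-writable scratch directory. Exit status 1 when anything was flagged.
flag_suspicious_procs() {
    printf '%s\n' "$1" | awk '
        NR == 1 { next }                    # skip the ps header line
        $1 == "apache" || $1 == "www-data" {
            cmd = $11                       # first word of COMMAND
            if (cmd ~ /^\.\// || cmd ~ /^\/tmp\// ||
                cmd ~ /^\/var\/tmp\// || cmd ~ /^\/dev\/shm\//) {
                print "SUSPECT pid=" $2 " user=" $1 " cmd=" cmd
                n++
            }
        }
        END { if (n > 0) exit 1; exit 0 }'
}

# Number of flagged processes, for alerting thresholds or quick checks.
count_suspicious_procs() {
    flag_suspicious_procs "$1" | grep -c '^SUSPECT' || true
}
```

Against a live system run flag_suspicious_procs "$(ps aux)"; the same check generalises to any service account that should never execute binaries out of temporary directories.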
 
All times are GMT -5. The time now is 11:43 PM.