Well, I know this is a bit of an old thread, but nearly the same thing happened to me. The process was running as "exe" and was apparently started with command line:
exe -> /tmp/upxCYUJPIOAN0L (deleted)
It used the same delete-after-run trick.
I fixed my PHP scripts to validate any GET variables, blocked the IP, and am about to do:
allow_url_fopen = off
Thanks for the suggestion.
On my machine the script ran as "nobody" and was connecting to january.medical9.gr.jp (18.104.22.168)
From what I can tell, my server was not rootkitted... (ran chkrootkit), but there were hours on end when outbound traffic was maxed out and I couldn't connect.
Killing the process didn't work... it came back after an hour or so. Checked /var/spool/cron and found a script called "nobody"... the culprit... that was placed there by the PHP hole.
Looking inside "nobody" (after moving it to my Windows machine) showed the actual ELF as a bunch of octals. The process didn't restart after removing it.
Does anyone know how to tell if it tried to upload my server files elsewhere? I've converted the octals to make an ELF, but don't know if there is more I can do. Maybe some assembly guru can just look and give an estimate on how malevolent it is?
Anyways, I hope the cron stuff helps someone out.
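The two things the post above describes, a cron entry that re-creates the binary from octal escapes and a dropped ELF that needs a first look, can be triaged with a short script. The following is an added example and is not the poster's "nobody" file or anything from the thread: it assumes the crontab line rebuilds the binary with printf and \NNN octal escapes (an assumption; the post only says "a bunch of octals"), decodes it, checks the ELF magic and header fields, and pulls out printable strings such as a hostname. The crontab line, the hostname c2.example.net and the /tmp/x path are constructed sample data; the embedded image is only a 64-byte ELF64 header plus two strings, not a runnable program.

```python
import re
import struct

# Constructed sample (not the poster's file): a crontab line that rebuilds an
# ELF64 image with printf and octal escapes, then runs it. The hostname and
# path are made up for the example.
SAMPLE_CRON_LINE = (
    "*/30 * * * * printf '"
    r"\177\105\114\106\002\001\001\000\000\000\000\000\000\000\000\000"   # e_ident: ELF64, LE
    r"\002\000\076\000\001\000\000\000"                                  # e_type=EXEC, e_machine=62
    r"\170\000\100\000\000\000\000\000"                                  # e_entry = 0x400078
    r"\100\000\000\000\000\000\000\000"                                  # e_phoff = 64
    r"\000\000\000\000\000\000\000\000"                                  # e_shoff = 0
    r"\000\000\000\000\100\000\070\000\001\000\100\000\000\000\000\000"  # flags .. shstrndx
    r"c2.example.net\000/bin/sh\000"                                     # strings a real dropper might carry
    "' > /tmp/x && chmod +x /tmp/x && /tmp/x >/dev/null 2>&1"
)

PRINTF_ARG = re.compile(r"printf\s+'([^']*)'")
ELF_MAGIC = b"\x7fELF"
E_TYPE = {1: "REL", 2: "EXEC", 3: "DYN", 4: "CORE"}
E_MACHINE = {3: "x86", 40: "ARM", 62: "x86-64", 183: "AArch64"}


def extract_printf_arg(cron_line):
    """Pull the single-quoted argument out of a `printf '...'` shell command."""
    m = PRINTF_ARG.search(cron_line)
    if not m:
        raise ValueError("no single-quoted printf argument found")
    return m.group(1)


def decode_octal_escapes(text):
    """Turn printf-style text into bytes: \\NNN (1-3 octal digits) becomes one
    byte, anything else is copied through literally. Other escapes such as
    \\n or \\x41 are not handled, since the post only mentions octals."""
    out = bytearray()
    i = 0
    while i < len(text):
        if text[i] == "\\":
            m = re.match(r"[0-7]{1,3}", text[i + 1:i + 4])
            if m:
                out.append(int(m.group(0), 8) & 0xFF)
                i += 1 + len(m.group(0))
                continue
        out.append(ord(text[i]) & 0xFF)
        i += 1
    return bytes(out)


def parse_elf_header(blob):
    """Validate the ELF magic and decode the fields that matter for a first triage."""
    if blob[:4] != ELF_MAGIC:
        raise ValueError("not an ELF image")
    ei_class, ei_data = blob[4], blob[5]
    if ei_class not in (1, 2) or ei_data not in (1, 2):
        raise ValueError("bad EI_CLASS/EI_DATA in e_ident")
    endian = "<" if ei_data == 1 else ">"
    # Layout after the 16-byte e_ident; ELF64 uses 8-byte entry/phoff/shoff.
    fmt, size = (endian + "HHIQQQIHHHHHH", 64) if ei_class == 2 else (endian + "HHIIIIIHHHHHH", 52)
    if len(blob) < size:
        raise ValueError("truncated ELF header")
    (e_type, e_machine, _ver, e_entry, _phoff, _shoff, _flags,
     _ehsize, _phentsize, e_phnum, _shentsize, e_shnum, _shstrndx) = struct.unpack(fmt, blob[16:size])
    return {
        "class": "ELF64" if ei_class == 2 else "ELF32",
        "endian": "little" if ei_data == 1 else "big",
        "type": E_TYPE.get(e_type, str(e_type)),
        "machine": E_MACHINE.get(e_machine, str(e_machine)),
        "entry": e_entry,
        "phnum": e_phnum,
        # No section headers at all is typical of a stripped or UPX-packed binary,
        # which matches the "upx" prefix on the temp file name in the thread.
        "shnum": e_shnum,
    }


def printable_strings(blob, min_len=6):
    """Equivalent of strings(1): runs of printable ASCII of at least min_len bytes."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group(0).decode("ascii") for m in re.finditer(pattern, blob)]


def triage_cron_line(cron_line):
    """Decode the payload a cron line would drop and summarise it."""
    blob = decode_octal_escapes(extract_printf_arg(cron_line))
    return {"payload_len": len(blob), "header": parse_elf_header(blob), "strings": printable_strings(blob)}


if __name__ == "__main__":
    report = triage_cron_line(SAMPLE_CRON_LINE)
    print(report["header"])
    print(report["strings"])
```

On a live box the same header check can be pointed at /proc/<pid>/exe for a process whose binary was deleted after launch (the "(deleted)" suffix in the thread): the link still opens the original image, so it can be copied out before the process is killed, which is the one chance to get the sample when no cron copy exists.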