Somebody apparently tried to hack my tiny server today. It's a LAMP server: Fedora core 12, Apache, mySQL, PHP on an AMD 64.
My server hung, so I rebooted the system and looked in the httpd log. I found repeated instances of this command near the time of the crash:
18.104.22.168 - - [28/Apr/2010:09:17:46 -0400] "POST /wp-content/uploads/2009/10/anpdyv8v.php? HTTP/1.0" 200 2 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US)"
The file anpdyv8v.php was dated 24/APR/2010, but the directory is a dated directory for graphic images posted to the blog in Oct 2009, so I know it's not mine, and I know it appeared recently.
The file consists of a single php "eval(base64 decode" statement, which is pretty clearly an encrypted application file in php.
I changed the ownership of the file so apache can't read it anymore ( it was owned by apache.web, which is the account under which apache runs), but I'm very concerned that somebody was able to post a rogue file on my server as "apache."
How did they do that, and how can I prevent them from doing it again?
BTW, the IP address traces to a server in Belarus.
Thanks for any and all suggestions in advance.