[CentOS] httpd - mysql - paypal.com.tar - hacker

Fri Aug 21 21:08:43 UTC 2009
Gregory P. Ennis <PoMec at PoMec.Net>

Everyone,

This morning I received a notice from PayPal that one of our sites got
hacked and was spoofing a PayPal web site. 

When I checked the site, I was surprised to find they were correct.
About 5 days ago we had a server that got hacked and somehow the file
paypal.com.tar got uploaded to our server and then stored in a
subdirectory of /var/www/.

I had previously started a mysqld server and planned on using it for web
authorizations.  I had not been able to work on it, but left it in
place.  It looked like the hacker downloaded his paypal spoof files into
a subdirectory of /var/www/phpmyadmin.

I am running 5.3 with all current updates.

I do not have telnet or ftp active on this server, and have password
authentication of sshd turned off.  

I have tried to obtain dialog with PayPal about this but they have not
responded to my queries.  If any of you have had some experience with
this I would be interested in knowing how this may have happened.  I
have shut down the mysqld server as well as removed access in httpd.conf
to the /var/www/phpmyadmin directory in order to shut down the spoofing
site.

If any of you have a leg up on this I would appreciate your help.

Greg Ennis
P.S. I found the following entry in my error_log of /var/log/httpd/ :

[Sun Aug 16 04:26:19 2009] [info] Server built: Jul 14 2009 06:02:39
--00:21:14--  http://code.go.ro/paypal.com.tar
Resolving code.go.ro... 81.196.20.134
Connecting to code.go.ro|81.196.20.134|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 645120 (630K) [application/x-tar]
Saving to: `paypal.com.tar'

  0K .......... .......... .......... .......... ..........  7% 70.0K 8s
 50K .......... .......... .......... .......... .......... 15%  265K 5s
100K .......... .......... .......... .......... .......... 23%  284K 3s
150K .......... .......... .......... .......... .......... 31% 1.81M 2s
200K .......... .......... .......... .......... .......... 39% 1.79M 2s
250K .......... .......... .......... .......... .......... 47%  323K 1s
300K .......... .......... .......... .......... .......... 55% 1.80M 1s
350K .......... .......... .......... .......... .......... 63% 1.76M 1s
400K .......... .......... .......... .......... .......... 71%  431K 1s
450K .......... .......... .......... .......... .......... 79% 1.77M 0s
500K .......... .......... .......... .......... .......... 87% 1.75M 0s
550K .......... .......... .......... .......... .......... 95% 1.82M 0s
600K .......... .......... ..........                      100%
1.87M=1.6s
00:21:16 (405 KB/s) - `paypal.com.tar' saved [645120/645120]

sh: line 0: cd: pma: Not a directory

gzip: stdin: not in gzip format
tar: Child returned status 1
tar: Error exit delayed from previous errors
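As an added example that is not part of Greg's post: a small Python scanner for the pattern his error_log shows, where the stderr of a process spawned through the web server (wget, sh, gzip, tar) lands in Apache's error_log without the bracketed timestamp Apache's own messages carry. The sample log below is constructed, modelled on the quoted excerpt, with a placeholder host and address rather than the values from the post.

```python
import re

# Constructed sample error_log, modelled on the excerpt in the post above.
# Host and address are placeholders, not the values from the post.
SAMPLE_ERROR_LOG = """\
[Sun Aug 16 04:26:19 2009] [info] Server built: Jul 14 2009 06:02:39
[Sun Aug 16 04:30:02 2009] [notice] caught SIGTERM, shutting down
--00:21:14--  http://example.invalid/paypal.com.tar
Resolving example.invalid... 192.0.2.10
Connecting to example.invalid|192.0.2.10|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 645120 (630K) [application/x-tar]
Saving to: `paypal.com.tar'
00:21:16 (405 KB/s) - `paypal.com.tar' saved [645120/645120]
sh: line 0: cd: pma: Not a directory
gzip: stdin: not in gzip format
tar: Child returned status 1
"""

# Apache's own messages begin with "[Day Mon dd hh:mm:ss yyyy] [level]".
# Anything else in error_log is stderr from a child process (CGI, PHP
# exec(), a web shell), which is where wget/sh/tar noise ends up.
APACHE_LINE = re.compile(r"^\[\w{3} \w{3}\s+\d{1,2} [\d:]{8} \d{4}\] \[\w+\]")

# Signatures of a download-and-unpack sequence run through the web server.
SUSPICIOUS = {
    "wget_fetch": re.compile(r"^--\d{2}:\d{2}:\d{2}--\s+(\S+)$"),
    "wget_saved": re.compile(r"`([^']+)' saved \[\d+/\d+\]"),
    "shell_error": re.compile(r"^sh: line \d+: (.*)$"),
    "tar_gzip_error": re.compile(r"^(?:tar|gzip): (.*)$"),
}

def scan_error_log(text):
    """Return (tag, line_no, detail) for every non-Apache line that matches
    one of the download/unpack signatures."""
    hits = []
    for no, line in enumerate(text.splitlines(), 1):
        if not line or APACHE_LINE.match(line):
            continue
        for tag, rx in SUSPICIOUS.items():
            m = rx.search(line)
            if m:
                hits.append((tag, no, m.group(1)))
                break
    return hits

def fetched_urls(text):
    """URLs wget reported fetching: the indicators to pivot on in httpd
    access logs and on the hosting server."""
    return [d for tag, _, d in scan_error_log(text) if tag == "wget_fetch"]

if __name__ == "__main__":
    for tag, no, detail in scan_error_log(SAMPLE_ERROR_LOG):
        print(f"line {no}: {tag}: {detail}")
```

Run against the real /var/log/httpd/error_log the same way; a hit on a wget fetch line dates the intrusion more precisely than the file's mtime and names the staging host.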