[CentOS] server is always getting hacked

Sat Jun 27 19:31:12 UTC 2009
John R Pierce <pierce at hogranch.com>

Mag Gam wrote:
> We have a CentOS 5.3 install, and our server keeps getting hacked.
> We see load averages of 500+ and see people from all over the world
> logging into our server (used last).
>

what protocols are they logging on via?  what accounts? 

have you changed all the passwords and so forth, and run a rootkit hunter 
like rkhunter to check for common rootkits and other incursions?


> Is there a good place to start to avoid these kinds of things?
>
> For example, here is what I already did.
>
> Open up the sshd port only
> Set up iptables to only accept ports 80 and 22
> No FTP
> No other ports are allowed according to iptables.
>

what sort of website is running on port 80?   if it's hosting any common 
PHP or other applications, check for known exploits in those...  almost 
every major and minor PHP package, common Perl CGI, etc., has had 
exploits... things like phpBB get new exploits every week and need 
frequent updating.

at this point, if your system has been hacked this badly, I would take 
it offline, clean install it with the minimum packages to support your 
applications, fully patch it, this time making sure you leave SELinux 
fully enabled, and then reconfigure and redeploy your web applications.
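The reply above asks which accounts and which sources the foreign logins came from. The script below is an added triage example (not part of the thread and not from CentOS or any project): it summarizes `last` output by account and by source address and flags accounts outside an expected list. The `last` lines embedded in it are constructed for this example, using documentation-range IPs; on a real host you would feed in `last` output instead. Function names (`logins_by_user`, `logins_by_source`, `unexpected_logins`) are this example's own. One caveat a practitioner would raise: on a box that has been rooted, wtmp can itself be edited, so treat this as a starting point for the questions in the reply, not as proof of what happened.

```shell
#!/bin/sh
# Triage helper for a host showing unexplained logins in `last` output.
# All functions take the text of `last` as their first argument.

# Constructed sample in standard `last` layout (user, tty, host, time).
# Replace with: LAST_SAMPLE=$(last)   on the real host.
LAST_SAMPLE=$(cat <<'EOF'
root     pts/0        203.0.113.45     Sat Jun 27 18:02   still logged in
www      pts/1        198.51.100.7     Sat Jun 27 17:40 - 17:55  (00:15)
root     pts/2        203.0.113.45     Sat Jun 27 16:12 - 16:30  (00:18)
admin    pts/0        192.0.2.88       Sat Jun 27 15:01 - 15:09  (00:08)
root     tty1                          Sat Jun 27 09:00 - 09:30  (00:30)
reboot   system boot  2.6.18-128.el5   Sat Jun 27 08:58          (10:04)

wtmp begins Sat Jun 27 08:58:00 2009
EOF
)

# Session count per account, most active first. Skips the "reboot"
# pseudo-user, the "wtmp begins" trailer and blank lines.
logins_by_user() {
    printf '%s\n' "$1" \
      | awk 'NF >= 3 && $1 != "reboot" && $1 != "wtmp" { c[$1]++ }
             END { for (u in c) printf "%s %d\n", u, c[u] }' \
      | sort -k2,2nr -k1,1
}

# Session count per remote source. For network logins the third field is
# the host/IP; for console logins it is the weekday, which has no dot,
# so only dotted values (IPs or FQDNs) are counted.
logins_by_source() {
    printf '%s\n' "$1" \
      | awk 'NF >= 3 && $1 != "reboot" && $1 != "wtmp" && $3 ~ /\./ { c[$3]++ }
             END { for (h in c) printf "%s %d\n", h, c[h] }' \
      | sort -k2,2nr -k1,1
}

# Accounts that logged in interactively but are not in the expected list
# (second argument, space separated). A service account such as "www"
# showing up here is a strong hint the web application was the way in.
unexpected_logins() {
    printf '%s\n' "$1" \
      | awk -v expected="$2" '
          BEGIN { n = split(expected, e, " "); for (i = 1; i <= n; i++) ok[e[i]] = 1 }
          NF >= 3 && $1 != "reboot" && $1 != "wtmp" && !($1 in ok) && !seen[$1]++ { print $1 }'
}

echo "== sessions per account =="
logins_by_user "$LAST_SAMPLE"
echo "== sessions per source =="
logins_by_source "$LAST_SAMPLE"
echo "== accounts not in the expected list (root admin) =="
unexpected_logins "$LAST_SAMPLE" "root admin"
```

Run it as-is to see the constructed case; on the affected machine replace the sample with real `last` output (or `last -i` for numeric addresses) and pair the source list with sshd's entries in `/var/log/secure` to answer the "what protocols" half of the question.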