server has been compromised (The Planet Forums > Control Panels > cPanel/WHM)
soupn
My server seems to have been compromised. I was getting high load on the server, the mysql service was going on and off, and I got this response from ev1:

QUOTE
There seems to be a load on your server. It appears that your server has been compromised. The file was in your /tmp folder, a perl script named nasti.txt, and there were processes not owned by root, inetd & syslogd, that were running. We have terminated these processes for you. We have also moved the nasti.txt to /root/hacksfound. You will still need to investigate the reason that this occurred. There seems to be an exploit, possibly through apache, that made this possible.

If you have problems with this please search our forums for more information or hire an admin as we do not offer server security.



Any help on this issue??
NightStorm
Are you running phpSuExec? If so, who is the file marked as being owned by?
If not, this gets a lot more complicated... you'll have to check the domain logs for every site on your server for any mention of nasti.txt. The logs are found at /usr/local/apache/domlogs/domainname
SSH in, and use grep for the quickest method.
The longer you take to do this, the less likely you'll find anything... log rotations will kill the evidence.
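The grep NightStorm describes, written out as an added example (not code from this thread): it walks every per-domain log under the domlogs path given above, also reading rotated .gz copies so a log that has already been rotated is not missed, and runs here against constructed sample log lines. It assumes gzip, awk and mktemp are available on the box.

```shell
#!/bin/sh
# Added example, not code from this thread: search every per-domain Apache
# log under the domlogs directory NightStorm points at (default
# /usr/local/apache/domlogs) for a fixed-string indicator such as the dropped
# script name, including rotated .gz copies so an already-rotated log is not
# skipped. Output: "<domain><TAB><matching log line>".
scan_domlogs() {
    needle=$1
    dir=${2:-/usr/local/apache/domlogs}
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        domain=$(basename "$f" .gz)
        # -F: literal match, -i: ignore case, --: indicator may start with "-"
        if [ "${f%.gz}" != "$f" ]; then
            gzip -dc "$f"          # rotated, compressed log
        else
            cat "$f"
        fi | grep -F -i -- "$needle" | awk -v d="$domain" '{ print d "\t" $0 }'
    done
}

# Number of matching lines across all logs: a quick "is it anywhere at all?"
count_hits() {
    scan_domlogs "$1" "$2" | wc -l | tr -d ' '
}

# Constructed sample logs (not real traffic) so the functions run offline.
demo_dir=$(mktemp -d)
cat > "$demo_dir/example.com" <<'EOF'
203.0.113.5 - - [10/Oct/2009:13:55:36 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2009:13:55:40 +0000] "GET /index.php?p=nasti.txt HTTP/1.1" 200 88 "-" "libwww-perl/5.805"
EOF
rotated='198.51.100.7 - - [09/Oct/2009:02:14:01 +0000] "GET /cgi-bin/NASTI.TXT HTTP/1.1" 404 41 "-" "curl/7.19"'
if command -v gzip >/dev/null 2>&1; then
    printf '%s\n' "$rotated" | gzip -c > "$demo_dir/other.net.gz"   # rotated copy
else
    printf '%s\n' "$rotated" > "$demo_dir/other.net"
fi

scan_domlogs nasti.txt "$demo_dir"   # two hits, one per domain
```

Run it with the real path (`scan_domlogs nasti.txt`) and note the source IP, timestamp and request of each hit before the next rotation; remove "$demo_dir" when done with the sample.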
eth00
*IF* there were in fact offending processes owned by root, you were compromised and will need a restore to gain full trust back in the system. Since it was in /tmp and with that name, it was most likely an apache injection of some sort. While you may be able to find it in the logs, do not be surprised if you are unable to find the exact method of intrusion; many attacks come in via POST requests and are not part of what is logged normally.

Out of curiosity were you running an older kernel? If so that was what caused them to gain the root access, as of late there have been a lot of exploits that do this. If you are very comfortable in your abilities you may be able to keep using the system without a restore if you are able to track everything down, though most likely that will be impossible and a restore is your best option.
ramprage
This might be because of the recent 0 day cpwrap exploit. If it was a root exploit then reload the box, otherwise remove the nobody files and you should audit the box to be sure.