Mike Stent wrote:

> I was hacked on the weekend and have since booted them off my server and
> shut down all ports except 25,80 and 443.

Until you know exactly how they compromised your system in the first place (almost definitely via a PHP app - oh, you have phpnuke.), you won't have achieved much yet.

> I have found a hack script in my /tmp and / directory and it is perl.
> Are there any perl experts who could take a look at it and tell me how it
> came to be on my system?

Google will probably help, and there are a bunch of resources out there like chkrootkit.

> with 600 members so I am not so tempted to take it
> offline as no damage has been done yet.

Incorrect assumption - just because you found one root script, you can't assume you have found the rest.

Unfortunately for you, the best advice is to wipe your system, and restore from a *known good* backup. This means original CD distribution of your OS, and just the data portions of any backups.

In the real world, people try to get away with less than that (I know I have, myself). If you think there are no invisible rootkits on your machine (good luck, because they won't show up in ps or anything like that), you might just upgrade every program on your machine to the latest security level. Which OS are you running?

> Also the server box runs NAT and does all its own firewalling with
> iptables. Any thoughts on an external firewall? I'm thinking maybe this
> might be a safer bet cause if they break into that they can't exactly do
> much??

Well, if your firewall restricted *outgoing* connections instead of incoming ones, that would be a start. Otherwise it wouldn't help very much, because your problem will almost definitely have come from an attack over a port that you have to leave open. Firewalls are much overrated.

-jim
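The reply's point that a rootkit "won't show up in ps" is the kind of thing worth checking rather than taking on faith. The script below is an added example, not part of the original thread and not taken from chkrootkit: it compares what a possibly trojaned `ps` reports against what the kernel itself exposes, first through the /proc directory listing and then through a brute-force `kill(pid, 0)` sweep that does not read /proc at all. It assumes a Linux host with /proc mounted and a procps-style `ps` on PATH; the function and variable names are mine. The set comparison takes two /proc snapshots, one before and one after `ps` runs, so a process that merely exited mid-check is not reported as hidden.

```python
"""Cross-check the processes `ps` shows against what the kernel exposes.

Added example, not code from the original thread. It assumes a Linux
host with /proc mounted and a procps-style `ps` on PATH; the comparison
logic itself is plain set arithmetic and runs anywhere.
"""
import os
import subprocess
from typing import Dict, Iterable, Set


def pids_from_proc() -> Set[int]:
    """PIDs the kernel lists as numeric entries under /proc."""
    return {int(name) for name in os.listdir("/proc") if name.isdigit()}


def pids_from_ps() -> Set[int]:
    """PIDs reported by the userland `ps` binary, the one a rootkit trojans."""
    out = subprocess.run(
        ["ps", "-eo", "pid="], capture_output=True, text=True, check=True
    ).stdout
    return {int(tok) for tok in out.split()}


def pids_by_probe(max_pid: int) -> Set[int]:
    """PIDs that answer kill(pid, 0), found without reading /proc's listing.

    ESRCH (ProcessLookupError) is the only "nothing there" answer; EPERM
    (PermissionError) means a live process owned by someone else, so it
    still counts as alive.
    """
    alive: Set[int] = set()
    for pid in range(1, max_pid + 1):
        try:
            os.kill(pid, 0)
        except ProcessLookupError:
            continue
        except PermissionError:
            pass
        alive.add(pid)
    return alive


def hidden_pids(kernel_before: Iterable[int], tool_view: Iterable[int],
                kernel_after: Iterable[int]) -> Set[int]:
    """PIDs the kernel showed both before and after `ps` ran, yet `ps` omitted.

    Requiring presence in both kernel snapshots drops processes that simply
    exited between the first snapshot and the `ps` run; a PID that appears
    only in the `ps` output (such as `ps` itself) is never a hit.
    """
    return (set(kernel_before) & set(kernel_after)) - set(tool_view)


def default_pid_max() -> int:
    """Upper bound for the probe sweep; falls back to the classic 32768."""
    try:
        with open("/proc/sys/kernel/pid_max") as fh:
            return int(fh.read())
    except (OSError, ValueError):
        return 32768


def run_check() -> Dict[str, Set[int]]:
    """Run all three views on the live host and report the discrepancies."""
    before = pids_from_proc()
    from_ps = pids_from_ps()
    after = pids_from_proc()
    probed = pids_by_probe(default_pid_max())
    return {
        # In the kernel's view but not in `ps`: a trojaned `ps` or a
        # rootkit that filters what `ps` reads.
        "hidden_from_ps": hidden_pids(before, from_ps, after),
        # Answers kill(pid, 0) but never appeared in the /proc listing:
        # a readdir-hooking rootkit, or a process that started mid-scan.
        "missing_from_proc": probed - (before | after),
    }


if __name__ == "__main__":
    for name, pids in run_check().items():
        print(f"{name}: {sorted(pids) or 'none'}")
```

Run it as root so `kill(pid, 0)` is not refused for other users' processes. Anything listed under either key is a lead to chase, not proof: short-lived processes can still slip through the probe, and a kernel-module rootkit that hooks the `kill` and `getdents` paths as well as `ps` defeats both checks, which is exactly why the reply's advice to reinstall from known-good media stands.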
