My 2 cents :)
It may be a simple web form exploit or something more serious and they have no guarantee that it won't be exploited again and again.
I'm not a security expert but used to hang out with hackers back when it was just starting to be illegal and have a good understanding of how they think and operate. I'm perfectly capable of doing such things but thankfully hacking never appealed to me :) Good hackers will patch your system in ways you would never detect... for that matter you'd never even know they were there... they won't show up in a process list, you won't find their files searching for them, they eliminate any trace of themselves in logs, and you probably won't find their back door unless they're amateur 'script kiddies'. Fortunately MOST hacker attacks are script kiddies. You'll usually find traces of their attack in logs and temp folders.

The 'clean and recover' method will never give you 100% certainty that you've eliminated the exploit. The machine could have patched binaries all over the place. I have cleaned up such messes before; it can be very time consuming. Even if you find how they got in, how can you ever be completely sure you've stopped them from getting back in without building an new instance to replace it?

The safest way to deal with it is to build a hardened server from scratch; before loading data:

change all passwords/etc on the new server
generate new ssh keys if they exist
install mod_ssl, intrusion detection, and fail2ban/denyhosts
re-write applications NOT to use register_globals in PHP and turn it off
turn up logging
migrate the applications/data to it after checking logs for clues of exploit and fix before migrating.

The data center can probably give them some information to help them find where their server was exploited.

JD

On Tue, Feb 16, 2010 at 1:50 PM, James Finstrom <jfinstrom@rhinoequipment.com> wrote:

Greetings,

Hello all a customer contacted me today and they appear to have a root kit or some other software placed on their system that is causing it to act as a proxy used in attacks on other servers causing their ISP to kill em. They prefer to clean and recover over re-install. There system is Centos 5 but no other details are available. If your a security person and would like to consult this client Please email me for contact information.

Thanks,

--
James Finstrom
Rhino Equipment Corp.
http://rhinoequipment.com ~ http://postug.com
Phone: 1-877-RHINO-T1 ~ FAX: +1 (480) 961-1826
Twitter: http://twitter.com/rhinoequipment
IP: guest@asterisk.rhinoequipment.com

---------------------------------------------------
PLUG-discuss mailing list - PLUG-discuss@lists.plug.phoenix.az.us
To subscribe, unsubscribe, or to change your mail settings:
http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss

--
JD Austin
Twin Geckos Technology Services LLC
jd@twingeckos.com
Voice: 480.288.8195x201
Fax: 480.406.6753
http://www.twingeckos.com

"Being powerful is like being a lady. If you have to tell people, you aren't." - M. Thatcher