My 2 cents :)
It may be a simple web form exploit or something more serious and they have no guarantee that it won't be exploited again and again.
I'm not a security expert but used to hang out with hackers back when it was just starting to be illegal and have a good understanding of how they think and operate. I'm perfectly capable of doing such things but thankfully hacking never appealed to me :) Good hackers will patch your system in ways you would never detect... for that matter you'd never even know they were there... they won't show up in a process list, you won't find their files searching for them, they eliminate any trace of themselves in logs, and you probably won't find their back door unless they're amateur 'script kiddies'. Fortunately MOST hacker attacks are script kiddies. You'll usually find traces of their attack in logs and temp folders.
The 'clean and recover' method will never give you 100% certainty that you've eliminated the exploit. The machine could have patched binaries all over the place. I have cleaned up such messes before; it can be very time consuming. Even if you find how they got in, how can you ever be completely sure you've stopped them from getting back in without building an new instance to replace it?
The safest way to deal with it is to build a hardened server from scratch; before loading data:
Greetings,Hello all a customer contacted me today and they appear to have a root kit or some other software placed on their system that is causing it to act as a proxy used in attacks on other servers causing their ISP to kill em. They prefer to clean and recover over re-install. There system is Centos 5 but no other details are available. If your a security person and would like to consult this client Please email me for contact information.Thanks,
--
James Finstrom
Rhino Equipment Corp.
http://rhinoequipment.com ~ http://postug.com
Phone: 1-877-RHINO-T1 ~ FAX: +1 (480) 961-1826
Twitter: http://twitter.com/rhinoequipment
IP: guest@asterisk.rhinoequipment.com
---------------------------------------------------
PLUG-discuss mailing list - PLUG-discuss@lists.plug.phoenix.az.us
To subscribe, unsubscribe, or to change your mail settings:
http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss