• It sounds like your server got owned. I have seen folks use PHP scripts in WordPress to gather files from other servers and basically implement a spam server all running via PHP and Perl.

    I would probably ssh in and see if there are any scripts running in the background. If they did a good job you may need to look for hidden processes:

    http://www.cyberciti.biz/tips/linux-unix-windows-find-hidden-processes-tcp-udp-ports.html

    http://la-samhna.de/library/rootkits/detect.html

    http://www.chkrootkit.org/#tests

    Here are some general resources on detection and remediation:

    https://rimuhosting.com/knowledgebase/rimuhosting/argh-my-server-was-exploited

    http://security.stackexchange.com/questions/7443/how-do-you-know-your-server-has-been-compromised

    Good Luck!

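One way to run the two checks the reply describes, as an added example that is not part of the original post: list PHP/Perl processes with their working directory, and cross-check directly probed PIDs against a `ps -e -o pid=` listing. The function names, the `PROC_ROOT` argument and the 32768 default upper bound are assumptions of this example.

```sh
#!/bin/sh
# Added example (constructed; not from the original post).
# Both functions take the /proc root as $1 so they also work on a copied or test tree.

# interpreter_procs PROC_ROOT
# Print "pid<TAB>cwd<TAB>cmdline" for every process whose argv[0] is php or perl.
interpreter_procs() {
    proc_root=${1:-/proc}
    for dir in "$proc_root"/[0-9]*; do
        [ -r "$dir/cmdline" ] || continue
        cmd=$(tr '\0' ' ' < "$dir/cmdline" 2>/dev/null)
        cmd=${cmd% }
        argv0=${cmd%% *}
        case "${argv0##*/}" in
            php*|perl*) ;;          # php, php-fpm, perl, perl5, ...
            *) continue ;;          # includes kernel threads (empty cmdline)
        esac
        cwd=$(readlink "$dir/cwd" 2>/dev/null) || cwd='?'
        printf '%s\t%s\t%s\n' "${dir##*/}" "$cwd" "$cmd"
    done
}

# hidden_pids PROC_ROOT PS_LIST [MAX_PID]
# Probe every PID directly and print those that exist under PROC_ROOT but are
# absent from PS_LIST (saved output of `ps -e -o pid=`). Thread IDs also resolve
# under /proc, so entries whose Tgid differs from the PID are skipped.
# A process that starts or exits between the two snapshots is a false positive;
# rerun to confirm before acting on a result.
hidden_pids() {
    proc_root=${1:-/proc}; ps_list=$2; max=${3:-32768}
    pid=0
    while [ "$pid" -lt "$max" ]; do
        pid=$((pid + 1))
        [ -d "$proc_root/$pid" ] || continue
        tgid=$(sed -n 's/^Tgid:[[:space:]]*//p' "$proc_root/$pid/status" 2>/dev/null) || tgid=''
        [ "$tgid" = "$pid" ] || continue
        grep -qx "[[:space:]]*$pid" "$ps_list" || echo "$pid"
    done
}
```

On a live host, save `ps -e -o pid=` to a file first, then call `hidden_pids /proc that_file` and `interpreter_procs /proc` as root so every `cwd` link is readable.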