Apache got hacked... bash command running all the time but I can't find it

Hi,

I don’t know if I’m posting in the right section… my apologies if I’m not. I’m not really familiar with openSUSE, and we got our Apache server (running openSUSE 11.2) hacked yesterday. Doing an lsof -i, I see that a bash command using the account wwwrun connects all the time to a botnet at ircu.krypt.com, and even if I kill it, it reconnects again and again.

I’ve cleaned the /tmp folder and I’ve checked the crontab, but I can’t find it.

Does anyone have an idea where I can find a lead to fix it?

Kind regards,
PoY

Take it offline and rebuild the machine.

Hi and thanks for the suggestion. It’s the second time in a month that this has happened, and we already rebuilt it last time… As I’m not familiar with openSUSE, and I would like not to rebuild it each month… do you know if there is some kind of command to check the security status of the server?

For example, in Gentoo there is “glsa-check”. If I rebuild it and there is a major security issue, I think it needs to be fixed first… :confused:

Take it offline, get an expert to analyse where the hole exists, then fix it.

Check that Apache is up to date, that all your webapps are up to date, that you don’t have any holes in your custom apps.

Unfortunately webapp security is not something that can be communicated in a forum thread. If you are using a particular webapp, ask on their forums what issues exist.

Many thanks for your reply. I finally found the script and fixed it. I’ll try to find out where the security breach is now.

Have a great day.

Kind regards,
PoY

Try running an audit tool and find the cause… it doesn’t matter if you only clear the ‘noise’.