help i've been hacked. :(

Chris W. Parker cparker at swatgear.com
Fri Aug 19 21:15:31 UTC 2005


Hello,

Currently the box is off the network but I have not been able to find
any clues as to how it was exploited (though it's probably through an
unpatched vulnerability).

The network card is continuously set to promiscuous mode and I cannot
shut off any services using the 'service' command. Also my grep binary
is destroyed periodically (about every minute or so).

If I take the card out of promiscuous mode with 'ifconfig eth0 -promisc'
almost all commands I do set it back. Typing 'cat' will set it back into
promiscuous mode (I can tell because one or more times the message
'promiscuous mode set' will appear on the screen), etc.

With 'netstat --inet -a' I can see a connection to an irc server.

What I need to find out is how far they've penetrated the network (have
they been able to sniff and compromise passwords?) and what the purpose
of the hack is. Is it to send spam? Is it to spread warez? etc.

The very last log line in /var/log/secure is 'SSHD[nnn]: Bad protocol
version identification `NICK mamef` from 82.77.26.80'. I thought maybe
'nick mamef' would hint at an exploit somewhere but Google didn't return
any useful info.

This box is just used as a webserver. My plan at this point is to take
the SSL keys off the server, verify that my backups from a few days ago
are working (php files and MySQL dump) and then reinstall with something
like FC4.

Also, I noticed that with 'ps -A' there are A LOT of awk and cat
processes. A lot of them say <defunct> next to their name.


What should I do? How can I figure out what's going on?



Thanks,
Chris.




More information about the redhat-list mailing list
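Three of the observations in the post can be checked from text copies of the relevant command output: the IRC command inside an sshd "Bad protocol version identification" line, the connection to an IRC server in netstat, and the card sitting in promiscuous mode. The script below is an added example for this page; it is not anything Chris posted or anything Red Hat ships. Its /var/log/secure, netstat and ifconfig samples are constructed, every address, nick and interface in them is made up, and the log lines use the real sshd quoting (a backtick before the rejected banner and a single quote after it). It goes slightly beyond the post by listing every outbound TCP connection rather than only the IRC one, since a box that is "just used as a webserver" should normally initiate none, and by tagging the common IRC port range.

```shell
#!/bin/sh
# Added live-response triage helpers (example code, not from the original post).
# They parse text copies of three artifacts: sshd "Bad protocol version
# identification" lines, `netstat --inet -an` output and `ifconfig -a` output.
# All sample data below is constructed; addresses, nicks and MACs are made up.

WORK=${TMPDIR:-/tmp}/triage.$$
mkdir -p "$WORK"

# Constructed /var/log/secure excerpt. sshd logs this when a client's first
# line is not an "SSH-" banner; here two peers spoke IRC and HTTP to port 22.
cat > "$WORK/secure" <<'EOF'
Aug 19 20:01:02 web sshd[1201]: Accepted password for chris from 192.0.2.10 port 50122 ssh2
Aug 19 20:05:44 web sshd[1250]: Bad protocol version identification `NICK mamef' from 82.77.26.80
Aug 19 20:06:10 web sshd[1251]: Bad protocol version identification `GET / HTTP/1.0' from 198.51.100.7
Aug 19 20:07:31 web sshd[1260]: Bad protocol version identification `USER x 0 * :x' from 82.77.26.80
EOF

# Constructed `netstat --inet -an` output for a host that serves HTTP/HTTPS
# and accepts SSH. The 6667 connection is the one a web server should not have.
cat > "$WORK/netstat" <<'EOF'
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 192.0.2.5:80            203.0.113.9:51822       ESTABLISHED
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 192.0.2.5:33021         198.51.100.20:6667      ESTABLISHED
tcp        0      0 192.0.2.5:22            192.0.2.10:50122        ESTABLISHED
udp        0      0 0.0.0.0:123             0.0.0.0:*
EOF

# Constructed `ifconfig -a` output; eth0 carries the PROMISC flag.
cat > "$WORK/ifconfig" <<'EOF'
eth0      Link encap:Ethernet  HWaddr 00:11:22:33:44:55
          inet addr:192.0.2.5  Bcast:192.0.2.255  Mask:255.255.255.0
          UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1
lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
EOF

# Print "<peer-ip> <IRC-command>" for every rejected sshd banner whose payload
# starts with an IRC command. Such a line shows a peer speaking IRC to port 22;
# it does not identify the exploit, but it names hosts worth looking up.
irc_probes_in_sshd_log() {
    awk -F'`' '
        /Bad protocol version identification/ {
            split($2, w, " ")              # $2 = text after the opening backtick
            cmd = toupper(w[1])
            gsub(/[^A-Z]/, "", cmd)        # drop the closing quote on one-word payloads
            if (cmd ~ /^(NICK|USER|PASS|JOIN|PRIVMSG|PONG|QUIT)$/) {
                n = split($0, f, " ")      # the peer address is the last field
                print f[n], cmd
            }
        }' "$1" | sort -u
}

# Print the foreign endpoint of every ESTABLISHED TCP connection whose local
# port is not one the host listens on, i.e. connections this box opened itself.
# Two passes: netstat does not guarantee LISTEN rows come first. Foreign ports
# in the usual IRC range get an "irc-port" tag.
outbound_connections() {
    awk '
        { line[NR] = $0 }
        $1 ~ /^tcp/ && $NF == "LISTEN" { n = split($4, a, ":"); listen[a[n]] = 1 }
        END {
            for (i = 1; i <= NR; i++) {
                split(line[i], f, " ")
                if (f[1] ~ /^tcp/ && f[6] == "ESTABLISHED") {
                    n = split(f[4], a, ":")
                    if (!(a[n] in listen)) {
                        m = split(f[5], b, ":"); p = b[m] + 0
                        tag = ((p >= 6660 && p <= 6669) || p == 7000) ? " irc-port" : ""
                        print f[5] tag
                    }
                }
            }
        }' "$1"
}

# Print each interface whose flags line carries PROMISC.
promisc_interfaces() {
    awk '/^[^ \t]/ { iface = $1 } /PROMISC/ { print iface }' "$1"
}

echo "== IRC protocol sent to sshd (peer, command) =="
irc_probes_in_sshd_log "$WORK/secure"
echo "== Outbound TCP connections =="
outbound_connections "$WORK/netstat"
echo "== Interfaces in promiscuous mode =="
promisc_interfaces "$WORK/ifconfig"
```

Two caveats for using this on a box in the state the post describes. The post says cat and grep are being replaced on a timer and that almost any command re-enables promiscuous mode, so nothing produced by the host's own awk, netstat, ifconfig or sort can be trusted; capture the output with statically linked binaries from read-only media, or better, pull the disk and read the logs and binaries from an image mounted read-only elsewhere. And treat the sshd line as a lead rather than an answer: the `NICK mamef` payload means the peer at that address sent an IRC client greeting instead of an SSH banner, which is what a bot or client configured with the wrong port looks like, not a record of how the box was entered. On the rebuild plan, any private key (SSL or SSH host key) that was on disk while the box was compromised should be treated as disclosed and reissued rather than copied to the new install.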