hacked

Stuart Sears stuart at sjsears.com
Fri Oct 13 09:48:41 UTC 2006



Steve Buehler wrote:
> My firewalls don't allow ssh access from other than my address and only
> with a public/private key pair.
I take it you were exploited via a PHP application of some kind?
Which RH version is this?
If you are using RHEL4 (or Fedora Core >= 4) I would recommend enabling
SELinux, particularly if you are dallying with the security sieve that
PHP appears to be...

> Any help would be appreciated since this person is going to get me
> blocked because of them trying to fish for ebay and paypal
> logins/passwords.

You can no longer trust this system at all. Absolutely any of the
existing binaries could have been replaced by trojans.
Do you have physical access?
Boot into a rescue environment, run your rootkit checks from there.
But IMHO you probably need to reinstall. Back up and check your
web content and scripts (prolly config files too).
Then reinstall the system and lock it down as tightly as possible.
(i.e., iptables, tcp_wrappers, SELinux, Apache access controls...)
Checking which rootkit (if any) was installed is basically an academic
issue at this point. Removing them is not guaranteed to work.

Regards

Stuart

--
Stuart Sears RHCA RHCSS RHCX ASAP PDQ STFU
There is no time like the present for postponing what you ought to be doing.
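The advice above is to run integrity checks from a rescue environment rather than trusting anything on the compromised host. As an added example (not code from the original thread), the script below triages the output of `rpm -Va` produced that way; the mount point `/mnt/sysimage`, the file `/tmp/verify.txt` and the sample lines are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example: triage "rpm -Va" output taken from a rescue environment.
# Assumptions (not stated in the post): the suspect disk is mounted at
# /mnt/sysimage and the report was produced with the rescue media's own rpm:
#     rpm -Va --root /mnt/sysimage > /tmp/verify.txt
# Caveat: the rpm database also lives on the suspect disk and may itself have
# been tampered with, so a clean report proves nothing. This only helps decide
# what to look at (and what to keep) before the reinstall the post recommends.

# Print files under system binary/library directories whose size (S),
# mode (M) or digest (5) differs from the package manifest. Config files
# (type 'c') and mtime-only (T) changes are ignored: both change in normal use.
suspect_binaries() {
    awk '
        /^missing/ { next }
        {
            flags = $1
            path  = $NF
            type  = (NF == 3) ? $2 : ""
            if (type == "c") next
            if (path !~ "^/(bin|sbin|lib|lib64|usr/(bin|sbin|lib|lib64|libexec))/") next
            if (flags ~ /[SM5]/) print path
        }
    '
}

# Print packaged files that are gone entirely (rpm reports them as "missing").
missing_files() {
    awk '/^missing/ { print $NF }'
}

# Constructed sample of rpm -Va output, standing in for /tmp/verify.txt.
sample_verify_output() {
    cat <<'EOF'
..5....T.    /bin/ls
S.5....T.    /usr/sbin/sshd
.......T.    /usr/bin/vim
S.5....T.  c /etc/ssh/sshd_config
..5....T.    /var/www/html/index.php
.M.......    /usr/lib/libexample.so.1
missing     /usr/bin/lsof
EOF
}

# Stand-alone run; on a real rescue boot replace sample_verify_output with
# "cat /tmp/verify.txt". Web content under /var/www is deliberately not
# covered here and should be reviewed separately, as the post says.
sample_verify_output | suspect_binaries
sample_verify_output | missing_files
```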

