07-09-2009, 04:49 PM
ramzex
Server Hacked - Found out how

Hello,

We just got one of our servers hacked.
It seems that the hackers first used XSS exploits to upload some scripts.
We secured that with the latest mod_sec rules from gotroot.com.
Unfortunately, we did not find those uploaded scripts.
And now that they cannot use XSS anymore, they used those scripts to find the users and passwords from the server.
They listed users from /var/mail and changed the passwords of the accounts.
Then they connected to FTP and uploaded/deleted files from the other accounts.
They also inserted iframes in others.

I am installing Suhosin now, and have put PHP in safe_mode for now and disabled the functions: exec, popen, pclose, ini_set

They also have a Perl script that can make symlinks to other accounts: they used the symlink() function from Perl.
How can I disable that for Perl?

I will update you on how it's going, and you are welcome to give me some tips on how to secure it better.

PS: the script name is EgY SpIdEr ShElL

Last edited by ramzex; 07-09-2009 at 04:51 PM.
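An added example, not part of the original post: one way to audit for the cross-account symlinks described above is to walk every account's home directory and report links whose resolved target lies outside that account. It assumes each account's home is a direct subdirectory of a single root (such as /home); the function names and the sample tree are hypothetical and constructed for the demonstration.

```python
import os
import tempfile

def find_cross_account_symlinks(homes_root):
    """Return (link_path, resolved_target) for every symlink under an account's
    home directory whose target resolves outside that same account's home."""
    findings = []
    homes_root = os.path.realpath(homes_root)
    for account in sorted(os.listdir(homes_root)):
        home = os.path.join(homes_root, account)
        if os.path.islink(home) or not os.path.isdir(home):
            continue
        # followlinks=False: never descend through a link into another account
        for dirpath, dirnames, filenames in os.walk(home, followlinks=False):
            for name in dirnames + filenames:
                path = os.path.join(dirpath, name)
                if not os.path.islink(path):
                    continue
                target = os.path.realpath(path)
                # commonpath equals home only when the target is inside it
                if os.path.commonpath([home, target]) != home:
                    findings.append((path, target))
    return findings

def build_demo_tree():
    """Constructed sample layout: two accounts, one benign link, one cross-account link."""
    root = tempfile.mkdtemp(prefix="homes_")
    for acct in ("alice", "bob"):
        os.makedirs(os.path.join(root, acct, "public_html"))
    secret = os.path.join(root, "alice", "public_html", "config.php")
    with open(secret, "w") as fh:
        fh.write("<?php // constructed sample ?>\n")
    # benign: the link stays inside alice's own home
    os.symlink(secret, os.path.join(root, "alice", "config-link.php"))
    # suspicious: bob's web root points into alice's account
    os.symlink(secret, os.path.join(root, "bob", "public_html", "a.txt"))
    return root

if __name__ == "__main__":
    for link, target in find_cross_account_symlinks(build_demo_tree()):
        print(f"{link} -> {target}")
```

On a real server, pass the actual homes root instead of the demo tree and run the audit as a user able to read every account's directories.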