
Thread: My server is compromised?

  1. #1
    Member
    Join Date
    May 2003
    Posts
    5


    In the list of processes of the server, I have seen these processes:
    ------------------
    root 27596 0.0 0.0 2072 920 ? S 16:27 0:00 xinetd -stayalive -pidfile /var/run/xinetd.pid
    nobody 28563 0.0 0.0 1380 376 ? S 16:32 0:00 ./tty
    nobody 28564 0.0 0.0 2100 1080 ttyp0 S 16:32 0:00 \_ sh -i
    -------------------

    In my terminal program (SSH) I received a message like this:

    ==============
    Broadcast.............................. (I remember only this)

    If you see this message, write to me to this address: "email"
    ===============

    I wrote to him. He answered that my server is hacked and that he can remove the vulnerability if I open an account for him.

    What can you advise me?


  2. #2
    Member casey
    Join Date
    Jan 2003
    Location
    If there is trouble, it will find me
    Posts
    2,336


    Well don't give him an account, whatever you do!


  3. #3
    cPanel Partner NOC DWHS.net
    Join Date
    Jul 2002
    Location
    LA, Costa Rica
    Posts
    1,385


    I would ask him how he hacked it and let us know

    Maybe offer a small price $20 for him to show you what he did. Then you can get his information from the payment method.

    He's not too bad to contact you; usually they just look for cc's and delete everything. So I have been told.

    Sorry about your misfortune and hope all turns out well.

    I would back up the server and move everything to a new server ASAP.


  4. #4
    Member
    Join Date
    May 2003
    Posts
    5


    Yes, I will not open an account for him.

    I nevertheless think there is a vulnerability.
    The remote user can run commands with the rights of nobody.


  5. #5
    cPanel Partner NOC
    Join Date
    Feb 2003
    Location
    Norman, OK
    Posts
    81


    Make sure no one on your server is running an outdated version of the PHP version of YaBB. (YaBBSE)

    There's a bug that allows users to upload scripts & compile & execute them as user nobody...

    Regards,
    Matt
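
Added example, not part of any post in this thread: a small triage script that parses `ps aux` forest output and flags the pattern visible in the first post's listing (an unprivileged service account running a binary by relative path and owning an interactive shell on a terminal). The `SERVICE_USERS` and `SHELLS` lists and the function names are assumptions chosen for illustration.

```python
import re

# Accounts that run daemons and should never own an interactive shell.
# This list is an assumption; adjust it to the accounts on your system.
SERVICE_USERS = {"nobody", "apache", "www-data", "httpd"}
SHELLS = {"sh", "bash", "dash", "ksh", "csh", "tcsh", "zsh"}

# The three process lines quoted in the first post.
SAMPLE = """\
root 27596 0.0 0.0 2072 920 ? S 16:27 0:00 xinetd -stayalive -pidfile /var/run/xinetd.pid
nobody 28563 0.0 0.0 1380 376 ? S 16:32 0:00 ./tty
nobody 28564 0.0 0.0 2100 1080 ttyp0 S 16:32 0:00 \\_ sh -i
"""

def parse_line(line):
    """Split one `ps aux` line; the command is everything after column 10."""
    parts = line.split(None, 10)
    if len(parts) < 11 or not parts[1].isdigit():
        return None  # header or malformed line
    user, pid, tty, cmd = parts[0], int(parts[1]), parts[6], parts[10]
    cmd = re.sub(r"^[\s|]*\\_\s+", "", cmd)  # drop the forest-mode tree prefix
    return {"user": user, "pid": pid, "tty": tty, "argv": cmd.split()}

def findings(ps_text):
    """Return (pid, reason) pairs for processes worth investigating."""
    out = []
    for line in ps_text.splitlines():
        p = parse_line(line)
        if p is None or not p["argv"] or p["user"] not in SERVICE_USERS:
            continue
        exe, args = p["argv"][0], p["argv"][1:]
        if exe.startswith("./"):
            out.append((p["pid"], "service account runs a binary by relative path"))
        if exe.rsplit("/", 1)[-1].lstrip("-") in SHELLS:
            if "-i" in args:
                out.append((p["pid"], "service account owns an interactive shell"))
            if p["tty"] != "?":
                out.append((p["pid"], "service account shell has a terminal: " + p["tty"]))
    return out

if __name__ == "__main__":
    for pid, reason in findings(SAMPLE):
        print(pid, reason)
```

For each flagged PID, `ls -l /proc/<pid>/exe /proc/<pid>/cwd` shows which binary is running and from which directory, which helps locate the writable path the upload landed in.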
