My server has been hacked again. Please Help me!

Are you literally running RH9? That is an incredibly old release that is open to who knows how many exploits.

If the attacker gains root it is hard to block them from doing much. A properly configured firewall can help block a backdoor like that from working but if they have root wiping the iptables rule would allow it to work.

What kernel were you running when you got exploited? You probably need to update it or get an entirely new OS.

 

Thanks for posting this, now even more hackers will have that backdoor and exploits.

Seriously dude, you still have a RH 9 install disk? That belongs in a museum.

RH9 was released like 5 years ago, and even at that time it wasn't that good. The RH series was totally discontinued after that, and is now RHE. RHE 5 is out, or if you want a free OS go with CentOS 5.

 

Your server is definitely rooted and cannot be cleaned up. The best way it to re-install the machine and apply some security tweaks.

The most important is your kernel which need to be kept updated as such rootkits are uploaded using a security hole in the kernel. You can then enable Apache suexec, PHP suexec, enable open_basedir, disable some php functions using which server side commands can be executed, install CSF firewall, mount /tmp and /dev/shm with noexec,nosuid mode and a few other important changes.