Been hacked - need help...
I've been running this box for about 3 years now with no issues....until about a month ago. I am running CentOS on a VM hosted by a web company. I administrate the box by myself.
It hosts a forum website (SMF).
The website started going down hard and was completely unresponsive 3-4 times a day. The only solution was to have the host hard boot it. The web hosting company just kept telling me it was running out of memory and I needed to pay to upgrade to a larger package which had more memory. I refused to accept this. My site isn't that big and no changes had been made. Why had it been running ok for 3 years and now it's a problem?
In the secure log there was evidence of someone brute forcing the SSH port. I installed DenyHosts and that took care of that problem, but the site still went down regularly.
Then they (the VM host) found a script in the /tmp directory called 'back'. It appears to be a mass mailing script of some sort. I removed it and chmod'd the dir. Also, I disabled SMTP because I do not use it.
Now, when I do a netstat, I notice the following connection:
tcp 0 0 my.server.com:34286 188.8.131.52:62224 ESTABLISHED
(obviously edited to protect my server)
I traced the foreign address to somewhere in Japan. I had seen this same type of connection last week and didn't like it so I added that IP to be blocked by iptables. Now it's back.
So can I find out what this IP is connecting to on my server? Or can I only just see that it's connected?
Nothing is detected by rkhunter and chkrootkit.
What else can I do?
I assume I got hacked by a vulnerability in SMF as I was running an old version. I upgraded it today.
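The question above is whether the established connection can be tied to a process on the box. On Linux the usual answers are `netstat -tunap`, `ss -tunap` or `lsof -i` run as root: the `-p` flag adds a PID/Program column, and `/proc/PID/exe`, `/proc/PID/cwd` and `/proc/PID/cmdline` then show what that PID actually is and where it was started from. The script below is an added example written for this thread, not code from the original post; it parses `netstat -tunap` output to find the owner of a connection to a given remote address and then reads the `/proc` entries for that PID. The remote address 188.8.131.52 is the one from the post; the local address 10.0.0.5, the PIDs, the program names and the `SAMPLE_NETSTAT` text are constructed so the script runs offline without touching the real network stack.

```shell
#!/bin/sh
# Added example, not from the original post: map an ESTABLISHED connection to
# the process that owns it. On a live box you would feed owner_of_remote the
# real output of `netstat -tunap` run as root; without root the PID/Program
# column reads "-", which is why the owner is only visible to root.

# Constructed sample of `netstat -tunap` output (addresses, PIDs and program
# names are placeholders; 188.8.131.52 is the address quoted in the post).
SAMPLE_NETSTAT='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1234/sshd
tcp        0      0 10.0.0.5:34286          188.8.131.52:62224      ESTABLISHED 4321/perl
tcp        0      0 10.0.0.5:80             203.0.113.9:51000       ESTABLISHED 2222/httpd'

# owner_of_remote REMOTE_IP [NETSTAT_TEXT]
# Prints the PID/Program field for every connection whose foreign address is
# REMOTE_IP. If NETSTAT_TEXT is omitted, `netstat -tunap` is run for real.
owner_of_remote() {
    ip="$1"
    text="${2:-$(netstat -tunap 2>/dev/null)}"
    printf '%s\n' "$text" | awk -v ip="$ip" '
        # only tcp/udp (and tcp6/udp6) rows; the foreign address is field 5
        $1 ~ /^(tcp|udp)/ && substr($5, 1, length(ip) + 1) == ip ":" {
            print $NF    # last field is PID/Program, or "-" when not root
        }'
}

# pid_of_remote REMOTE_IP [NETSTAT_TEXT]
# Same lookup, but returns only the numeric PID (one per line).
pid_of_remote() {
    owner_of_remote "$1" "$2" | awk -F/ '$1 ~ /^[0-9]+$/ { print $1 }'
}

# describe_pid PID
# Shows what the process really is: the binary it runs (including whether it
# has been deleted from disk), its working directory and its command line.
describe_pid() {
    pid="$1"
    if [ ! -d "/proc/$pid" ]; then
        echo "no process with PID $pid"
        return 1
    fi
    echo "exe: $(readlink "/proc/$pid/exe" 2>/dev/null || echo '(unreadable)')"
    echo "cwd: $(readlink "/proc/$pid/cwd" 2>/dev/null || echo '(unreadable)')"
    echo "cmd: $(tr '\0' ' ' < "/proc/$pid/cmdline" 2>/dev/null)"
}

# Offline demonstration against the constructed sample.
echo "owner of connection to 188.8.131.52: $(owner_of_remote 188.8.131.52 "$SAMPLE_NETSTAT")"
for p in $(pid_of_remote 188.8.131.52 "$SAMPLE_NETSTAT"); do
    describe_pid "$p" || true   # the sample PID does not exist on this machine
done
```

On the real server, run `owner_of_remote 188.8.131.52` as root with no second argument and then `describe_pid` on the PID it prints. A process whose `exe` link ends in `(deleted)`, whose `cwd` is `/tmp` or `/dev/shm`, or whose command line does not match a service you installed is the thing to investigate; the interpreter name alone (perl, python, sh) says little, which is why the `/proc` entries matter. Note that `ss -tunap` prints the owner in a different format (`users:(("perl",pid=4321,fd=3))`), so the awk field parsing here is specific to `netstat`.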