I think my Linux server has been hacked - now what!?!?
I'm running a web server on Linux FC-5 with apache, php, and mysql.
I realized something was wrong when I was trying to get vsftp to work on my server and found a phpinfo.php file in my html root directory. After reviewing some of the logs, I also made the following observations (it's possible that they may not have anything to do with the break-in):
I found that the "operator" user belongs to the root group and "/root" is its home directory (is this normal?)
I found in my /var/log/audit/audit.log (see attached file) that a user called "dave" tried to execute /usr/sbin/vsftpd (I don't have a user named "Dave" on my system)
I found in my /var/log/httpd/error_log the following notice: "[date/time] [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)" (see attached file)
My network printing has stopped working
vsftpd fails to load at startup (I had it running ever since I installed the server, without any error messages.)
Can someone tell me what happened based on the information in the log files?
How can I pinpoint the exact method and time of the break-in?
What other files should I look at, and where are they located?
I've already changed the root and operator passwords and disconnected my server from the network, but what else should I do?
What intrusion detection tool works with Fedora Core 5? I saw something about SNARE but I couldn't get it to work on my server.
Can anyone recommend articles and/or links on how to lock down a LAMP server?
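As an added example (not from the original post), the following Python triage script covers two of the checks the post raises: comparing /etc/passwd against the stock Red Hat-family baseline (where the `operator` entry ships with gid 0 and home /root, so that alone is expected) to flag any other uid-0, gid-0 or /root-homed account, and resolving the numeric uids in raw audit.log SYSCALL records to find executions by an account that no longer exists in /etc/passwd. The passwd fragment, the `tmpacct` line and the audit records are constructed sample data.

```python
import re

# Constructed /etc/passwd fragment: stock FC-5 entries plus one planted account.
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
apache:x:48:48:Apache:/var/www:/sbin/nologin
tmpacct:x:0:0::/root:/bin/bash
"""

# Constructed raw audit.log SYSCALL records (Linux audit field names, uids numeric).
AUDIT = """\
type=SYSCALL msg=audit(1160000000.100:10): arch=c000003e syscall=59 success=yes exit=0 auid=0 uid=0 comm="vsftpd" exe="/usr/sbin/vsftpd" key=(null)
type=SYSCALL msg=audit(1160000000.200:11): arch=c000003e syscall=59 success=no exit=-13 auid=4294967295 uid=502 comm="vsftpd" exe="/usr/sbin/vsftpd" key=(null)
"""

# Baseline assumption: on Red Hat-derived systems only these two accounts legitimately
# combine gid 0 with home /root (setup package defaults).
STOCK_PRIVILEGED = {("root", 0, 0, "/root"), ("operator", 11, 0, "/root")}

def parse_passwd(text):
    """Map account name -> (uid, gid, home, shell)."""
    accounts = {}
    for line in text.splitlines():
        name, _, uid, gid, _, home, shell = line.split(":")
        accounts[name] = (int(uid), int(gid), home, shell)
    return accounts

def suspicious_accounts(accounts):
    """Names with uid 0, gid 0 or home /root that are not the known stock entries."""
    flagged = []
    for name, (uid, gid, home, _shell) in accounts.items():
        privileged = uid == 0 or gid == 0 or home == "/root"
        if privileged and (name, uid, gid, home) not in STOCK_PRIVILEGED:
            flagged.append(name)
    return flagged

def unknown_uids(audit_text, accounts):
    """(epoch, uid, exe) for SYSCALL records whose uid maps to no passwd entry,
    e.g. an account created for the intrusion and deleted afterwards."""
    known = {uid for uid, _, _, _ in accounts.values()}
    pattern = r'msg=audit\((\d+)\.\d+:\d+\).*? uid=(\d+) .*?exe="([^"]+)"'
    hits = []
    for m in re.finditer(pattern, audit_text):
        ts, uid, exe = int(m.group(1)), int(m.group(2)), m.group(3)
        if uid not in known:
            hits.append((ts, uid, exe))
    return hits

if __name__ == "__main__":
    acc = parse_passwd(PASSWD)
    print("accounts to review:", suspicious_accounts(acc))
    print("executions by unknown uids:", unknown_uids(AUDIT, acc))
```

On a real system, point the two parsers at /etc/passwd and /var/log/audit/audit.log copied off the disconnected host; the epoch in each hit gives a timestamp to line up against the httpd logs.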