- 03-22-2011 #1
Index files hacked
Hi,
We have a Linux web server with more than 1000 websites. Hackers are hacking the index files of this server using a Perl script which is uploaded to the /tmp directory.
php -m is giving the below output:
[PHP Modules]
bz2
calendar
ctype
curl
date
dbase
dom
exif
filter
ftp
gd
gettext
gmp
hash
iconv
imap
ionCube Loader
json
ldap
libxml
mbstring
mcrypt
mysql
mysqli
openssl
pcntl
pcre
PDO
pdo_mysql
pdo_sqlite
readline
Reflection
session
shmop
SimpleXML
sockets
SPL
standard
tokenizer
wddx
xml
xmlreader
xmlwriter
xsl
zip
zlib
[Zend Modules]
the ionCube PHP Loader
- 03-22-2011 #2
The PHP module list doesn't help much.
Did you already identify, how the attack was done?
Are you 100% sure, that your server is compromised?
Because then the only logical solution is to shut it down,
rebuild another machine, sanitize the data, transfer the data and start the sites on the new machine.
You must always face the curtain with a bow.
- 03-22-2011 #3
steps to do:
* confirm that your server has been compromised
* inform your customers that you're going to shut down the service as long as this issue is not resolved as you really care for the safety of customers data
* restrict the access to this server to a limited number of IPs (only your engineers should access the server)
* identify the damage done
* then determine what steps need to be taken to clean customers data
* then set up a new server from scratch
* take all steps needed to secure the server and prevent this incident from happening again
* finally import the customers data, nicely cleaned up and checked that it doesn't contain any malicious stuff
if in this process you find out that it was one of your customers' fault, blame him in public and send him a huge bill
.. *joking*
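
For the "identify the damage done" step, a read-only triage script, added here as an example and not part of the original posts: it lists index files changed after a reference file and script files sitting in the upload directory, including ones without a script extension. The function names, the one-directory-per-site layout and the reference marker file are assumptions; the sample tree is constructed.

```bash
#!/usr/bin/env bash
# Added example: read-only triage for the defacement described in this thread.
# Assumed layout: one directory per site under a common base; uploads land in /tmp.

# index.* files modified after the reference file's mtime (e.g. a last-known-good marker).
changed_index_files() {
    find "$1" -xdev -type f -name 'index.*' -newer "$2" -print 2>/dev/null | sort
}

# Files in the upload directory that are scripts by extension or by "#!" first bytes,
# so a Perl script saved under an unrelated name is still listed.
suspect_scripts() {
    local f
    find "$1" -xdev -type f -print 2>/dev/null | sort | while IFS= read -r f; do
        case $f in
            *.pl|*.cgi|*.php|*.py|*.sh) printf '%s\n' "$f"; continue ;;
        esac
        if [ "$(head -c 2 "$f" 2>/dev/null | tr -d '\0')" = '#!' ]; then
            printf '%s\n' "$f"
        fi
    done
}

# Report owner, size and mtime for each hit; nothing is modified or deleted.
triage() {
    local base="$1" ref="$2" tmp="$3" f
    echo "== index files changed since $ref"
    changed_index_files "$base" "$ref" | while IFS= read -r f; do ls -ld "$f"; done
    echo "== script files in $tmp"
    suspect_scripts "$tmp" | while IFS= read -r f; do ls -ld "$f"; done
}

# Constructed sample tree (not data from the thread) so the functions can be tried offline.
make_sample() {
    local d; d=$(mktemp -d) || return 1
    mkdir -p "$d/www/site1" "$d/www/site2" "$d/tmp"
    echo '<html>ok</html>' > "$d/www/site1/index.html"
    touch -t 201103010000 "$d/www/site1/index.html" "$d/ref"     # old, untouched
    echo '<html>changed</html>' > "$d/www/site2/index.php"       # newer than ref
    printf '#!/usr/bin/perl\nprint "x";\n' > "$d/tmp/sess_ab12"  # script, no extension
    echo 'plain session data' > "$d/tmp/sess_cd34"
    echo "$d"
}

sample=$(make_sample) && triage "$sample/www" "$sample/ref" "$sample/tmp"
```

On a real server the reference file would be something known to predate the incident, and the listed files should be copied off for analysis before anything is cleaned.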


