Hacked Version 1.29.7

Looks like an ARP spoofing attack to me. We got this kind of problem sometimes too; the datacenter should be responsible for this.

One of the files is owned by Apache, which suggests it came in via php or cgi.

If I recall, the two files below are created by a script that has this description

Data Cha0s Perl Connect Back Backdoor

drwxrwxrwt 2 root root 1024 Feb 5 14:51 .font-unix
drwxrwxrwt 2 root root 1024 Feb 5 14:51 .ICE-unix
 


A file owned by apache is normal in /tmp; .font-unix and .ICE-unix are directories created by system programs, which are normal as well. If his /tmp is secure, then there won't be a problem.
Since he said all websites on his servers had iframe code inserted and the datacenter solved the problem later, I'm pretty sure it's an ARP attack, because an ARP attack can easily insert iframe code into every website on the LAN if there is no ARP attack protection.
 
Ah...thanks for the clarification
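
A defender-side check for the ARP spoofing scenario raised in the thread, added here as an example and not posted by any participant: it parses a Linux ARP table in `/proc/net/arp` format and flags a gateway entry that does not match a known-good MAC, plus any MAC claimed by more than one IP. The sample table, addresses, and the expected gateway MAC are constructed; in practice the known-good MAC would come from the datacenter.

```python
from collections import defaultdict

# Constructed sample in /proc/net/arp format (documentation IPs, made-up MACs).
SAMPLE_ARP = """\
IP address       HW type     Flags       HW address            Mask     Device
192.0.2.1        0x1         0x2         02:00:00:aa:bb:07     *        eth0
192.0.2.7        0x1         0x2         02:00:00:aa:bb:07     *        eth0
192.0.2.9        0x1         0x2         02:00:00:aa:bb:09     *        eth0
192.0.2.20       0x1         0x0         00:00:00:00:00:00     *        eth0
"""

def parse_arp(text):
    """Return (ip, mac, device) for every resolved entry in the table."""
    entries = []
    for line in text.splitlines()[1:]:        # skip the header row
        fields = line.split()
        if len(fields) < 6:
            continue
        ip, _hw, flags, mac, _mask, dev = fields[:6]
        if int(flags, 16) & 0x2 == 0:         # ATF_COM unset: entry not resolved
            continue
        entries.append((ip, mac.lower(), dev))
    return entries

def shared_macs(entries):
    """MACs answering for several IPs on one interface. This can be legitimate
    (proxy ARP, a host with several addresses), so treat it as a lead to verify."""
    by_mac = defaultdict(set)
    for ip, mac, dev in entries:
        by_mac[(dev, mac)].add(ip)
    return {k: sorted(v) for k, v in by_mac.items() if len(v) > 1}

def gateway_mismatch(entries, gateway_ip, expected_mac):
    """Return the MAC currently cached for the gateway if it differs from the
    known-good one, else None."""
    for ip, mac, _dev in entries:
        if ip == gateway_ip and mac != expected_mac.lower():
            return mac
    return None

if __name__ == "__main__":
    with open("/proc/net/arp") as f:          # live table on a Linux host
        live = parse_arp(f.read())
    for (dev, mac), ips in shared_macs(live).items():
        print(f"{dev}: {mac} is claimed by {', '.join(ips)}")
```

If the gateway check fires, a static ARP entry for the gateway on the server is a stopgap until the datacenter enables ARP protection on the switch.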
 