> Yes the compromised server was a fc1+bq. We have a few websites running
> on this server and we have a feeling that the user might have come
> through one of the php-enabled sites. One had a forum on it, we've
> removed that one, but the backdoor is still active (the server is
> unavailable for a few hours every night now).
>
> Today I was working on the server (ssh) when I noticed that a -bash job
> was connected to apache (ps -aux). I have a feeling that this might have
> something to do with the hack.
> I have a feeling that there is an insecure php-script running on the
> server that the hacker has used. We've now turned safe mode on. (Btw:
> with safe mode on the bq admin doesn't work, which is a bad thing).
> BlueQuartz should run in php safe mode.
>
> I ran chkrootkit and also found that there was a worm going on. That was
> the last thing I found out before the connection froze and I wasn't able
> to get in touch with the server. But I'll try again at 05.00 tomorrow
> morning.
Great info, thanks! Regarding running BQ in php safe mode, I don't think
that it will ever be possible without a major rewrite. The BQ admin application
must have the possibility of r+w access to system (usually root) files, restarting
daemons, etc.
Cheers,
Vlado