Is my web server being compromised? [duplicate]

Solution 1:

Yes, you have been hacked. The hacker installed an IRC backdoor and you are connecting to this IRC server:

const  int port      = 1254; 
const char channel[] = "#test";
const char password[]= "pass";
const char server[]  = "heathen.cc";

The bot herder can execute any commands on your server. I recommend shutting down the server and reinstalling immediately. The bot has a few DDoS attack features: DNS flood, SYN flood and ICMP flood. It also works on Windows, which is pretty cool. There is a really old spreading module to infect MyDoom. This looks like some old malware.
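
As an added example (not part of the original answers), this check looks for live TCP connections to the port in the config quoted above by parsing Linux's /proc/net/tcp. It assumes a little-endian Linux host and IPv4 only; the function names, the sample table and its addresses are constructed for illustration.

```python
import socket
import struct

C2_PORT = 1254  # port taken from the backdoor config quoted above
STATES = {"01": "ESTABLISHED", "02": "SYN_SENT"}  # states of an outbound session

# Constructed sample in /proc/net/tcp format (not captured from a real host).
SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 11111 1
   1: 0A00000A:0016 0200000A:D431 01 00000000:00000000 02:000A0000 00000000     0        0 22222 2
   2: 0A00000A:9C40 0A0200C0:04E6 01 00000000:00000000 00:00000000 00000000    33        0 33333 1
"""

def decode_endpoint(field):
    """Turn 'HEXIP:HEXPORT' into (dotted_ip, port). The kernel prints the IPv4
    address as a native-endian 32-bit word; little-endian is assumed here."""
    ip_hex, port_hex = field.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16)))
    return ip, int(port_hex, 16)

def find_c2_connections(table_text, port=C2_PORT):
    """Return connecting or established sockets whose remote port equals `port`."""
    hits = []
    for line in table_text.splitlines()[1:]:  # skip the header row
        cols = line.split()
        if len(cols) < 10 or cols[3] not in STATES:
            continue  # short line, or a listening/closing socket
        remote = decode_endpoint(cols[2])
        if remote[1] == port:
            hits.append({
                "local": decode_endpoint(cols[1]),
                "remote": remote,
                "state": STATES[cols[3]],
                "uid": int(cols[7]),    # owner of the socket
                "inode": int(cols[9]),  # matches socket:[inode] under /proc/<pid>/fd
            })
    return hits

if __name__ == "__main__":
    try:
        with open("/proc/net/tcp") as fh:
            table = fh.read()
    except OSError:
        table = SAMPLE  # fall back to the constructed sample off-Linux
    for hit in find_c2_connections(table):
        print(hit)
```

The reported inode identifies the owning process through the `socket:[inode]` links in /proc/<pid>/fd. A match on port alone is a lead to investigate, and a clean result from a host that is already compromised proves little, since the malware may hide its sockets.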

Solution 2:

The answer is in any case yes, your server is being or has been compromised.

You should cut off the Internet connection to the server immediately, make a full backup (bear in mind other files may be compromised, too), and reinstall.

Also, you may want to notify the owners of the IP the botnet (or whatever this is) is run from. Here is the RIPE whois data.

Solution 3:

Never allow root login via SSH.