Something uploading a VOIP hack to my /tmp folder
Posted on 2011-02-16
With the much appreciated help of one of the experts on this fantastic resource, I have succeeded in hardening my CentOS 5.5 root access by using sudo. However, someone or something is continually uploading a file called test.tgz to my system, unpacking it and running a VOIP hack called ALOHA. I delete the /tmp/aloha folder and all files, including the test.tgz file, but within hours it's back again!
I know I could rebuild the server and use rsync to copy all the websites across to the new server. I know I could migrate all the databases on the server to the new server, but there is absolutely nothing stopping this person from coming onto the new server and doing it all over again. Because the server is a production server, I cannot rename it or re-IP it.
A step by step tutorial or help getting either this server hardened to the point where this cannot happen again or, if I build a new server, how to ensure this sort of thing can't happen there, would be sincerely appreciated.
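Before rebuilding, a defender usually wants to know what keeps recreating /tmp/aloha: on a box like this the usual suspects are a cron entry or a process still running out of /tmp. The script below is an added example, not from the original post or any answer to it. It defines two small checks that read crontab-style text and `ps`-style output from stdin and flag lines mentioning the drop locations named in the post, exercises them against constructed sample input (the crontab lines and process list are made up for illustration), and can be pointed at the live host with `--live`. The cron file paths are the standard CentOS 5 locations and are an assumption about the layout of the server in question.

```sh
#!/bin/sh
# Added example (not from the original post): find what might be recreating
# /tmp/aloha and /tmp/test.tgz after they are deleted.

# suspicious_cron_lines: read crontab text from stdin, drop comment lines,
# and print entries that reference the drop locations from the post.
suspicious_cron_lines() {
    grep -v '^[[:space:]]*#' | grep -E '/tmp/aloha|test\.tgz'
}

# suspicious_tmp_processes: read `ps -eo user,pid,args` output from stdin
# (header on line 1, command path in column 3) and print processes whose
# executable lives under /tmp.
suspicious_tmp_processes() {
    awk 'NR > 1 && $3 ~ /^\/tmp\//'
}

# Constructed sample crontab content (illustrative, not data from the server).
SAMPLE_CRON='# m h dom mon dow command
*/30 * * * * /tmp/aloha/start.sh >/dev/null 2>&1
0 * * * * cd /tmp && tar xzf test.tgz
0 3 * * * /usr/sbin/logrotate /etc/logrotate.conf'

# Constructed sample process listing in `ps -eo user,pid,args` layout.
SAMPLE_PS='USER PID COMMAND
root 1 /sbin/init
apache 2231 /tmp/aloha/aloha -d
apache 2240 /usr/sbin/httpd'

# scan_live_system: run the same two checks against the real host.
# Cron paths assume a stock CentOS 5 layout; adjust if yours differs.
scan_live_system() {
    echo "== cron entries referencing /tmp/aloha or test.tgz =="
    cat /etc/crontab /etc/cron.d/* /var/spool/cron/* 2>/dev/null | suspicious_cron_lines
    echo "== running processes executing from /tmp =="
    ps -eo user,pid,args | suspicious_tmp_processes
}

# Demonstration on the constructed samples.
echo "== sample cron hits =="
printf '%s\n' "$SAMPLE_CRON" | suspicious_cron_lines
echo "== sample /tmp processes =="
printf '%s\n' "$SAMPLE_PS" | suspicious_tmp_processes

# Only touch the live system when explicitly asked to.
if [ "${1:-}" = "--live" ]; then
    scan_live_system
fi
```

Run it with `--live` as root to check the real crontabs and process list; a hit in a web server user's crontab or a process running from /tmp tells you which account is compromised and which persistence entry to remove before (or instead of) the rebuild. On a mostly static web host it is also reasonable to mount /tmp with `noexec` so a dropped archive cannot be executed in place.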