hacked by By BeLa & BodyguarD

[shajazzi]

I am running suse 9.3 and ispconfig.
I run rkhunter regularly and never found any problems with root kits until today when all sites on my server had been hacked by By BeLa & BodyguarD
I then ran rkhunter and found nothing unusual.
Then i started to check all the files and folders in one of the sites and found that the index.php had been hacked. I replaced it with a backup and bingo i am back in business.
Is there anyway that i can find out how the hacker managed to penetrate my servers security?
By the way I googled By BeLa & BodyguarD and found that this hacker was mainly concentrating on hacking forums

shajazzi

[till]

By which linux users have the replaced files been owned?
The apache user? Do you run PHP as mode_php or SuPHP?
Do you use PHP safemode on and is your PHP up to date?
Are all the replaced index.php files from a specific Conetnt management sytsem like drupal, wordpress, typo3,... ?

[shajazzi]

The replaced files are owned by
User: wwwrun and group www,
PHP runs as mod_php
php save mode is off
rkhunter now shows php4 is not up to date
All site are running on mambo and joomla

I have notice quite a few issues since i did an apt-get upgrade on this server.
YAST ONLINE updater shows an update for php4 and updates successfully
but when i run rkhunter again it shows php4 is not upto date.
I have another server ready to run with suse 10.0, i know what you are going to say, why didn`t you install debian, the answer to this is that i could never get it to install properly on my 64bit systems and had similar problems with ubuntu. So it looks like i am stuck with suse for the time being , which i am happy with. I also have a copy of xandros linux, puppy linux and damm small linux among many others but cannot find any decent server setup suggestions around at the moment so i will leave them for later date

shajazzi