Server hacked using PHP 5.x Remote Code Execution Exploit

Haven't been able to find much information on cleaning out this exploit. I believe it was a hack that allowed the server to be used in a botnet. There were several PIDs with www-data as the user using a lot of CPU. Here is what I got:

    netstat -tenp| grep $29148
    tcp 0 0 x.x.x.x:40088 18.104.22.168:5190 ESTABLISHED 33 909978212 29148/mingetty tty7

    netstat -tenp| grep $19611
    tcp 0 0 x.x.x.x:52626 22.214.171.124:80 ESTABLISHED 33 909251230 19611/sshd

    netstat -tenp| grep $10853
    tcp 0 0 x.x.x.x:60819 126.96.36.199:6667 ESTABLISHED 33 909453237 10853/xauditd

I blocked those IPs and rebooted the server. I also added a password for user www-data just in case. Then an hour later another one showed up. I blocked that IP and killed the PID. Some hours later there was one more. Also, those ports, 60819, 52626, and 40088, are not open in the ISPConfig firewall (the x.x.x.x are the server IP edited out).

The hacker, logged in as www-data, tried to su to root but was unsuccessful.

    Nov 2 10:08:07 server su: pam_unix(su:auth): authentication failure; logname= uid=33 euid=0 tty=pts/5 ruser=www-data rhost= user=root
    Nov 2 10:08:09 server su: pam_authenticate: Authentication failure
    Nov 2 10:08:09 server su: FAILED su for root by www-data
    Nov 2 10:08:09 server su: - pts/5 www-data:root

I'm setting up a new server, but I'd like to identify where this is coming from before I copy any sites over. Any ideas?
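An added example, not part of the original post: a Python triage pass over `netstat -tenp` output that flags established connections owned by the web server uid (33, www-data in the post) when the program name is not one that uid normally runs, when the local port is ephemeral (an outbound connection, which inbound firewall rules do not cover), or when the remote port is IRC (6667). The sample lines are constructed with documentation addresses, and the `EXPECTED` and `SERVICE_PORTS` sets are assumptions to adjust per server.

```python
WEB_UID = 33                                # www-data, matching uid=33 in the post
EXPECTED = {"apache2", "php-fpm", "nginx"}  # assumption: programs this uid normally runs
SERVICE_PORTS = {80, 443}                   # assumption: ports the web server listens on
IRC_PORTS = {6667}                          # remote port seen in the post

# Constructed sample in `netstat -tenp` layout (documentation addresses only).
SAMPLE = """\
Proto Recv-Q Send-Q Local Address Foreign Address State User Inode PID/Program name
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 0 909000001 2200/apache2
tcp 0 0 192.0.2.10:40088 198.51.100.7:5190 ESTABLISHED 33 909978212 29148/mingetty tty7
tcp 0 0 192.0.2.10:52626 198.51.100.8:80 ESTABLISHED 33 909251230 19611/sshd
tcp 0 0 192.0.2.10:60819 198.51.100.9:6667 ESTABLISHED 33 909453237 10853/xauditd
tcp 0 0 192.0.2.10:443 203.0.113.5:51514 ESTABLISHED 33 909500001 2211/apache2
tcp 0 0 192.0.2.10:22 203.0.113.6:50022 ESTABLISHED 0 909500002 1402/sshd
"""

def parse(line):
    """Return one TCP connection as a dict, or None for headers/listeners."""
    f = line.split()
    if len(f) < 9 or not f[0].startswith("tcp") or "/" not in f[8]:
        return None
    lport, rport = f[3].rsplit(":", 1)[-1], f[4].rsplit(":", 1)[-1]
    if not (lport.isdigit() and rport.isdigit() and f[6].isdigit()):
        return None  # e.g. LISTEN rows have '*' as the remote port
    pid, prog = f[8].split("/", 1)
    return {"lport": int(lport), "remote": f[4], "rport": int(rport),
            "state": f[5], "uid": int(f[6]), "pid": int(pid), "prog": prog}

def findings(text):
    """List (pid, program, remote, reasons) for suspicious web-uid connections."""
    out = []
    for line in text.splitlines():
        c = parse(line)
        if not c or c["uid"] != WEB_UID or c["state"] != "ESTABLISHED":
            continue
        reasons = []
        if c["prog"] not in EXPECTED:
            reasons.append("unexpected program name for web uid")
        if c["lport"] not in SERVICE_PORTS:
            reasons.append("outbound connection from ephemeral local port")
        if c["rport"] in IRC_PORTS:
            reasons.append("remote port is IRC")
        if reasons:
            out.append((c["pid"], c["prog"], c["remote"], reasons))
    return out

if __name__ == "__main__":
    for pid, prog, remote, reasons in findings(SAMPLE):
        print(pid, prog, remote, "; ".join(reasons))
```

On a live host, `ls -l /proc/<pid>/exe` for each flagged PID shows the binary actually running behind the reported name.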