Got fecked over by this a couple of times since the 23rd
[root@box httpd]# grep addpost_newpoll.php net-access_log |wc -l
Thing is, Rick, you knew about the problem early on in May, and it only just found its way onto the likes of checksum.org and securityfocus.com in the last couple of days.... If you had a mailing list for errata updates for things like this, it might save us all from having to spend a few hours mopping up the various AOL and credit card phishing sites that have been installed on our servers.... Just a thought.
Now, to check for back doors, you want to look for any folders that were writable by the user you run your web server as ("apache" or "httpd", usually). I had /userimages and /attachments. They'll probably be full of phishing sites now; mine were.
Check the contents of /tmp for backdoor programs.
Then run 'netstat -npl' to see what ports are accepting connections on your box.
For example, I found an "apache" program listening on 0.0.0.0:5555, which isn't right.
[root@box httpd]# telnet localhost 5555
Connected to localhost.localdomain (127.0.0.1).
Escape character is '^]'.
:Welcome!psyBNC@ArDaN.or.id NOTICE * :psyBNC2.3.1
More digging found this in /tmp:
,----.,----.,-. ,-.,---.,--. ,-.,----.
| O || ,-' \ \/ / | o || \| || ,--'
| _/ _\ \ \ / | o< | |\ || |__
|_| |____/ |__| |___||_| \_| \___|
Version 2.3.1 (c) 1999-2003
ArDaN Community Chat
and the cool lam3rz Group DALNet
Configuration File: ArDaN
Language File: psyBNC Language File - English
No logfile specified, logging to log/psybnc.log
Listening on: 0.0.0.0 port 3036
psyBNC2.3.1-cBtITLdDMSNp started (PID 29821)
Oh, and also look at the crontab for the user your web server runs as (usually 'crontab -u apache -e').
Mine was calling various scripts every minute (/var/log/cron should show you that too).
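The cleanup walk-through above (count the addpost_newpoll.php hits, look for files dropped into web-writable directories, check 'netstat -npl' for listeners that should not be there, check the web user's crontab) as a small triage script. This is an added example, not code from the post or from UBB; the access-log, netstat and crontab lines it works on are constructed samples, and the port allowlist, directory names and the crontab being read from a 'crontab -u apache -l' dump are assumptions to adjust for your own server.

```shell
#!/bin/sh
# Added example, not from the original post. Helpers for the four checks the
# post describes. All sample data below is CONSTRUCTED for the demo.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed combined-format access log: two POSTs from one host, one probe
# from another, one innocent request.
cat > "$WORK/access_log" <<'EOF'
203.0.113.7 - - [24/May/2005:02:11:03 +0000] "POST /ubbthreads/addpost_newpoll.php HTTP/1.1" 200 512 "-" "Mozilla/4.0"
203.0.113.7 - - [24/May/2005:02:11:09 +0000] "POST /ubbthreads/addpost_newpoll.php HTTP/1.1" 200 512 "-" "Mozilla/4.0"
198.51.100.4 - - [24/May/2005:03:40:55 +0000] "GET /ubbthreads/addpost_newpoll.php?x=1 HTTP/1.0" 200 77 "-" "-"
192.0.2.10 - - [24/May/2005:04:00:00 +0000] "GET /ubbthreads/ubbthreads.php HTTP/1.1" 200 9823 "-" "Mozilla/5.0"
EOF

# Constructed 'netstat -npl' output: httpd, sshd, ntpd plus a bouncer on
# two ports disguised as "apache".
cat > "$WORK/netstat.txt" <<'EOF'
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      1201/httpd
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      900/sshd
tcp        0      0 0.0.0.0:5555            0.0.0.0:*               LISTEN      29821/apache
tcp        0      0 0.0.0.0:3036            0.0.0.0:*               LISTEN      29821/apache
udp        0      0 0.0.0.0:123             0.0.0.0:*                           700/ntpd
EOF

# Constructed 'crontab -u apache -l' dump: one every-minute job, one normal.
cat > "$WORK/crontab.txt" <<'EOF'
MAILTO=""
# m h dom mon dow command
* * * * * /tmp/.x/run >/dev/null 2>&1
0 4 * * * /usr/local/bin/rotate-images
EOF

# Constructed web-writable directory: an old avatar and a freshly dropped
# phishing page; the cutoff file's mtime marks the start of the incident.
mkdir -p "$WORK/userimages"
touch -t 200505230000 "$WORK/cutoff"
touch -t 200501010000 "$WORK/userimages/avatar.gif"
echo '<html>fake login</html>' > "$WORK/userimages/paypal.html"

# 1. Who hit addpost_newpoll.php: hit count per source IP, busiest first.
#    $1: access log
attack_sources() {
    awk '/addpost_newpoll\.php/ { print $1 }' "$1" | sort | uniq -c | sort -rn
}

# 2. Listening sockets whose port is not on the allowlist.
#    $1: saved 'netstat -npl' output; prints "port pid/program" per finding.
EXPECTED_PORTS="22 80 123 443"   # assumption: what this box should serve
unexpected_listeners() {
    awk -v ok="$EXPECTED_PORTS" '
        BEGIN { n = split(ok, a, " "); for (i = 1; i <= n; i++) okp[a[i]] = 1 }
        $1 ~ /^tcp/ && $6 == "LISTEN" { prog = $7 }   # tcp lines carry a State column
        $1 ~ /^udp/                   { prog = $6 }   # udp lines do not
        prog != "" {
            port = $4; sub(/.*:/, "", port)          # works for 0.0.0.0:5555 and :::5555
            if (!(port in okp)) print port, prog
            prog = ""
        }' "$1"
}

# 3. Files written into a web-writable directory after the cutoff.
#    $1: directory, $2: reference file whose mtime is the cutoff
recent_files() {
    find "$1" -type f -newer "$2" | sort
}

# 4. Crontab entries that fire every minute (minute field "*" or "*/1").
#    $1: crontab dump (e.g. from 'crontab -u apache -l')
every_minute_jobs() {
    awk '$1 !~ /^#/ && ($1 == "*" || $1 == "*/1") && NF >= 6' "$1"
}

echo "== sources hitting addpost_newpoll.php";  attack_sources "$WORK/access_log"
echo "== listeners not on the allowlist";       unexpected_listeners "$WORK/netstat.txt"
echo "== new files under userimages";           recent_files "$WORK/userimages" "$WORK/cutoff"
echo "== every-minute cron jobs";               every_minute_jobs "$WORK/crontab.txt"
```

On a real box, point attack_sources at the access log, save 'netstat -npl' output to a file for unexpected_listeners, use a file touched with the date of the first suspicious hit as the cutoff for recent_files, and feed every_minute_jobs the output of 'crontab -u apache -l'. Anything flagged by the netstat check deserves the same 'telnet localhost <port>' banner grab the post shows, since a bouncer or shell will usually announce itself.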