I have a client who has now been hacked twice. The machine is CentOS 4.3 with the latest version of DirectAdmin, a popular control panel for shared web hosting. The first time, he simply had high load averages on his box with very little CPU utilization; nothing else that would lead you to believe it had been hacked.
We reloaded his OS and everything was fine for a week or two. Now, twice in the past 48 hours, I've received abuse complaints stating that one of his clients was serving up a phishing site. The site is obviously being advertised via spam e-mail or similar. It is obvious that the owner of the website is not responsible: the files are owned by the directory owner's account, which automatically excludes things like Apache or PHP from being the culprit (they run as 'apache' or as 'nobody', not as the web hosting user). The owner of the site is presumed innocent because I can't find any record of him ever uploading the phishing files via FTP, etc.
I do feel bad for my client who owns the server. It's obvious that some program in DirectAdmin has a major vulnerability that is causing his box to get rooted. I'll bet that the developers of the software (exim, php, etc.) probably don't even know something is vulnerable. What a shame.
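The attribution reasoning above (who owns the files, and whether an FTP upload record explains them) is the kind of check worth scripting when triaging a shared-hosting box. The following is an added example, not code from the original post or from DirectAdmin; the account name `webuser`, the paths, the listing and the xferlog lines are all constructed for illustration. It takes a file listing in the shape GNU `find -printf '%u %T@ %p\n'` produces, correlates each file with inbound transfers in a standard wu-ftpd/proftpd-style xferlog, and reports which identity plausibly wrote it: the web server user, a genuine FTP upload by the account, or the account's own uid with no FTP record at all (which points at a process running as that user, such as a stolen password used over SSH/SCP, a cron job, or a control-panel component, rather than at the site owner's FTP client).

```python
import calendar
import time

# Hypothetical DirectAdmin account that owns the virtual host (assumption).
EXPECTED_OWNER = "webuser"
# Accounts the web server and PHP run under on this kind of box.
WEB_SERVER_USERS = {"apache", "nobody"}
# FTP transfer completion and file mtime normally agree to the second;
# allow a small window for clock skew and slow transfers.
MTIME_TOLERANCE_SECONDS = 60

# Constructed sample listing, in the form produced by
#   find /home/webuser/domains/example.com/public_html -type f -printf '%u %T@ %p\n'
# (owner, mtime as epoch seconds, path). Paths are illustrative only.
SAMPLE_LISTING = """\
webuser 1158840001 /home/webuser/domains/example.com/public_html/index.html
webuser 1158926400 /home/webuser/domains/example.com/public_html/.bank/login.php
apache 1158926460 /home/webuser/domains/example.com/public_html/tmp/sess_x
"""

# Constructed sample xferlog (wu-ftpd/proftpd format). Only index.html was
# ever uploaded over FTP; the phishing kit has no transfer record.
SAMPLE_XFERLOG = """\
Thu Sep 21 12:00:01 2006 1 10.0.0.5 1234 /home/webuser/domains/example.com/public_html/index.html b _ i r webuser ftp 0 * c
"""


def parse_xferlog(text):
    """Return inbound FTP uploads as {path: [(epoch_seconds, username), ...]}."""
    uploads = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 14:
            continue  # malformed or truncated line; skip rather than guess
        # Fields 0-4 are the timestamp. xferlog writes local time; it is
        # treated as UTC here for simplicity (assumption).
        when = calendar.timegm(
            time.strptime(" ".join(fields[:5]), "%a %b %d %H:%M:%S %Y"))
        path, direction, user = fields[8], fields[11], fields[13]
        if direction == "i":  # 'i' = incoming (upload), 'o' = outgoing (download)
            uploads.setdefault(path, []).append((when, user))
    return uploads


def classify_files(listing_text, xferlog_text, expected_owner=EXPECTED_OWNER):
    """Return [(path, verdict)] saying which identity plausibly wrote each file."""
    uploads = parse_xferlog(xferlog_text)
    results = []
    for line in listing_text.splitlines():
        owner, mtime_str, path = line.split(" ", 2)
        mtime = int(float(mtime_str))  # %T@ may carry a fractional part
        if owner in WEB_SERVER_USERS:
            verdict = "web-server process"
        elif owner != expected_owner:
            verdict = "unexpected owner %s" % owner
        elif any(abs(mtime - when) <= MTIME_TOLERANCE_SECONDS
                 for when, _ in uploads.get(path, [])):
            verdict = "ftp upload"
        else:
            verdict = "written as %s with no FTP record" % expected_owner
        results.append((path, verdict))
    return results


if __name__ == "__main__":
    for path, verdict in classify_files(SAMPLE_LISTING, SAMPLE_XFERLOG):
        print("%-70s %s" % (path, verdict))
```

On a real box, feed it the output of the `find` command shown in the comment and the server's actual xferlog; a file owned by the account but with no matching upload is the one to pull timestamps, shell history and cron entries around, because something other than the customer's FTP client wrote it as that user.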
