Published December 11th, 2003 by Jim O'Halloran

Spammers Compromise Machines via PHP

Security Focus has a detailed analysis of a web server compromised by spammers.

One day I noticed that one of my remote servers was sending a continuous 11Kbytes stream 24 hours a day, using 100% of the upload bandwidth (128Kbits). This specific server is running Apache and it also acts as a mail server, but no other network application that could send so much traffic during the entire day was installed. So I immediately logged into my remote machine to find out what was happening, thinking that my remote box was participating in a DDoS attack, but I was totally wrong. A process list (ps -ef) would open my eyes:

It seems that the machine was compromised via a poorly written piece of PHP code (GeekLog), then used to send spam. Evil, evil stuff.

