After we upgraded to 5.62 (the latest, latest version of it), on December 26th, somebody somehow uploaded files through PhotoPost that created an IRC channel program on our server (and ran it).
It was in this folder:
htdocs/photo/uploads/398515/
There were files like mybot.jpg, mybot.jpg~, iroffer.zip, xh, hira.txt, and more. I can't attach them here because they are too big. I can e-mail them to you though. Tell me where to e-mail them.
Appears to be this program:
http://iroffer.org/
Also, the mybot.jpg file was a 4kb file that did not work when I tried to "view" it, and it contains this in it:
strings mybot.jpg
IRFR
@iroffer v1.4.b01 [20040901211948], Linux 2.6.9-22.ELsmp
Obviously, I am very concerned about this situation and we need to know how to fix it quick!
FYI, we do not allow zip uploads.
The user that uploaded it (or at least the userid of the uploads directory where the files were) appears to be a good user that started their account in October and uploaded legitimate files at first. So maybe their account was hacked first, or the hacker somehow uploaded to their directory.
More info, in case you are wondering:
Server version: Apache/2.0.52
Red Hat Enterprise Linux ES release 4 (Nahant Update 4)
We are on the latest updates of the OS.
http://forum.bodybuilding.com/photo
Please help! I don't want to wait until it happens again. We removed the program and it doesn't appear it did anything negative except act as a relayer or something for an IRC chat channel.
Ryan
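An added example, not part of the original post and not PhotoPost code: one way an administrator could sweep an uploads tree like the one described for files that are not plain images, such as a `.jpg` whose leading bytes are not a JPEG header or an archive in a directory that should only hold photos. The function names and the sample file contents are constructed for illustration; only the file names come from the post.

```python
import os
import tempfile

# Allowed upload extensions and the leading bytes a real file of that type has.
SIGNATURES = {
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".gif": (b"GIF87a", b"GIF89a"),
}

def check_file(path):
    """Return a reason string if the file is not a plain image, else None."""
    ext = os.path.splitext(path)[1].lower()
    sigs = SIGNATURES.get(ext)
    if sigs is None:
        return "extension not on image allow-list"
    with open(path, "rb") as fh:
        head = fh.read(16)
    return None if head.startswith(sigs) else "content does not match extension"

def audit_uploads(root):
    """Walk root; return sorted (relative path, reason) for each flagged file."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            reason = check_file(full)
            if reason:
                findings.append((os.path.relpath(full, root), reason))
    return sorted(findings)

def build_sample_tree(root):
    """Constructed sample data: names from the post, contents made up here."""
    samples = {
        "photo1.jpg": b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 32,
        "mybot.jpg": b"IRFR\x00constructed state data\n",
        "mybot.jpg~": b"IRFR\x00constructed backup copy\n",
        "iroffer.zip": b"PK\x03\x04" + b"\x00" * 26,
    }
    for name, data in samples.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(data)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        print(audit_uploads(tmp))
```

A file that passes can still carry data appended after a valid header, so this is triage for an uploads directory, not proof that a file is harmless.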