"sh -i" My server was hacked. How can I find the hole on my server?

Oliver Fromme olli at lurza.secnetix.de
Tue Jun 28 12:37:45 GMT 2005


Oleg Rusanov <freebsd-amd64 at molecon.ru> wrote:
 > My server was hacked. The CPU has been loaded to 99 % by an "sh -i" process.
 > I found out that someone has started phpshell through a hole in one of the phpbb forums.
 > They also put scripts for flood and spam and a "vadim script" in "/tmp".
 > I have made it noexec. Recently I found the same process again.
 > Maybe I have left /tmp open again, or there may be another hole.
 > What is better to do to clean my system?

If a machine has been hacked, the _only_ way to make sure
that all holes and backdoors are gone is to newfs and
reinstall from CD-ROM or other known-to-be-clean media.
Better yet, remove the harddisk and keep it for further
forensic examinations.  Install a new harddisk.

After that, be sure to install the latest version of phpbb,
which has the problem fixed.  Run it inside a jail only.
When restoring your backup, only restore user data, no
executables.  Keep your base system and ports up-to-date.
Install portaudit.  Subscribe to security mailing lists.  

There's much more to say, but the above is probably the
most important.

Best regards
   Oliver

PS: When replying, please do so privately.  This issue is
not on-topic on the freebsd-amd64 list.

-- 
Oliver Fromme, secnetix GmbH & Co KG, Oettingenstr. 2, 80538 München
Any opinions expressed in this message may be personal to the author
and may not necessarily reflect the opinions of secnetix in any way.

"With sufficient thrust, pigs fly just fine.  However, this
is not necessarily a good idea.  It is hard to be sure where
they are going to land, and it could be dangerous sitting
under them as they fly overhead." -- RFC 1925
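
An added triage helper, not part of the thread above, that checks the two things Oleg describes: whether /tmp is actually mounted noexec, and which processes are the "sh -i" shell or run something out of /tmp. It assumes POSIX sh with awk, output in the shape of FreeBSD's `mount` and `ps -axo pid,user,%cpu,command`, and the sample lines embedded below are constructed for the example.

```shell
#!/bin/sh
# Triage helper (added example, not from the original mail thread).
# Assumes POSIX sh + awk. Sample input below is constructed.

# Constructed sample of `mount` output on a FreeBSD host.
MOUNT_SAMPLE='/dev/ad0s1a on / (ufs, local)
/dev/ad0s1e on /tmp (ufs, local, noexec, nosuid, soft-updates)
/dev/ad0s1f on /usr (ufs, local, soft-updates)'

# Constructed sample of `ps -axo pid,user,%cpu,command` output.
PS_SAMPLE='  PID USER  %CPU COMMAND
  512 root   0.0 /usr/sbin/sshd
 2233 www   99.1 sh -i
 2240 www    3.2 perl /tmp/.x/flood.pl 10.0.0.1
 2250 www    0.0 /usr/local/bin/php /usr/local/www/forum/index.php'

# tmp_is_noexec MOUNT_OUTPUT: succeeds only if the /tmp line carries noexec.
tmp_is_noexec() {
    printf '%s\n' "$1" |
        awk '$3 == "/tmp" && /noexec/ { found = 1 } END { exit !found }'
}

# suspicious_procs PS_OUTPUT: print the PID of every process that is an
# interactive "sh -i" or references a path under /tmp on its command line.
# Note: noexec on /tmp does not stop `perl /tmp/x.pl` or `sh /tmp/x.sh`;
# the interpreter lives outside /tmp and merely reads the script, which is
# why the process can come back even with /tmp mounted noexec.
suspicious_procs() {
    printf '%s\n' "$1" | awk 'NR > 1 {
        cmd = ""
        for (i = 4; i <= NF; i++) cmd = cmd (i > 4 ? " " : "") $i
        if (cmd == "sh -i" || cmd ~ /(^|[ =])\/tmp\//) print $1
    }'
}

# suspicious_count PS_OUTPUT: number of PIDs flagged by suspicious_procs.
suspicious_count() {
    suspicious_procs "$1" | wc -l | tr -d ' '
}

# Report on the constructed samples; on a real host feed in `mount` and
# `ps -axo pid,user,%cpu,command` output instead.
if tmp_is_noexec "$MOUNT_SAMPLE"; then echo "/tmp: noexec"; else echo "/tmp: NOT noexec"; fi
echo "suspicious PIDs: $(suspicious_procs "$PS_SAMPLE" | tr '\n' ' ')"
```

Flagged PIDs are a starting point for the forensic copy Oliver recommends, not a cleanup list: on a compromised host the kernel and `ps` themselves may lie.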

