Today I noticed an unusually high request rate on the Apache web server and also quite high incoming network traffic. Upon checking Apache's mod_status page, I found the offending URLs to be from the path www.server.com/www/wp-includes/js/tinymce/plugins/wpautoresize/. And indeed I have found several hacked (obfuscated) PHP scripts there.
I also noticed a weird process executed by the www-data user:
www-data 7300 10.8 0.1 2122900 18768 ? Ssl Jul11 121:47 /usr/bin/host
Checking /proc/7300/cmdline revealed that this is indeed the original /usr/bin/host binary. netstat -anp showed it had many HTTP connections open, so somehow that binary is being abused. debsums confirmed the binary checksum to be OK. As the process was run under the www-data user, I had no reason to believe the server itself was compromised.
How is that binary abused?
EDIT: This is not a broad "how to deal with a compromised server" question. Rather, it is a question (and already an answer) about one specific type of abuse: how it is technically done, as this particular case is quite creative in how it works. It seems this has been in the wild for several years now (old threads & questions from 2012) and I encountered it this week.
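The manual triage steps in the question (cmdline, netstat, debsums) gathered into one script, as an added example that is not part of the original post; it assumes a Linux procfs and, for the socket listing, the `ss` tool, and it extends the steps with the mapped-files and environment views /proc offers so that a packaged binary running with foreign libraries or an odd environment stands out.

```shell
#!/bin/sh
# Added example, not from the original post. Triage of one suspicious PID:
# the same checks the question did by hand, plus /proc/PID/maps and environ.
# Assumes Linux procfs; `ss` (the modern netstat -anp) and dpkg are optional.

proc_exe() {
    # Real binary on disk, even if the process was started via a symlink.
    readlink "/proc/$1/exe"
}

triage_pid() {
    pid="$1"
    [ -d "/proc/$pid" ] || { echo "no such pid: $pid" >&2; return 1; }
    exe=$(proc_exe "$pid")
    echo "exe:     $exe"
    echo "cwd:     $(readlink "/proc/$pid/cwd")"      # a web root here is a red flag
    printf 'cmdline: '; tr '\0' ' ' < "/proc/$pid/cmdline"; echo
    # Environment the process was started with; compare with a normally
    # started copy of the same program on the same host.
    echo "environ:"; tr '\0' '\n' < "/proc/$pid/environ" | sed 's/^/  /'
    # Files mapped into the process outside the usual library directories.
    # A packaged binary normally maps only itself and /lib, /usr/lib entries;
    # anything from /tmp, /var/www or a home directory deserves a look.
    echo "unusual mapped files:"
    awk '$6 ~ /^\// { print $6 }' "/proc/$pid/maps" | sort -u \
        | grep -v -E '^/(usr/)?lib(32|64)?/' | grep -v -x "$exe" \
        | sed 's/^/  /'
    # TCP sockets owned by this PID (equivalent of the post's netstat -anp).
    echo "sockets:"; ss -tnp 2>/dev/null | grep "pid=$pid," | sed 's/^/  /'
    # Which package owns the binary, so its checksum can be verified
    # afterwards with: debsums -s <package>
    if command -v dpkg >/dev/null 2>&1; then
        echo "package: $(dpkg -S "$exe" 2>/dev/null | cut -d: -f1)"
    fi
}
```

Run it as `triage_pid 7300` (the PID from the question's ps output) under the same user as the process, or as root, so /proc/PID/environ and /proc/PID/exe are readable.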