Hacked server with IPmech installed in /var/tmp/.aw running cronjob every minute, how do I determine how I was hacked

http://serverfault.com – One of my user accounts on an Ubuntu 10.04.3 server was hacked, and I'm not sure how. The password was strong. A cronjob was installed in my user's crontab running an executable in /var/tmp/.aw. The /var/tmp/.aw directory contained a collection of executables, including one called bash. I've examined my ~/.bash_history and found some very suspicious stuff. I provide the relevant snippets below.

    w
    ls
    passwd
    cd /var/tmp
    w
    ls
    wget http://download.microsoft.com/download/win2000platform/SP/SP3/NT5/EN-US/...
    w
    wget http://download.microsoft.com/download/w