Is my site getting hacked?

I tried to ssh into a site that I have and was greeted with an error message:

-bash: fork: Resource temporarily unavailable -bash-2.05b$

After sending a ticket to my host, I get a response saying the following:

    Someone is exploiting the code on yoru site to run local things in /tmp, not     sure how they're exploiting it, but they sit in the background, and thus you     get the fork warning.

Being fairly new to RoR, I went through everything I could think of... checking to make sure permissions are correct, looking through log files, etc, and came up with nothing. I tried getting more info from the host, to find out what was running and if there was any more information I could get to try and stop it and this is what he says back:

    Not sure what they're running, whatever it is deletes the source after it's     started. It hides itself as exim queue runners.

Has anyone had problems like this? I have no idea what I can do to track this down or if it's something even caused by my rails site in the first place. It's running v1.1.6 on CentOS 3.8 if any of that helps. Through my searching I found this article:

but have no idea if that even has anything to do with the problems that I am having now.

The immediate question is probably: how did they get in? If you
have a virtual host you haven't locked down then there are a huge
number of vectors for getting access.

-faisal

Also, if at all possible you want to take the site offline to do
forensics, and possibly do a clean reinstall.

-faisal

Josh-

  You absolutely can't trust anything on that server anymore. You shoudl make a backup of your data and stuff you need and then wipe the server and reinstall. Once you are compromised you cannot trust the system any more period. The only safe thing to do is wipe clean and reinstall.

Cheers-

-- Ezra Zygmuntowicz-- Lead Rails Evangelist -- ez@engineyard.com -- Engine Yard, Serious Rails Hosting -- (866) 518-YARD (9273)

Any ideas how it happened in the first place? I'm fine with wiping it clean, but I want to make sure that if it was something that I did, I won't do it again. Or at least know what things to watch for.

Thanks for the reply

Josh

Always worthwhile setting up Samhain (http://www.la-samhna.de/ samhain/) on a new box :slight_smile:

Need more information. RoR itself is pretty secure if you haven't inadvertently coded in any code/sql injection or XSS holes. Are you treating user-provided input as SQL or ruby/system calls without escaping it?

Maybe they got in another way? Are you passwords secure? If you have sshd listening to port 22 and have very simple usernames and passwords, you're liable to get hacked.