Is my site getting hacked?

I tried to ssh into a site that I have and was greeted with an error
message:

-bash: fork: Resource temporarily unavailable
-bash-2.05b$

After sending a ticket to my host, I get a response saying the
following:

    Someone is exploiting the code on yoru site to run local things
in /tmp, not
    sure how they're exploiting it, but they sit in the background,
and thus you
    get the fork warning.

Being fairly new to RoR, I went through everything I could think of...
checking to make sure permissions are correct, looking through log
files, etc, and came up with nothing. I tried getting more info from
the host, to find out what was running and if there was any more
information I could get to try and stop it and this is what he says
back:

    Not sure what they're running, whatever it is deletes the source
after it's
    started. It hides itself as exim queue runners.

Has anyone had problems like this? I have no idea what I can do to
track this down or if it's something even caused by my rails site in
the first place. It's running v1.1.6 on CentOS 3.8 if any of that
helps. Through my searching I found this article:
http://weblog.rubyonrails.org/2006/8/10/rails-1-1-6-backports-and-full-disclosure/
but have no idea if that even has anything to do with the problems
that I am having now.

The immediate question is probably: how did they get in? If you
have a virtual host you haven't locked down then there are a huge
number of vectors for getting access.

-faisal

Also, if at all possible you want to take the site offline to do
forensics, and possibly do a clean reinstall.

-faisal

Josh-

  You absolutely can't trust anything on that server anymore. You shoudl make a backup of your data and stuff you need and then wipe the server and reinstall. Once you are compromised you cannot trust the system any more period. The only safe thing to do is wipe clean and reinstall.

Cheers-

-- Ezra Zygmuntowicz-- Lead Rails Evangelist
-- ez@engineyard.com
-- Engine Yard, Serious Rails Hosting
-- (866) 518-YARD (9273)

Any ideas how it happened in the first place? I'm fine with wiping it
clean, but I want to make sure that if it was something that I did, I
won't do it again. Or at least know what things to watch for.

Thanks for the reply

Josh

Always worthwhile setting up Samhain (http://www.la-samhna.de/
samhain/) on a new box :slight_smile:

Need more information. RoR itself is pretty secure if you haven't
inadvertently coded in any code/sql injection or XSS holes. Are you
treating user-provided input as SQL or ruby/system calls without
escaping it?

Maybe they got in another way? Are you passwords secure? If you have
sshd listening to port 22 and have very simple usernames and
passwords, you're liable to get hacked.