
Alarm Level Changes


K.Kode
28-01-2012, 00:13
The exploit was in a WP module which you can install fresh from the dev site.
Unless you can be 100% certain of the initial attack time and have hard backups from before that date, I'm afraid your backups' trustworthiness is tainted. It only takes a simple passthru, call, system (etc.) function placed anywhere in one of your existing static files and you're going to be going round in circles.
If you have database backups you'd be better off installing a fresh, up-to-date copy of WordPress and your extra libraries from the developers' website(s) and restoring your DB.

Gary Spires
27-01-2012, 16:54
Quote Originally Posted by K.Kode
If you have backups now is the time to restore from them.
Once the attacker can write to your web root introducing further backdoors and webshells is a trivial matter and common practice.

Surely the backups will have the corruption. The attack has come from a PHP file in WordPress.

Gary Spires
27-01-2012, 14:09
OK thanks for all your advice.

marks
25-01-2012, 12:02
Quote Originally Posted by K.Kode
If you have backups now is the time to restore from them.
Once the attacker can write to your web root introducing further backdoors and webshells is a trivial matter and common practice.
This is highly recommended. It's the only way you can be 100% sure that there is no security hole on your server.

K.Kode
24-01-2012, 20:23
If you have backups now is the time to restore from them.
Once the attacker can write to your web root introducing further backdoors and webshells is a trivial matter and common practice.

unclebob
24-01-2012, 15:36
There was a privilege escalation bug introduced in 2.6.39 (see CVE-2012-0056).

yonatan
24-01-2012, 13:49
If you have found the bad script and patched it, you should be secure.
I find it hard to believe they were able to escalate to root privileges if you are running the *current* OVH kernel.

Gary Spires
24-01-2012, 11:15
It seems I have been attacked via the timthumb.php vulnerability. Things have settled down and I have updated the offending file.

Does anyone know what may have happened during this hack. Will I need to completely reinstall my server? Is there a way to check or get rid of any harm?

Apart from the bandwidth and cpu nothing else seems to be happening.

K.Kode
23-01-2012, 13:09
Still wouldn't explain why it's running as apache.
As yonatan said, the box was probably compromised through a web app and a perl bot (DoS or automated scanning) was introduced. That would account for the CPU and b/w usage.

cartwright118
23-01-2012, 09:01
Doesn't the OVH monitoring tool use Perl? (On Windows it does, unsure about the Linux version.) That's assuming you have OVH monitoring active in your manager.

In which case it's possible every time a connection is made to monitor it might be creating a new instance?

Regards
Christian

yonatan
21-01-2012, 20:34
Unless you are running a perl-based application from apache, it would seem that your web server is compromised and used by a "perl bot".

You might want to strace the PID of perl in order to get more details about what exactly is going on.
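Before attaching strace as yonatan suggests, it is worth seeing what a given perl PID actually is. As an added example (not from the thread), the script below lists perl processes owned by a given user and dumps, from /proc, the binary, parent, working directory, argv and open descriptors of one PID; the strace invocation is left as a commented command because it needs a live target. It assumes a Linux host with /proc mounted and procps-style `ps`.

```shell
#!/bin/sh
# Added example (not from the thread): first look at a suspicious PID via
# /proc before attaching strace. Assumes Linux with /proc mounted.

# perl_pids_for USER: PIDs of processes whose command name is "perl" and
# whose owner is USER (here that would be apache).
perl_pids_for() {
    ps -eo pid=,user=,comm= | awk -v u="$1" '$2 == u && $3 == "perl" { print $1 }'
}

# inspect_pid PID: binary path, parent, start directory, argv and open
# descriptors. Things to look for: exe or cwd under /tmp, /var/tmp or the
# web root; "(deleted)" after the exe or script path; sockets among the fds.
inspect_pid() {
    pid=$1
    [ -d "/proc/$pid" ] || { echo "no such pid: $pid" >&2; return 1; }
    printf 'exe: %s\n' "$(readlink "/proc/$pid/exe" 2>/dev/null)"
    printf 'ppid: %s\n' "$(awk '/^PPid:/ { print $2 }' "/proc/$pid/status")"
    printf 'cwd: %s\n' "$(readlink "/proc/$pid/cwd" 2>/dev/null)"
    # argv is NUL-separated; a bot read from stdin or run from a deleted
    # script often shows up as just "perl" here.
    printf 'cmdline: %s\n' "$(tr '\0' ' ' < "/proc/$pid/cmdline" 2>/dev/null)"
    echo 'open fds:'
    for fd in "/proc/$pid/fd"/*; do
        [ -L "$fd" ] || continue
        printf '  %s -> %s\n' "${fd##*/}" "$(readlink "$fd" 2>/dev/null)"
    done
}

# Once you know what you are looking at, record what it does. strace
# follows children (-f), keeps only network and process calls, and writes to
# a file so the capture survives the terminal:
#   strace -f -p "$pid" -e trace=network,process -s 256 -o "/root/perl-$pid.trace"
# Killing the process is not a fix on its own: whatever web hole dropped
# it is still there and the next scan will put it back.

if [ "${1:-}" = "--demo" ]; then
    for pid in $(perl_pids_for apache); do
        echo "== $pid"
        inspect_pid "$pid"
    done
fi
```

Run as root (`sh inspect.sh --demo`), since /proc entries of another user's processes are only readable to root. The ppid is the quick tell for the scenario in this thread: a perl process whose parent is an apache worker, or whose parent is 1 because the worker that spawned it has already been recycled, came from the web server, not from cron or an admin shell.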

Gary Spires
19-01-2012, 15:02
Thanks Mark for your reply; it seems there are about 8 separate causes. I was hoping someone might guide me in the right direction.

PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND
3166 apache 20 0 33624 1620 916 R 100.0 0.0 7576:53 perl
32419 apache 20 0 37928 3220 916 R 100.0 0.0 730:59.07 perl
31020 apache 20 0 33624 1024 396 R 98.0 0.0 251:43.72 perl
31019 apache 20 0 33624 1028 396 R 94.1 0.0 252:12.88 perl
3360 apache 20 0 33624 1612 916 R 90.2 0.0 7574:20 perl
29033 apache 20 0 33624 1692 952 R 90.2 0.0 3373:57 perl
30020 apache 20 0 33752 1344 940 R 84.3 0.0 5874:51 perl
31022 apache 20 0 33624 1068 388 R 84.3 0.0 250:43.99 perl

marks
19-01-2012, 12:31
From OVH, I must say that we cannot help you much. Being a dedicated server, we cannot see what's happening in it.
If a single process is getting 100% CPU, I suggest you check the script for loops, or for bugs in the code.
Maybe someone else in the forum can give you more help. Sorry about it

Gary Spires
19-01-2012, 12:25
OK, it seems each time it's the command perl that's causing the CPU to hit 100%, is this right? Can I stop it?

Gary Spires
19-01-2012, 12:23
I keep getting lots of emails regarding alarm levels changed. Please can somebody help with what's causing these. Lately I have also seen a massive increase in outgoing bandwidth, sometimes up to 800/900 Mb/s, from a usual speed of around 10 Mb/s or less. Could these be the same thing?

Regards

Gary