We've Been Hacked... or Have We?

hidden_fire asks: "I recently got a job as a Web Programmer at a web company that hosts many sites. The company had many badly firewalled Windows and Linux servers without any security patches, and a shared administrator password. I warned them that they needed to improve their security, but was ignored until a hacker kindly emailed them proof that their credit-card server was compromised, and the Sasser Worm took us offline. Now, I've been allowed to rebuild the compromised box and tighten our firewalling, but our other servers show many signs of possibly being compromised including unexplained outgoing traffic, a Linux kernel lockup, strange ports being open, and performance issues. I think we are possibly providing hosting for undetectable spammers but the boss thinks I'm paranoid, and says that I need to be working on paying work, not security. Has anybody else been in this situation? How can I detect these guys if their tools don't show in virus scans?"

Re:Sounds like

[PD]

Those were the days. Adminstrator discovers *one* hacker, catches him, then has enough time to write a book about it before worrying about the next one.

Tell ya what...

[FFFish]

...post the IP address here, and I'm quite certain your worst fears will be so perfectly confirmed that your boss will have no choice but to admit you were right!

Re:Sounds like

[MarkGriz]

No kidding. Try catching 'em with a teletype on a 9600 baud connection now.

Re:Tell ya what...

[Anonymous Coward]

66.35.250.150