I've reviewed some threads here, but don't quite understand everything. One of the reasons I was brought to this forum, was I was checking out an IP on a suspicious process and it brought me to this thread located here, which the member mentions this IP and even the port in their post when they asked for help:
I have CFS running and it sends me emails. I don't know how hackers can change the password of a root, but that is what they did. The host suggested I go back 3 days, no good, still the hackers were running scripts to not only bring down my site, but also other websites which I don't know.
The suspicious process running is this ..
Time: Wed Apr 4 14:40:25 2012 -0500
Uptime: 27391 seconds
Command Line (often faked in exploits):
Network connections by the process (if any):
tcp: 127.0.0.1:783 -> 0.0.0.0:0
tcp: 127.0.0.1:783 -> 127.0.0.1:42701
udp: **my IP** -> **my IP**
(**did not put my actual server IP above)
Then it lists a lot of processes I am unfamiliar with. I have no idea what this means. But after using a backup and restoring to a month earlier, I fear the culprits still have stuff going on on my server.
Where do I find a legitimate service to help clean up my server? My server will delete and rebuilt my server wiping out the websites I have had for years, along with my members, which will destroy me financially and all I've built.
Why is someone elses IP on in a script on the server? What is tcp?
Any advice is greatly appreciated!