Incoming from Ross Tsolakidis: > > One of our webservers seems to get compromised on a daily basis. > When I do a ps ax I see these processes all the time. > > 18687 ? S 0:00 shell > 18701 ? Z 0:00 [sh <defunct>] > 18704 ? T 0:00 ./3 200.177.162.185 1524
I vaguely remember that "3" in /tmp is slapper. Wipe, install, set up chkrootkit and run it often. How does phpnuke compromise apache if apache is set up correctly? -- Any technology distinguishable from magic is insufficiently advanced. (*) http://www.spots.ab.ca/~keeling - -
