Re: deleted perl hacks in /tmp

Have you tried mounting /tmp with the noexec flag? 

On Thu, 2010-04-15 at 17:36 -0400, Chris wrote:
> I have some web servers which occasionally have hacks that are uploaded that
> change their name to look like apache and somehow get apache to send requests
> to them.  The result is that people somewhat randomly get pages advertising
> self enhancing drugs etc.  The hacks are perl scripts, but they are run from
> /tmp and then deleted.  Trying to get anything out of /proc/pid/fd/whatever
> just yields an empty file.  Anyone have any ideas on how to recover the
> original script?  Right now I just have a process checking for them and
> whacking them when I see them, but I'd like to know more about them to actually
> prevent them from happening.
> 
> Any thoughts would be appreciated!
> 
> Chris
> --
> To unsubscribe from this list: send the line "unsubscribe linux-admin" in
> the body of a message to majordomo@xxxxxxxxxxxxxxx
> More majordomo info at  http://vger.kernel.org/majordomo-info.html
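
A triage sketch for the situation described in this thread, added here as an example and not part of either message: it compares each process's self-reported name with the kernel's `/proc/<pid>/exe` link and lists deleted `/tmp` files that are still referenced. The function names, the `proc_root` argument and the sample tree are assumptions of this example.

```sh
# Added example, not from the thread. Reports processes that call themselves
# httpd/apache while /proc/<pid>/exe is another binary, and processes holding
# a deleted /tmp file as cwd or open fd. The proc_root argument is an
# assumption of this example (lets the scan run on a test tree); use as root.
scan_proc() {
    root=${1:-/proc}
    for dir in "$root"/[0-9]*; do
        [ -d "$dir" ] || continue
        pid=${dir##*/}
        # exe is kernel-maintained; unreadable for kernel threads or without root
        exe=$(readlink "$dir/exe" 2>/dev/null) || continue
        exe=${exe%" (deleted)"}
        argv0=
        if [ -r "$dir/cmdline" ]; then
            # argv is NUL-separated and writable by the process itself
            argv0=$(tr '\000' '\n' < "$dir/cmdline" | head -n 1)
            argv0=${argv0%% *}
        fi
        case "${argv0##*/}" in
            httpd*|apache*)
                case "${exe##*/}" in
                    httpd*|apache*) ;;
                    *) echo "MASQUERADE pid=$pid argv0=$argv0 exe=$exe" ;;
                esac ;;
        esac
        for link in "$dir/cwd" "$dir"/fd/*; do
            target=$(readlink "$link" 2>/dev/null) || continue
            case "$target" in
                /tmp/*" (deleted)") echo "DELETED pid=$pid $link -> $target" ;;
            esac
        done
    done
    return 0
}

# Constructed sample tree standing in for /proc (pids and paths are invented).
make_sample() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/101/fd" "$d/202/fd"
    ln -s /usr/sbin/httpd "$d/101/exe"
    printf '/usr/sbin/httpd\000-k\000start\000' > "$d/101/cmdline"
    ln -s /var/log/httpd/access_log "$d/101/fd/3"
    ln -s /usr/bin/perl "$d/202/exe"
    printf '/usr/sbin/httpd\000' > "$d/202/cmdline"
    ln -s '/tmp/a.pl (deleted)' "$d/202/fd/3"
    echo "$d"
}

sample=$(make_sample) && scan_proc "$sample" && rm -rf "$sample"
```

On a live host, call `scan_proc` with no argument as root; a MASQUERADE line shows which binary is actually running behind the apache-looking name.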

