On Wed, Aug 09, 2006 at 12:29:14PM -0400, Drew Weaver wrote:
> If they got in via SSH and all they did was deface his website
> they must be stand-up guys, huh? Most likely they just wrote an
> executable to his /tmp directory and then used apache's amazing
> recursion checking to execute it. This is the most common case I've seen
> on the dozens of cPanel 'hacks' I've encountered.

/tmp, /var/tmp and /dev/shm based compromises do seem to account for
70%+ of the hacking on cPanel servers these days. I blame canned
script kiddie tools for that. It is simply the easiest way to go.

Usually you will have a perl script there, so even nodev,noexec
won't stop that.

[]s

--
Rodrigo Barbosa
"Quid quid Latine dictum sit, altum viditur"
"Be excellent to each other ..." - Bill & Ted (Wyld Stallyns)
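
Since the message above notes that nodev,noexec does not stop a perl script dropped in /tmp, /var/tmp or /dev/shm, a content-based sweep of those directories is one way to spot such files. This is an added example, not part of the original post; the function name `scan_tmp_scripts` and the shebang heuristic are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: flag interpreter scripts sitting in world-writable temp dirs.
# noexec blocks execve() on the file itself, but "perl /tmp/x" only needs
# read access, so the check looks at file content instead of the exec bit.
# Assumption: dropped scripts still carry a shebang line (many do, not all).

# scan_tmp_scripts DIR... -> prints "path<TAB>owner<TAB>interpreter" per hit
scan_tmp_scripts() {
    for dir in "$@"; do
        [ -d "$dir" ] || continue
        # -xdev: do not cross into other mounted filesystems
        find "$dir" -xdev -type f 2>/dev/null | while IFS= read -r f; do
            # Look only at the first line of the first 256 bytes, so large
            # binaries are not read in full; NUL bytes are dropped.
            first=$(head -c 256 "$f" 2>/dev/null | tr -d '\000' | head -n 1)
            case "$first" in
                '#!'*perl*|'#!'*python*|'#!'*php*|'#!'*ruby*|'#!'*/sh*|'#!'*bash*)
                    interp=${first#'#!'}
                    owner=$(ls -ld "$f" | awk '{print $3}')
                    printf '%s\t%s\t%s\n' "$f" "$owner" "$interp"
                    ;;
            esac
        done
    done
}

# Typical use on a shared hosting box:
#   scan_tmp_scripts /tmp /var/tmp /dev/shm
```

Hits owned by the web server account deserve the closest look, since that is the user a compromised web application writes as.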