<snip> > The problem is that leaving cacti open was the most stupid thing I've done. > After checking /var/log/httpd/error_log, I saw that someone exploited a > cacti php file and the result was: <snip> > which immediately downloaded ShellBOT to /tmp and executed it. It was a good > thing I caught this as early as I did. So, what's everyone elses solution > these days? Or is it simply a matter of creating a /tmp partition and > mounting it noexec? <snip> Using htaccess in addition to the built-in Cacti auth might be helpful. What version of Cacti were you running? Something like mod_security might be helpful as well. Dave