On Tuesday 12 August 2008 10:16, Rainer Duffner wrote: > Anything in /tmp ? > > Disable register_globals and allow_url_fopen. > Set open_basedir for any virtual hosts to the absolute minimum. allow_url_fopen was enabled on one of many sites. A developer put in an unsafe php include(). This allowed the w0rm to run a remote PHP script which used exec() to fetch and spawn the shellbot. Pretty standard. But it also did a decent job of removing itself from the filesystem. Lucky I noticed the weird process this morning, no harm done it seems. I have mod_security installed now, but I tested a similar attack, and sadly, it still succeeds as long as allow_url_fopen is on. But this is not CentOS related. cheers Sam