Stopping the Hackers

Alright, I've had people hacking into one of my servers for at least half a year. This server has a large number of sites on it and I've patched up most of the software with known exploits, but there's obviously some left. My own judgement tells me it's a vulnerability in Apache, or a Perl or PHP script, that is allowing arbitrary commands to be run on files in the /tmp folder.

I regularly find files in the /tmp folder on this server, from IRC bots to UDP flooders designed for DoS attacks. I've seen perl, wget and sh run by the apache user on files downloaded to /tmp (the only place any of these people have been able to get files onto my server) to execute them.

So, since I've failed to track down all the ways these people are getting the files onto my server, I want to simply stop them from running the programs they manage to download into /tmp.

Is there an easy way to delete everything in /tmp other than the sess_ files and lost+found files that should be there? I can just stick this script, however it'll work, into cron to run every minute, for example.

Sound good? Any help?
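A sweep script of the kind asked for, added here as an example and not taken from the thread; it assumes POSIX sh and a find(1) with -mindepth/-maxdepth, and the allow-listed names (sess_* and lost+found) are the ones named in the post:

```sh
#!/bin/sh
# Added example, not code from the original thread. Sweeps a tmp directory,
# keeping only allow-listed names; meant to run from cron every minute, e.g.
# (install path is an example):
#   * * * * * root sh -c '. /usr/local/sbin/sweep_tmp.sh; sweep_tmp /tmp /var/log/tmp-sweep.log'
# Assumes POSIX sh and a find(1) that supports -mindepth/-maxdepth (GNU, BSD).

# Globs to keep: sess_* are PHP session files, lost+found belongs to the
# filesystem. Add anything else your services legitimately put in /tmp
# (for example a database socket) before deploying this.
KEEP_GLOBS="sess_* lost+found"

# sweep_tmp DIR LOGFILE: remove every top-level entry of DIR not matching
# KEEP_GLOBS, append each removed path to LOGFILE, print the count removed.
sweep_tmp() {
    dir="$1"
    log="$2"
    # Turn KEEP_GLOBS into "! -name GLOB" clauses. set -f stops the shell
    # from expanding the globs against the current directory meanwhile.
    set -f
    set --
    for g in $KEEP_GLOBS; do
        set -- "$@" ! -name "$g"
    done
    set +f
    # Top-level entries only (-maxdepth 1); a dropped directory is removed
    # whole. -print records the path, -exec rm -rf removes it. -name also
    # matches dotfiles, so hidden drops are caught as well.
    find "$dir" -mindepth 1 -maxdepth 1 "$@" -print \
        -exec rm -rf -- {} + | tee -a "$log" | wc -l | tr -d ' '
}
```

The log gives a per-minute record of what the apache user is dropping, which is useful evidence when hunting the vulnerable script itself; note that mounting /tmp noexec would not stop `perl file.pl` or `sh file.sh`, since the interpreter, not the file, is what executes.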
