Posted by: Anonymous Coward
on March 31, 2005 12:43 AM
To prevent any defacements, make sure the user for httpd can't write to the web directories unless it is absolutely necessary.
When one of my servers was compromised, I could not find where the rootkit and IRC bot were running from. If you look at the PID of any strange processes, /proc/$PID/cwd is a symlink to the working directory of the process.
A few more hints
Good luck!
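The /proc/$PID/cwd lookup from the comment above, applied to every process at once, as an added example that is not part of the original post. The list of directories treated as suspicious and the flag names are assumptions for illustration, and the check for a " (deleted)" suffix on /proc/$PID/exe goes beyond what the post describes.

```shell
#!/bin/sh
# Added example: report the working directory and binary of every process
# by reading the /proc/$PID/cwd and /proc/$PID/exe symlinks.
# The directory list and flag names below are assumptions for illustration.

# proc_cwd_report [PROC_ROOT]
# Prints one tab-separated line per process: PID, cwd, exe, flag.
# PROC_ROOT defaults to /proc; it is a parameter so the function can be
# run against a constructed directory tree as well as a live system.
proc_cwd_report() {
    root=${1:-/proc}
    for dir in "$root"/[0-9]*; do
        [ -d "$dir" ] || continue
        pid=${dir##*/}
        # readlink fails for processes we may not inspect or that just exited.
        cwd=$(readlink "$dir/cwd" 2>/dev/null) || cwd='?'
        exe=$(readlink "$dir/exe" 2>/dev/null) || exe='?'
        flag=-
        # Working directory inside a world-writable location.
        case $cwd in
            /tmp|/tmp/*|/var/tmp|/var/tmp/*|/dev/shm|/dev/shm/*) flag=WRITABLE_CWD ;;
        esac
        # The kernel appends " (deleted)" when the binary was unlinked after start.
        case $exe in
            *' (deleted)') flag=DELETED_EXE ;;
        esac
        printf '%s\t%s\t%s\t%s\n' "$pid" "$cwd" "$exe" "$flag"
    done
}

# proc_cwd_flagged [PROC_ROOT]: only the lines that carry a flag.
proc_cwd_flagged() {
    proc_cwd_report "$@" | awk -F '\t' '$4 != "-"'
}
```

Run `proc_cwd_flagged` as root on the affected host so the symlinks of other users' processes are readable; unreadable entries show up as `?`.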