Hi,
I noticed this morning that my server was performing sluggishly, and upon viewing top, could see a high load caused by perl and high softIRQ levels. My server was also dumping 35 Mbps of traffic at various IP addresses, obviously part of a DoS attack.
I tracked the offending script down, called "apache.pl", which was located in /tmp.
Viewing the script, it was clearly a DoS one, as it had [victim] etc. in the code.
I deleted the file and killed all the processes, ending the attack.
I've scanned with CHKROOTKIT and RKHUNTER and found nothing, yet I am concerned the box has been compromised. I've gone over messages and user accounts, and can find nothing out of the ordinary.
So I ask, if a hacker got root, would they run the script from /tmp, or is it more a case of there being exploitable scripts on the server which allowed this?
Thanks for your time.
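One quick check that bears on the root-versus-web-script question above: list every running process whose command line points into a world-writable scratch directory (/tmp, /var/tmp, /dev/shm) together with the account it runs as. A script like apache.pl running as the web-server user points at an exploitable web application; the same script running as root points at a root compromise. This is an added example, not code from the poster; the ps output it parses is constructed sample data.

```shell
# Constructed sample of `ps -eo user,pid,ppid,args` output (not from a real box).
SAMPLE_PS='USER       PID  PPID ARGS
root         1     0 /sbin/init
www-data  2231  1100 /usr/sbin/apache2 -k start
www-data  2540  2231 perl /tmp/apache.pl
root      2601     1 perl /root/backup.pl
nobody    2702  2231 /bin/sh -c perl /var/tmp/.x/sync.pl'

# flag_tmp_procs: takes ps output (user pid ppid args) on stdin-style argument,
# skips the header, and prints "user pid args" for each process whose command
# line references /tmp, /var/tmp or /dev/shm. The first column is the part to
# look at: web-server account or root?
flag_tmp_procs() {
    printf '%s\n' "$1" | awk '
        NR > 1 && $0 ~ /(^| |=)\/(tmp|var\/tmp|dev\/shm)\// {
            printf "%s %s", $1, $2
            for (i = 4; i <= NF; i++) printf " %s", $i
            printf "\n"
        }'
}

# On a live system: flag_tmp_procs "$(ps -eo user,pid,ppid,args)"
flag_tmp_procs "$SAMPLE_PS"
```

Pair this with `ls -l /proc/<pid>/cwd` and `/proc/<pid>/exe` for anything it flags, since a deleted script keeps running until its process is killed.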