This is an update to a subject that has been bashed to death; however, it's an important one and should not be ignored.
Recently, we have seen a huge increase in psybnc and other nasties being installed into the /tmp directory on many web servers. After careful analysis and many hours of investigation, it has come to our attention that 90% of these installations have been by way of lwp-download, lwp-rget and a few other binaries that most people don't have secured, not even in mod_security.
I highly recommend that you execute the following on your boxes to limit access to lwp-* binaries.
chmod 750 /usr/bin/lwp-*
In addition, if you are running FreeBSD you should execute the above command on fetch, but this could cause a problem with billing systems that rely on posting back from PayPal, as has been our experience. If you're running a billing system on a particular box, chmod 750 on fetch is not recommended.
You should also have lynx chmod 750. The script kiddies have gotten real smart lately. Wget is rarely used now, and lynx seems to be one of the choices.
chmod 750 /usr/bin/lynx
...and don't forget about the others
chmod 750 /usr/bin/rcp
chmod 750 /usr/bin/wget
chmod 750 /usr/bin/scp
chmod 000 /etc/httpd/proxy/
chmod 000 /var/spool/samba/
chmod 000 /var/mail/vbox/
and last but certainly not least
chmod 000 /usr/local/games/   # seen many exploits placed here
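A read-only check for the permissions listed above, added here as an example and not part of the original post. The function names are hypothetical; the paths are the ones from the post, and anything that does not exist on the box is skipped.

```shell
#!/bin/sh
# Added example: report which of the post's paths still need the chmod.
# Function names are hypothetical; nothing here changes any permissions.

# Binaries the post restricts to 750 (no access for "other").
BINARIES="/usr/bin/lwp-* /usr/bin/lynx /usr/bin/wget /usr/bin/rcp /usr/bin/scp"
# Directories the post sets to 000.
LOCKED_DIRS="/etc/httpd/proxy /var/spool/samba /var/mail/vbox /usr/local/games"

# Print each existing path that still grants any permission bit to "other".
# -H follows a symlink given on the command line, as chmod does.
other_access() {
    for p in "$@"; do
        [ -e "$p" ] || continue    # unmatched glob or absent path
        find -H "$p" -prune \( -perm -001 -o -perm -002 -o -perm -004 \) -print
    done
}

# Print each existing path whose mode is not exactly 000.
not_locked() {
    for p in "$@"; do
        [ -e "$p" ] || continue
        find -H "$p" -prune ! -perm 000 -print
    done
}

audit() {
    # Variables are unquoted on purpose so the lwp-* glob expands.
    other_access $BINARIES | sed 's/^/other-access: /'
    not_locked $LOCKED_DIRS | sed 's/^/not-000: /'
}

audit
```

Package upgrades can reinstall these binaries with their default modes, so rerun the check after updates.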
As always, keep your boxes updated and read your security audit reports.
EOF