We have an intrusion which looks like an automated script which buries itself in a hidden directory in the /tmp directory. This script is basically a combination of 2 files, "awstats.pl" and links.txt. What it does is, it starts sending out an email portraying itself as a BANK to all the addresses in the .txt file.
This was the 4th time it attacked us since April 23. We had no choice other than taking the server off the network. Any ideas or suggestions on how to protect port 80 against these kinds of attacks?
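
A detection sweep for the pattern described in the post (a hidden directory under /tmp holding a Perl script next to a .txt list), added here as an example and not part of the original post. The function name `scan_hidden_dirs` and its output format are hypothetical, and GNU or BSD `find` is assumed.

```shell
#!/bin/sh
# Added example: report hidden directories under a scratch area that contain
# regular files, and mark those that pair a Perl script with a .txt list
# (the awstats.pl + links.txt layout described in the post).
# scan_hidden_dirs and the tab-separated output are hypothetical.

scan_hidden_dirs() {
    root="${1:-/tmp}"
    # -xdev keeps the walk on one filesystem; -name '.*' matches
    # dot-directories at any depth below the root.
    find "$root" -xdev -mindepth 1 -type d -name '.*' 2>/dev/null |
    while IFS= read -r dir; do
        # Socket-only directories such as .X11-unix are normal in /tmp;
        # only directories holding regular files are reported.
        nfiles=$(find "$dir" -maxdepth 1 -type f 2>/dev/null | wc -l)
        [ "$nfiles" -gt 0 ] || continue
        npl=$(find "$dir" -maxdepth 1 -type f -name '*.pl' 2>/dev/null | wc -l)
        ntxt=$(find "$dir" -maxdepth 1 -type f -name '*.txt' 2>/dev/null | wc -l)
        if [ "$npl" -gt 0 ] && [ "$ntxt" -gt 0 ]; then
            tag="SCRIPT+LIST"
        else
            tag="FILES"
        fi
        # The owning account shows which service wrote the files, for
        # example the web server user when the entry point was port 80.
        owner=$(ls -ld "$dir" | awk '{print $3}')
        printf '%s\towner=%s\t%s\n' "$tag" "$owner" "$dir"
    done
}
```

Run as `scan_hidden_dirs /tmp` (and again for /var/tmp and /dev/shm) from cron or after an alert. A `SCRIPT+LIST` line owned by the web server account is the case to investigate first.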