Even though I've mounted /tmp in my fstab file like this:
/tmp /tmp bind nosuid,noexec,bind 0 0
and rebooted my server, I'm still finding that someone is coming in, uploading a VOIP server to my system, and running it from the /tmp folder. I keep on deleting the directory structure that's holding the VOIP hack (called ALOHA?) but almost every morning it's back and it doesn't appear I can do much about it. The /tmp folder looks like this now:
I didn't put the .htaccess file in the /tmp folder so I'm a little suspicious of it. It contains the following:
I'm fairly new to all things CentOS/Linux so I have no idea whether the rest of the stuff in there looks "right" or not. I also have no idea how to find out how these files are being uploaded and by whom or which script on the server is allowing this type of thing to happen.
Any help would be sincerely appreciated. This is a production server with some 30 websites on it that we host for our customers, so I have to be extra cautious with any potential fixes which might stop the sites from working.
Looking forward to any help you might give.