In the past few days, I've monitored my RAQ4 (fully patched, as far as I'm aware) server and discovered that some less scrupulous people have hacked in somehow via http and placed various scripts into the /tmp directory.

Some of those scripts have been bind hacks... (leaving /tmp/p/bind running... ).

Others have been shell scripts that resulted in someone using my server to send a few hundred scam emails about ebay.

Any advice on what I need to doublecheck on http to lock it down so they can't do this?

--Will

who was the owner of those files? apache? nobody?
maybe they got in thru a php script?
try to install mod_security with a decent ruleset

They are owned by http. I installed an Apache patch from www.zeffie.com this AM and am monitoring for additional issues.

I'll look at mod_security as well.

Thanks.