I've noticed a 0-byte file called '.ugothacked' inside /tmp owned by a user (let's call him userx).
It's a 0-byte file, so I wasn't immediately concerned. I simply deleted it, thinking that it may have been just some lame (failed) PHP/CGI hack attempt.
However, the same 0-byte file reappeared a couple more times after I deleted it manually.
I've gone through the HTTP logs for this user and haven't found anything suspicious, although I only skimmed through them.
I grepped through userx's entire homedir searching for the string 'hacked' in all his files and nothing came up...
So I am getting a little tired of playing this cat-and-mouse game with whoever it is, and was wondering if the more experienced folks here would have any tips as to how to trap/catch this guy in the act, i.e. at least find out what sort of process is writing that file and who/where/from where it was started.
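An added example of how a responder would catch the writer with auditd (not code from the thread): a path watch tagged with a key, plus a small awk parser that joins the SYSCALL and CWD records of each tagged event to show the uid, pid, parent, binary and working directory of the process that created the file. It assumes a Linux host with auditd; the audit log lines below are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread: use auditd to catch whatever recreates
# /tmp/.ugothacked. Assumes a Linux host with auditd installed. Run once as root:
#
#   auditctl -w /tmp/.ugothacked -p wa -k ugothacked
#
# When the file reappears, run `ausearch -k ugothacked -i`, or feed the raw
# log through the parser below:  audit_report ugothacked < /var/log/audit/audit.log

# Print "event_id uid pid ppid comm exe cwd" for every SYSCALL record tagged
# with the given key, joined to the CWD record of the same audit event.
audit_report() {
    awk -v key="$1" '
        # event id is the number between ":" and ")" in msg=audit(ts:id)
        function eid(s) { match(s, /:[0-9]+\)/); return substr(s, RSTART + 1, RLENGTH - 2) }
        # value of a " name=value" or " name=\"value\"" field, or "?" if absent
        function field(s, name,   v) {
            if (!match(s, " " name "=\"?[^ \"]*")) return "?"
            v = substr(s, RSTART, RLENGTH); sub(/^ [a-z]+="?/, "", v); return v
        }
        $1 == "type=SYSCALL" && index($0, "key=\"" key "\"") {
            id = eid($0); hit[id] = 1
            info[id] = field($0, "uid") " " field($0, "pid") " " field($0, "ppid")
            info[id] = info[id] " " field($0, "comm") " " field($0, "exe")
        }
        $1 == "type=CWD" { id = eid($0); cwd[id] = field($0, "cwd") }
        END { for (id in hit) { c = (id in cwd) ? cwd[id] : "?"; print id, info[id], c } }
    ' | sort
}

# Constructed sample of raw audit.log lines: one event where php-cgi running as
# uid 1001 creates the file, plus an unrelated event carrying a different key.
sample_log() {
cat <<'EOF'
type=SYSCALL msg=audit(1700000000.123:4567): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=55d1c0 a2=241 a3=1b6 items=2 ppid=2345 pid=2346 auid=4294967295 uid=1001 gid=1001 euid=1001 suid=1001 fsuid=1001 egid=1001 sgid=1001 fsgid=1001 tty=(none) ses=4294967295 comm="php-cgi" exe="/usr/bin/php-cgi" key="ugothacked"
type=CWD msg=audit(1700000000.123:4567): cwd="/home/userx/public_html"
type=PATH msg=audit(1700000000.123:4567): item=1 name="/tmp/.ugothacked" inode=1234 dev=08:01 mode=0100644 ouid=1001 ogid=1001 rdev=00:00 nametype=CREATE
type=SYSCALL msg=audit(1700000000.500:4570): arch=c000003e syscall=2 success=yes exit=4 a0=0 a1=0 a2=0 a3=0 items=1 ppid=1 pid=999 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="vim" exe="/usr/bin/vim" key="other"
EOF
}

# Run the parser over the constructed sample; on a real box pipe audit.log instead.
demo() { sample_log | audit_report ugothacked; }

demo
```

The ppid and cwd columns are what usually identify the entry point (a CGI handler run from a web root, a cron job, or an interactive shell), which narrows the log review to that vector.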