I have found some files in /tmp named like /tmp/dos-xxx.xxx.xxx.xxx, where xxx.xxx.xxx.xxx is an outside IP. These files contain just a number, I think a counted value. I think this is the IP of a victim that has been attacked by our box, but how?
I have suexec & phpsuexec installed, so the owner of all files in /tmp is defined. But how can a script use nobody to execute? I think it is impossible with phpsuexec, except direct code execution through the browser. I wonder how? Maybe a phpBB exploit or so? OK, but how can I prevent this from happening again?
I have not found any log that shows me how these files were created and accessed.
To be fair, I don't know exactly how to use egrep to find a record related to this issue.
Any idea may help me & others find a solution for this issue.
Thanks.







