Since today we have DDOs Attacks from our Server. It starts with a simple wget.pl File in /tmp Dir, then we can see many perl processes and the Attack starts. The wget.pl file is owned by nobody but when i grep in Domlogs for "wget" or "tmp" or what ever i couldnt find anything. During the Attack i run lsof | grep PID and got: Also i have APF installed but it does not block these attacks. So i have no clue how this File goes to the tmp Directory with User nobody but i couldnt find it in the Logs. Cann anyone please help me out ?