So many tutorials cover securing /tmp and making it non-executable, but /var/tmp can be used just as easily by spammers and hackers to run malicious scripts and can really do damage to your system. First and foremost, if you are running PHP apps like phpBB, make sure your users are aware that they need to keep these programs updated to the latest versions. In reality you should do this yourself before any problems arise and use WHM's Addon Script Manager to update all PHP apps running on your servers. It is so important to keep your software updated, as most update releases are either bug fixes or, more importantly, security fixes.

So I had a spammer blow 5000 emails from /var/tmp, sending these emails as nobody of course. In this case it was caught immediately, as all the emails were returned undeliverable. When I noticed the excessive email load I first had to figure out where it was coming from. Upon logging into the server I was able to locate the following malicious processes running as the user nobody:

Code:
nobody   31385  0.0  0.0  1452    4 ?      S    Aug20   0:00 bash
nobody    4566  0.0  0.0  1456    4 ?      S    00:17   0:00 ./cgi
nobody    4575  0.0  0.0  2160  104 ttyp0  S    00:17   0:00 sh -i
nobody   13500  4.8  0.0  1428  184 ttyp0  R    01:02   0:54 ./f3 200.147.128.xxx 65535 10000

The processes seem to be running from /var/tmp:

Code:
root@server [~]# lsof -p 13500 | head -n 4
COMMAND PID   USER   FD  TYPE DEVICE SIZE  NODE   NAME
f3      13500 nobody cwd DIR  3,3    4096  245935 /var/tmp
f3      13500 nobody rtd DIR  3,1    4096  2      /
f3      13500 nobody txt REG  3,3    18132 245809 /var/tmp/f3

I entered /var/tmp and saw a host of files that weren't supposed to be there, and I knew right away that here was the problem. I first deleted all the files except for mysql.sock, which really is the only file that should be in there, and then checked permissions:

Code:
root@server [/var/tmp]# ls -l
-rwxrwxr-x 1 nobody nobody 18132 Aug 22 00:02 f3*

No good to have this folder under nobody; insecure.
So in order to prevent future problems I did the following: I killed the malicious processes, deleted all the malicious files, removed the permissions on the f3 binary and set its owner to root:root, and restricted access to the wget command to the root user only. This is a basic and simple way to secure this folder and your server, but it is very effective. So if you are using /var/tmp with nobody permissions, I suggest modifying it as above and saving yourself some future headaches.
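As an added example (not from the original post), the two checks above as a small POSIX shell audit: it lists entries in a scratch directory that should not be there, and finds processes whose working directory or executable lives inside it, the way lsof exposed ./f3. The directory, allowed file name and owner are parameters; mysql.sock and nobody are defaults taken from the post.

```shell
#!/bin/sh
# Added example, not from the original post: audit a shared scratch
# directory such as /var/tmp after an incident like the one above.
# Linux-specific (GNU stat, /proc); run as root to see every process.

# audit_tmp_dir DIR [ALLOWED] [OWNER]
# Print "reason<TAB>path" for every entry in DIR other than ALLOWED
# (default mysql.sock) that is an executable file or is owned by OWNER
# (default nobody, the web-server user). Returns 1 if anything was found.
audit_tmp_dir() {
    dir=$1; allowed=${2:-mysql.sock}; owner=${3:-nobody}; found=0
    for f in "$dir"/* "$dir"/.[!.]*; do
        [ -e "$f" ] || continue
        [ "$(basename "$f")" = "$allowed" ] && continue
        if [ -f "$f" ] && [ -x "$f" ]; then
            printf 'executable\t%s\n' "$f"; found=1
        elif [ "$(stat -c %U "$f" 2>/dev/null)" = "$owner" ]; then
            printf 'owned-by-%s\t%s\n' "$owner" "$f"; found=1
        fi
    done
    return $found
}

# procs_running_from DIR
# Print "pid<TAB>cwd<TAB>exe" for every process whose working directory
# or executable is inside DIR, which is how ./f3 showed up in lsof.
# Returns 1 if no process matched.
procs_running_from() {
    dir=$(readlink -f "$1"); hit=1
    for p in /proc/[0-9]*; do
        cwd=$(readlink "$p/cwd" 2>/dev/null) || continue
        exe=$(readlink "$p/exe" 2>/dev/null || :)   # empty for kernel threads
        case "$cwd/" in "$dir"/*) match=1 ;; *) match=0 ;; esac
        case "$exe" in "$dir"/*) match=1 ;; esac
        [ "$match" -eq 1 ] || continue
        printf '%s\t%s\t%s\n' "${p#/proc/}" "$cwd" "$exe"; hit=0
    done
    return $hit
}

# Usage: audit_tmp_dir /var/tmp; procs_running_from /var/tmp
```

Both functions exit non-zero when something is wrong, so they can be dropped into a cron job that mails you the output.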