I have found some files on /tmp named like /tmp/dos-xxx.xxx.xxx.xxx where xxx.xxx.xxx.xxx is an out ip. In these files is just a number, I think a counted value. I think this is ip of a victim, that has been attacked by our box, but how? I have suexec & phpsuexec installed, then owner of all files on /tmp is defined. But how can an script use nobody to execute? I think it is impossible with phpsuexec, except direct code executing throught browser. I wonder how? maybe a phpBB exploit or so? ok, but how can I prevent this to repeat again? I have not found any log to show me that how these files created and accessed. If be fair, I dont know how exactly use egrep to find a record related to this issue. Any idea may help me & others to find a solution for this issue. Thanks.