I'm running an Apache 1.3.33 server. Most of the modules are enabled on the server, such as mod_gzip. I have found many trojans and rootkits under my server's /tmp directory. I have also found the following entries in my server's error log file:
h: line 2: /tmp/cmdtemp: Permission denied
--08:10:22-- [geocities.com...]
=> `cbk.tar.gz'
Resolving geocities.com... done.
Connecting to geocities.com[66.218.77.68]:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 143,715 [application/x-gzip]
0K .......... .......... .......... .......... .......... 35% 213.68 KB/s
50K .......... .......... .......... .......... .......... 71% 337.84 KB/s
100K .......... .......... .......... .......... 100% 517.27 KB/s
08:10:22 (305.10 KB/s) - `cbk.tar.gz' saved [143715/143715]
Then someone seems to have unzipped this file and executed it on the server.
Now my question is: how can this happen, and how can I prevent such actions?
Please let me know if you need any more info about the situation.
thanks,
hebe.
[edited by: jatar_k at 4:40 pm (utc) on Sep. 18, 2005]
[edit reason] examplified [/edit]
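The entries quoted above are not Apache messages at all: they are the stdout/stderr of a shell and of wget, running as the web server user, which the server appended to its error log. A small detector for exactly that pattern, as an added example that is not part of the original post (the sample log is constructed to mirror the quoted lines; the hostname and IP in it are placeholders, and the regex accepts both `sh:` and the truncated `h:` seen above):

```python
import re

# Constructed sample modelled on the post's error log (placeholder host/IP).
SAMPLE_ERROR_LOG = """\
[Sun Sep 18 08:09:58 2005] [error] [client 10.0.0.5] File does not exist: /var/www/html/favicon.ico
sh: line 2: /tmp/cmdtemp: Permission denied
--08:10:22-- http://geocities.example/cbk.tar.gz
=> `cbk.tar.gz'
Resolving geocities.example... done.
Connecting to geocities.example[203.0.113.10]:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 143,715 [application/x-gzip]
08:10:22 (305.10 KB/s) - `cbk.tar.gz' saved [143715/143715]
"""

# Output that Apache itself never writes; if it is in error_log, a process
# spawned by httpd (typically via a web-app hole) wrote it to stderr.
SIGNATURES = {
    "shell_error_tmp": re.compile(r"^(?:sh|bash|h): line \d+: /tmp/\S+: Permission denied"),
    "wget_request": re.compile(r"^--\d{2}:\d{2}:\d{2}--\s+\S+"),
    "wget_saved": re.compile(r"^\d{2}:\d{2}:\d{2} \([\d.]+ [KM]B/s\) - `([^']+)' saved"),
    "wget_connect": re.compile(r"^Connecting to \S+\[[\d.]+\]:\d+\.\.\. connected\."),
}


def find_suspicious(log_text):
    """Return (line_number, signature_name, line) for each matching line."""
    hits = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        for name, rx in SIGNATURES.items():
            if rx.search(line):
                hits.append((lineno, name, line))
                break  # one signature per line is enough
    return hits


def downloaded_files(hits):
    """File names wget reported as saved; compare these against /tmp."""
    return [SIGNATURES[name].search(line).group(1)
            for _, name, line in hits if name == "wget_saved"]


if __name__ == "__main__":
    found = find_suspicious(SAMPLE_ERROR_LOG)
    for lineno, name, line in found:
        print(f"line {lineno}: {name}: {line}")
    print("files fetched by the httpd user:", downloaded_files(found))
```

Run it against the real error_log (for example `find_suspicious(open("/var/log/httpd/error_log").read())`) and correlate the timestamps with access_log to find which request spawned the shell.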
Shut off those services if possible, and close all ports except for port 80 and port 443, and that'll keep them out.
I'd advise you to disconnect that server from the internet until you get this resolved. Otherwise, they may hack faster than you can unhack...
Jim