I had a similar encounter about 2 months ago. The intruder exploited a
PHP script that was poorly written. If you check your http access logs,
you will most likely find an entry about the PHP that is being exploited.
Once you find the offending PHP script, you can either remove it or
add an exit(0); on top of the script so that it does not accept any
input. If you are a good PHP programmer, you could fix the script so
that it validates whatever input it's getting.

If PHP is the entry point, then take a look at
- libapache2-mod-suphp
- PHP SAFE-Mode
- PHP Basedir
- set 'allow_url_fopen = Off' in your php.ini
They help. Also make sure that there is no
writeable directory for the apache user.
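
An added example, not part of the posts above: a small Python audit for two of the settings listed (`allow_url_fopen`, `open_basedir`) and for directories the web server account can write to. The sample php.ini is constructed, the function names are hypothetical, and the directory check reads mode bits only (ACLs are not considered).

```python
import os
import re
import stat

# Constructed sample php.ini (not from a real host).
SAMPLE_INI = """\
[PHP]
allow_url_fopen = On
;open_basedir = /var/www/site
"""

def parse_ini(text):
    """Return {directive: value}; text after ';' is treated as a comment."""
    values = {}
    for line in text.splitlines():
        m = re.match(r"([A-Za-z0-9_.]+)\s*=\s*(.*)$", line.split(";", 1)[0].strip())
        if m:
            values[m.group(1).lower()] = m.group(2).strip().strip("\"'")
    return values

def is_off(value):
    # Spellings php.ini treats as boolean false.
    return value.lower() in ("off", "0", "false", "no", "none", "")

def audit_ini(text):
    """List the hardening settings from the post that are missing."""
    cfg = parse_ini(text)
    findings = []
    if not is_off(cfg.get("allow_url_fopen", "On")):  # PHP enables it by default
        findings.append("allow_url_fopen is enabled")
    if not cfg.get("open_basedir"):
        findings.append("open_basedir is not set")
    return findings

def writable_dirs(root, uid, gids):
    """Directories under root that uid/gids can write to, judged by mode bits."""
    hits = []
    for path, _dirs, _files in os.walk(root):
        st = os.stat(path)
        if (st.st_mode & stat.S_IWOTH
                or (st.st_uid == uid and st.st_mode & stat.S_IWUSR)
                or (st.st_gid in gids and st.st_mode & stat.S_IWGRP)):
            hits.append(path)
    return sorted(hits)

if __name__ == "__main__":
    print(audit_ini(SAMPLE_INI))
    # Assumption: pass the uid/gids of your Apache account and your own docroot.
    print(writable_dirs(".", os.getuid(), set(os.getgroups())))
```

Run it with the uid and group ids of the account Apache runs as; any directory it reports is a place an exploited script could drop files.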