exploits in /tmp folder

Discussion in 'Apache' started by costy81gl, Feb 23, 2014.

  1. #1
    Hi
    On one of my servers I have just found a new folder /tmp/test/ containing 5 files for sending spam. The folder was created today at 18:34, and the spammer sent only 3 emails to some test addresses. But I am afraid he will come back in the next hours.

    I searched in access_log and I found no unusual URLs accessed at the time when the folder was created. What should I do next? How can someone create a folder in /tmp folder?

    costy81gl, Feb 23, 2014
  2. #2
    I would start with rkhunter and see its output if it finds something. Just to be sure.

    ElizabethKonig, Feb 23, 2014
  3. #3
    You should make sure your firewall is running with the correct configs.
    And like what Konig said, run rkhunter and make sure the server is locked down.
    The tmp folder should also be locked down. chown and chmod it so that only the service has access.
    All of these will prevent incorrect tmp usage.

    oneilonline, Feb 26, 2014
  4. #4
    Those 5 files belong to apache user. So, I suppose there is a security issue on one of my sites. My firewall is ok, but I cannot close http port. I have to find the corrupted php page and I don't know how because I have more than 50.000 php files. Rkhunter and chkrootkit could not find anything.

    Is there a way to know the php source of each tmp file created? That would be great.

    EDIT: I have just discovered the way to have a different upload_tmp_dir for each domain by adding to vhost.conf file one line to each domain. I'm sure this will help me.
     
    Last edited: Feb 26, 2014
    costy81gl, Feb 26, 2014
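
Added example, not part of the thread and not a tool any poster used: one way to narrow down which PHP script wrote the files asked about in post #4 is to list every request to a `.php` script, across all vhost access logs, that falls within a short window of the files' timestamp. The log lines, domains, IP addresses and the +0200 offset are constructed sample data, and `requests_near` is a hypothetical helper name.

```python
import re
from datetime import datetime, timedelta

TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
# Apache common/combined log: host ident user [time] "METHOD path proto" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)

def requests_near(logs, created, window_s=120):
    """Return (vhost, time, ip, method, path, status) for each request to a
    PHP script logged within window_s seconds of `created`, POSTs first."""
    delta = timedelta(seconds=window_s)
    hits = []
    for vhost, lines in logs.items():
        for line in lines:
            m = LOG_RE.match(line)
            if not m:
                continue  # skip malformed lines instead of failing
            ts = datetime.strptime(m["ts"], TS_FMT)
            path = m["path"].split("?", 1)[0]  # ignore the query string
            if abs(ts - created) <= delta and path.endswith(".php"):
                hits.append((vhost, ts, m["ip"], m["method"], path,
                             int(m["status"])))
    # POST requests are the likelier write path: list them first, then by time
    return sorted(hits, key=lambda h: (h[3] != "POST", h[1]))

# Constructed sample data: one list of access-log lines per vhost.
SAMPLE_LOGS = {
    "shop.example": [
        '198.51.100.7 - - [23/Feb/2014:18:20:11 +0200] "GET /index.php HTTP/1.1" 200 5120',
        '203.0.113.9 - - [23/Feb/2014:18:33:58 +0200] "POST /images/cache/up.php HTTP/1.1" 200 312',
    ],
    "blog.example": [
        '198.51.100.7 - - [23/Feb/2014:18:34:30 +0200] "GET /feed.php?page=2 HTTP/1.1" 200 901',
        '198.51.100.7 - - [23/Feb/2014:18:34:40 +0200] "GET /style.css HTTP/1.1" 200 77',
        'truncated or malformed line',
    ],
}
# In real use, take this from the mtime of the oldest file in the directory.
CREATED = datetime.strptime("23/Feb/2014:18:34:00 +0200", TS_FMT)

if __name__ == "__main__":
    for vhost, ts, ip, method, path, status in requests_near(SAMPLE_LOGS, CREATED):
        print(f"{ts:%H:%M:%S} {vhost:14} {ip:15} {method:5} {status} {path}")
```

A POST to a script inside an upload or cache directory shortly before the files appear is the first candidate to inspect; widen `window_s` if nothing matches.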