Tracking down source of bots with user nobody
I have a multiuser server that has apache running as nobody and bots using RFI exploits to drop php shells. The shells are being used to drop psybnc and other crap in /dev/shm, /tmp and /var/tmp (all as user nobody). Given the size of this server it's very difficult to find their php shells because the names are always different and find is too slow. I need to find what php script is creating the bots in the temporary directories. We have installed suPHP on some servers which helps to locate the users' webroots, but not always the files. They create the files and close the write streams fast enough that I can't lsof to their creator.
Any creative solutions?
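An added example, not from the original post or its answers: the shells close their file handles too fast for lsof, but the kernel audit subsystem records the creating process at syscall time. Assuming auditd watch rules such as `-w /tmp -p w -k tmpwrite` (and the same for /var/tmp and /dev/shm), the script below parses the resulting SYSCALL/CWD/PATH records (a constructed sample is embedded) and reports, for each file a given uid created under a temp dir, the pid, executable and working directory; PHP changes into the directory of the script it runs, so the CWD record points at the directory holding the shell. The uid 99 for nobody and all paths are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample of auditd records (not from the original post). Two events,
# each tagged with the key "tmpwrite": a php-cgi process running as uid 99 (nobody)
# creating a file in /tmp, and an unrelated root cron job doing the same.
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1300000000.123:4501): arch=c000003e syscall=2 success=yes exit=5 ppid=2110 pid=2234 auid=4294967295 uid=99 gid=99 euid=99 comm="php-cgi" exe="/usr/bin/php-cgi" key="tmpwrite"
type=CWD msg=audit(1300000000.123:4501):  cwd="/home/example/public_html/images"
type=PATH msg=audit(1300000000.123:4501): item=0 name="/tmp/" inode=2 dev=fd:00 mode=041777 ouid=0 ogid=0 rdev=00:00 nametype=PARENT
type=PATH msg=audit(1300000000.123:4501): item=1 name="/tmp/.bnc.sh" inode=1234 dev=fd:00 mode=0100644 ouid=99 ogid=99 rdev=00:00 nametype=CREATE
type=SYSCALL msg=audit(1300000000.456:4502): arch=c000003e syscall=2 success=yes exit=4 ppid=1 pid=900 auid=0 uid=0 gid=0 euid=0 comm="cron" exe="/usr/sbin/cron" key="tmpwrite"
type=CWD msg=audit(1300000000.456:4502):  cwd="/"
type=PATH msg=audit(1300000000.456:4502): item=0 name="/tmp/cron.abc" nametype=CREATE
"""

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')          # key=value or key="quoted value"
MSG_RE = re.compile(r'msg=audit\((\d+\.\d+):(\d+)\)')  # (timestamp, serial) = event id

def parse_events(text):
    """Group records sharing one audit(ts:serial) id into a list of field dicts."""
    events = defaultdict(list)
    for line in text.splitlines():
        m = MSG_RE.search(line)
        if not m:
            continue
        fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
        events[(m.group(1), m.group(2))].append(fields)
    return events

def temp_file_creations(text, uid="99", tmp_dirs=("/tmp/", "/var/tmp/", "/dev/shm/")):
    """List files created under a temp dir by `uid`, with creator pid, exe and cwd
    (cwd is the directory of the PHP script that was executing)."""
    hits = []
    for (ts, serial), records in sorted(parse_events(text).items()):
        syscall = next((r for r in records if r["type"] == "SYSCALL"), None)
        if syscall is None or syscall.get("uid") != uid or syscall.get("success") != "yes":
            continue
        cwd = next((r["cwd"] for r in records if r["type"] == "CWD"), None)
        for r in records:
            if (r["type"] == "PATH" and r.get("nametype") == "CREATE"
                    and r.get("name", "").startswith(tmp_dirs)):
                hits.append({"ts": ts, "serial": serial, "pid": syscall["pid"],
                             "exe": syscall["exe"], "cwd": cwd, "created": r["name"]})
    return hits

if __name__ == "__main__":
    for h in temp_file_creations(SAMPLE_AUDIT_LOG):
        print(f"{h['ts']} pid={h['pid']} {h['exe']} cwd={h['cwd']} created {h['created']}")
```

On a live box, feed it `ausearch -k tmpwrite --raw` output; the pid and timestamp then correlate with the Apache access log entry that triggered the drop.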