My server was recently compromised by a c99 shell. How can I make ClamAV automatically scan each day (Just my /www folder), as well as scan all php and ftp uploads. I use proftpd and CentOS 5.3. I now believe my server was comprimised. I tested the C99 and some other scripts he's uploaded, and he found a kernel exploit (Reporting it to linux dev team). Anyway, he broke out of the openbase_dir restrictions, and got root priveledges. I believe i fixed the security hole, and disabled his account (and site). Do you think I should wipe my server?
