Prevent URL Injection attacks

A URL injection attack typically means that the server to which the attacker's IP address is bound is itself a compromised server.

What can we do?
Check the server for suspicious files in /tmp, /var/tmp, /dev/shm, /var/spool/samba, /var/spool/vbox, /var/spool/squid, and /var/spool/cron.
Use "ls -lab" when checking these directories, because compromised servers sometimes contain hidden files that a regular "ls" will not show.

Run "ps -efl" or "ps -auwx" as root to find suspicious processes. Verify the Apache processes.

Clam AntiVirus can also be used to find commonly used PHP and Perl-based hacks, including various PHP shells, on a server. Run the clamscan command with the “--infected” and “--recursive” options.
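
The directory check and the clamscan step above can be combined in one script. This is an added example, not part of the original page; the function names are hypothetical, and flagging PHP/Perl scripts and executables in temp and spool directories is an assumption about what counts as suspicious there.

```shell
#!/bin/sh
# Added example, not from the original page. Function names are hypothetical.
# Usage: sh sweep.sh /tmp /var/tmp /dev/shm /var/spool/cron

# list_hidden DIR...: print every entry whose name starts with a dot,
# the files a plain "ls" would not show.
list_hidden() {
    for d in "$@"; do
        [ -d "$d" ] || continue
        find "$d" -xdev -name '.*' -print 2>/dev/null
    done
}

# list_scripts DIR...: print regular files with a PHP/Perl extension or the
# owner-execute bit set. Assumption: neither belongs in temp or spool paths.
list_scripts() {
    for d in "$@"; do
        [ -d "$d" ] || continue
        find "$d" -xdev -type f \( -name '*.php' -o -name '*.pl' -o -perm -100 \) -print 2>/dev/null
    done
}

# sweep DIR...: show flagged entries with "ls -labd"; return 1 if any exist.
sweep() {
    hits=$( { list_hidden "$@"; list_scripts "$@"; } | sort -u )
    [ -n "$hits" ] || return 0
    printf '%s\n' "$hits" | while IFS= read -r f; do ls -labd "$f"; done
    return 1
}

# clam_scan DIR...: run ClamAV with the two options named above, if installed.
clam_scan() {
    command -v clamscan >/dev/null 2>&1 || { echo "clamscan not installed" >&2; return 2; }
    clamscan --infected --recursive "$@"
}

# Only act when directories are given on the command line.
if [ "$#" -gt 0 ]; then
    sweep "$@" || echo "review the entries listed above" >&2
    clam_scan "$@" || true
fi
```

A non-zero return from sweep only means something needs a manual look; legitimate software also creates dot-files and executables in these paths.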
Also check the server with rootkit detection tools:

