Hi there, we've had a few debian/ubuntu servers hacked over the past year or so, ultimately each instance was traced to shoddy client code. Most of our servers are kept well away from third party code but some have to have it. We do what we can to secure the servers but sometimes a client says "oh we have to have this gaping php security hole otherwise my code won't work" so we put barbed wired around it and wait for those friendly indonesian chaps to hack it to pieces (seems most of our hackers are indonesian for some strange reason) anyways, I was thinking that maybe we can be more pro-active with detecting hacks, in many cases there seems to have been several days between the inital server compromise and the clients sites turning to mush. I was thinking maybe a cron job to run rkhunter and email the output, but this would mean a bunch of emails that need manually checked every day. Anyone got any suggestions for a better method?