Going off what Jim Small said, another layer can include the restriction of users at the firewall level. In addition to an inbound external firewall an internal firewall can be used for restricting outbound access. Restricting a users outbound access using ipfw\ipchains\iptables can quarintene the compromise to the infected server. Using dynamic rules like
ipfw check-state ipfw add ???? allow tcp from any to any in uid news keep-state ipfw add ???? deny all from any to any gid daemons This is kindof off subject but I hope it helps! -Erik Karulf ::am consulting:: FreeBSD Security Consulting