> My question is why is this happening? Obviously it's some apache > exploit. I wouldn't jump to the conclusion that it's an Apache exploit. It's more likely to be an issue with an insecure script assuming they are even coming in through the web server. A few questions: 1) What makes you think this is an Apache issue? 2) What other services are running on the box? 3) How did you clean up after the first hack? 4) Are you sure that a user account hasn't been cracked? 5) Do you allow root logins via ssh?