On Tuesday 12 August 2008 09:08, Mr Shunz wrote:
> maybe you should check with "lsof -p 3041" and see which files/pipes it
> uses to have a clue.

Of course! <slap> It's a perl w0rm that was uploaded last night, now killed.

Now to determine how it got in. I found some output in the main apache error log that looks like wget was used to download a shellbot. But I can't figure out how wget was called; maybe some PHP exec() call that is unchecked. But I can't find it on the system yet, or the data files it uses.

chkrootkit says all is clear. mod_security is now being installed, belatedly. This server has only been up 1 week, sheesh.

Thanks
Sam

PS Here is the link to the shellbot that was used, in case anyone is curious. I break up the URL to protect the innocent:

http://usua<BREAK>rios.lycos.es/<BREAK>w0rms/info.txt

I have searched for it and don't find anything special on the main security sites. Is it new?