Gregory P. Ennis wrote: > P.S. I found the following entry in my error_log of /var/log/httpd/ : > > [Sun Aug 16 04:26:19 2009] [info] Server built: Jul 14 2009 06:02:39 > --00:21:14-- http://code.go.ro/paypal.com.tar > Resolving code.go.ro... 81.196.20.134 > Connecting to code.go.ro|81.196.20.134|:80... connected. > HTTP request sent, awaiting response... 200 OK > Length: 645120 (630K) [application/x-tar] > Saving to: `paypal.com.tar' > .... looks like they spoofed something on your server, probably some kinda sloppy php, into running wget. I'd take a look at the access_log around the same timestamp to see if there any hints as to how they did this. http://xkcd.com/327/