[CentOS] Centos 5.3 -> Apache - Under Attack ? Oh hell....

Wed Jun 3 13:51:30 UTC 2009
Les Mikesell <lesmikesell at gmail.com>

Linux Advocate wrote:
> 
> ----- Original Message ----
>> From: John R. Dennison <jrd at gerdesas.com>
>>
>>     I stand by my previous advice - the box is compromised, can not
>>     be trusted, and as a responsible admin he should be working on
>>     re-installing it, evaluating what web-apps he had running that
>>     led to this in the first place and taking the appropriate steps
>>     to ensure it does not happen again.
>>
>
> What steps should I take? I was running CentOS 5.2 fully updated. The web apps or daemons I have running are from the repos.
> I have other Mandriva boxes and they are all OK. I'm just so surprised that a CentOS box got compromised.

There were dozens of security updates to php and related apps since the 
5.2 days.  You really have to keep anything exposed to the internet up 
to date and using secure passwords.  This almost certainly isn't a 
'centos' issue.  Someone probably used a default password to log into 
one of the php apps and exploit an old bug that let them write in a 
place that apache would execute something.  Odds are that they didn't 
get root and that you'd have a chance of cleaning it if you know what 
you are doing, but if you have to ask for advice on a mail list you 
probably shouldn't try.

-- 
   Les Mikesell
    lesmikesell at gmail.com
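
The reply above describes a PHP app bug that lets someone write into a place Apache will execute. The following audit sketch is an added example, not part of the original thread: it lists directories the web server account can write to and any script files sitting in them or owned by that account. The web root /var/www/html, the account name "apache", the extension list and all function names are assumptions for a stock CentOS httpd install.

```shell
#!/bin/sh
# Added example, not from the original post.
# Assumed defaults (stock CentOS httpd): root /var/www/html, account "apache".

# Script files under the given find(1) path and predicates.
# The extension list is an assumption; match it to your handler config.
script_files() {
    find "$@" -type f \( -name '*.php' -o -name '*.phtml' \
        -o -name '*.cgi' -o -name '*.pl' \) -print
}

# Directories the server account can create files in: owned by it,
# group-writable for its group ($3, defaults to $2), or world-writable.
writable_dirs() {
    find "$1" -type d \( -user "$2" -o -perm -0002 \
        -o \( -group "${3:-$2}" -perm -0020 \) \) -print | sort
}

# Scripts owned by the server account. Packaged code is installed as root,
# so these were written by the web server process itself.
owned_scripts() {
    script_files "$1" -user "$2" | sort
}

# Scripts located directly inside a server-writable directory.
# (Directory names containing newlines are not handled.)
scripts_in_writable_dirs() {
    writable_dirs "$1" "$2" "${3:-$2}" | while IFS= read -r d; do
        script_files "$d" -maxdepth 1
    done | sort
}

# Print a short report; call as: audit_webroot /var/www/html apache
audit_webroot() {
    root=${1:-/var/www/html}
    user=${2:-apache}
    echo "== Directories writable by $user under $root"
    writable_dirs "$root" "$user"
    echo "== Scripts inside those directories"
    scripts_in_writable_dirs "$root" "$user"
    echo "== Scripts owned by $user"
    owned_scripts "$root" "$user"
}
```

On a box already believed compromised, output from tools on that box cannot be fully trusted; the check is more useful run against the rebuilt system before it goes back online.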