My replies below.... I'm just so down in the dumps now....aaahhhhh

----- Original Message ----
> From: Neil Aggarwal <neil at JAMMConsulting.com>
> To: CentOS mailing list <centos at centos.org>
> Sent: Wednesday, June 3, 2009 1:38:05 PM
> Subject: Re: [CentOS] Centos 5.3 -> Apache - Under Attack ? Oh hell....
>
> The original poster stated he did know how what
> the process was. He stated he believed the machine
> was being attacked. He asked for advice from the
> community on how to handle the situation.

Yes. This was and is still my understanding.

This was what 'top' showed...

  PID USER      PR  NI  VIRT  RES  SHR S %CPU %MEM    TIME+  COMMAND
23119 apache    15   0   964  556  472 S  0.7  0.0   0:03.68 atack
23479 apache    15   0   964  556  472 S  0.7  0.0   0:01.94 atack
22170 apache    15   0   964  560  472 S  0.3  0.0   0:05.23 atack
22375 apache    15   0   964  560  472 S  0.3  0.0   0:04.21 atack
22858 apache    15   0   964  560  472 S  0.3  0.0   0:02.87 atack

'ps -ef' showed

apache   24253 23378  0 10:54 ?        00:00:00 ./atack 100
apache   24286 23378  0 10:59 ?        00:00:00 ./atack 100
apache   24292 23378  0 11:00 ?        00:00:01 ./atack 100
apache   24335 23378  0 11:01 ?        00:00:00 ./atack 100

> The original poster's statements imply it was not put
> there by an authorized user.

Yes, no one but me has access to the machine.

> Someone does not just
> casually assume a machine has been hacked. They
> have a reason for suspecting it.

Applications running;

1 - horde groupware webmail edition, just the framework though.
2 - phpmyadmin
3 - postfixadmin
4 - postfix
5 - dovecot
6. fail2ban
7. monit

2 -> 7 I installed from the repos.

The centos box was running 5.2 when I first noticed the 'slowness'. I then updated to 5.3 hoping that the problem would go away.

I am not worried about reinstalling (I loathe doing it) but my worry here (as some of you have accurately pointed out) is that the 'issue' will repeat again because I just don't know what happened.

I'm just surprised that a centos box was compromised.

The box is unplugged now.

Any more ideas?

Regards,
Maco.