Matt, great idea.... I FOUND SOMETHING... please see below...

________________________________
>From: Matt <lm7812 at gmail.com>
>To: CentOS mailing list <centos at centos.org>
>Sent: Thursday, June 4, 2009 4:40:57 AM
>Subject: Re: [CentOS] Centos 5.3 -> Apache - Under Attack ? Oh hell....

>PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND
>23119 apache 15 0 964 556 472 S 0.7 0.0 0:03.68 atack

>When I 'ps -ef' I can see many lines as below;

>apache 24253 23378 0 10:54 ? 00:00:00 ./atack 100
>apache 24286 23378 0 10:59 ? 00:00:00 ./atack 100

>A good tool to have on your linux box that may help, some.
>http://rkhunter.sourceforge.net/
>http://rpmfind.net/linux/rpm2html/search.php?query=rkhunter

>After installing do.

>rkhunter --update
>rkhunter -c

>And see if it finds anything.

I DID FIND SOMETHING... NOT SURE WHAT THOUGH ;)

* Filesystem checks
  Checking /dev for suspicious files...                   [ OK ]
  Scanning for hidden files...                            [ Warning! ]
---------------
/etc/.pwd.lock
/usr/share/man/man1/..1.gz
/dev/.udev
---------------
Please inspect:
  /usr/share/man/man1/..1.gz (gzip compressed data, from Unix, max compression)
  /dev/.udev (directory)

The contents of the /dev/.udev folder;

drwxr-xr-x 2 root root 540 Jun 8 15:41 db
drwxr-xr-x 2 root root 740 Jun 8 15:41 failed
-rw-r--r-- 1 root root 4 Jun 8 15:42 uevent_seqnum

The contents of the ../man1/ folder;

[root at fwg man1]# ls -al :.1.gz
-rw-r--r-- 1 root root 40 Jan 22 09:14 :.1.gz
[root at fwgw man1]# ls -al [.1.gz
-rw-r--r-- 1 root root 40 Jan 22 09:14 [.1.gz

Anything out of the ordinary?

----------------------------
Scan results
----------------------------
MD5 scan
Skipped            <--- WHY SKIPPED? Because OS unknown, as shown in the NOTE below?
File scan
Scanned files: 342
Possible infected files: 0
Application scan
Vulnerable applications: 0

Scanning took 32 seconds

....................... end .........................................

NOTE: When we run rkhunter, rkhunter says the lines below... even though I installed from the CentOS repo? But still it says it's an unknown OS:

Rootkit Hunter 1.2.9 is running
Determining OS... Unknown
Warning: This operating system is not fully supported!
All MD5 checks will be skipped!

Anything out of the ordinary?
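The two things worth checking in the message above (odd file names in directories where they do not belong, and web-server processes launched from a relative path) can be scripted without waiting on rkhunter's OS detection. The following POSIX shell script is an added example written for this page; it is not rkhunter's code and not from anyone in the thread. It assumes the web server runs as the user `apache` (the CentOS 5 httpd default), that `/usr/share/man` and `/dev` are directories where names starting with `.`, `:` or `[` are not expected, and it treats `/dev/.udev` and `/etc/.pwd.lock` as benign because udev and glibc respectively create them on CentOS 5 (that allowlist is the example's assumption and should be adjusted per system). The directory tree and process listing it scans are constructed to mirror the listings in the message.

```shell
#!/bin/sh
# Added example, not code from the thread: two small checks modelled on the
# rkhunter "hidden files" warning and the 'ps -ef' listing discussed above.
# The web-server user name, the directory list, the allowlist and all sample
# data below are assumptions/constructed for the demonstration.
set -u

# Directories where names starting with '.', ':' or '[' are not expected;
# rkhunter flagged /usr/share/man/man1/..1.gz and /dev/.udev in the thread.
SUSPECT_DIRS="/usr/share/man /dev"

# Entries the distribution's own tooling creates and which are therefore not
# reported (assumption: udev's runtime state dir, glibc's passwd lock file).
ALLOWLIST="/dev/.udev /etc/.pwd.lock"

# Unix user the web server runs as (assumption; CentOS 5 httpd uses 'apache').
WEB_USER=apache

# allowed PATH: succeed if PATH is on the allowlist.
allowed() {
    for a in $ALLOWLIST; do
        [ "$1" = "$a" ] && return 0
    done
    return 1
}

# find_odd_names ROOT: print entries under ROOT's suspect dirs whose basename
# does not start with a letter, digit or underscore, minus the allowlist.
# ROOT is "" on a live system; the demo below points it at a scratch tree.
find_odd_names() {
    root=$1
    for d in $SUSPECT_DIRS; do
        [ -d "$root$d" ] || continue
        find "$root$d" -name '[!A-Za-z0-9_]*' 2>/dev/null
    done | while IFS= read -r path; do
        rel=${path#"$root"}
        allowed "$rel" && continue
        printf '%s\n' "$rel"
    done
}

# flag_web_procs: read 'user pid ppid args' lines on stdin (the format of
# 'ps -eo user,pid,ppid,args --no-headers') and print processes of WEB_USER
# started from a relative path or from a world-writable scratch directory.
flag_web_procs() {
    while read -r user pid ppid cmd; do
        [ "$user" = "$WEB_USER" ] || continue
        case "$cmd" in
            ./*|/tmp/*|/var/tmp/*|/dev/shm/*)
                printf 'pid=%s ppid=%s cmd=%s\n' "$pid" "$ppid" "$cmd" ;;
        esac
    done
}

# build_sample_tree: create a constructed directory tree that mirrors the
# listings in the thread (plus one legitimate man page) and print its path.
build_sample_tree() {
    t=$(mktemp -d)
    mkdir -p "$t/usr/share/man/man1" "$t/dev/.udev/db" "$t/dev/.udev/failed" "$t/etc"
    : > "$t/usr/share/man/man1/ls.1.gz"
    : > "$t/usr/share/man/man1/..1.gz"
    : > "$t/usr/share/man/man1/:.1.gz"
    : > "$t/usr/share/man/man1/[.1.gz"
    : > "$t/dev/.udev/uevent_seqnum"
    : > "$t/etc/.pwd.lock"
    printf '%s\n' "$t"
}

# Constructed process listing modelled on the thread's 'ps -ef' excerpt.
SAMPLE_PS='root 1 0 init [3]
root 23370 1 /usr/sbin/httpd
apache 23378 23370 /usr/sbin/httpd
apache 24253 23378 ./atack 100
apache 24286 23378 ./atack 100
apache 24300 23378 /tmp/.x/run'

# Demo run. On a live box use: find_odd_names ""  and
# ps -eo user,pid,ppid,args --no-headers | flag_web_procs
tree=$(build_sample_tree)
echo "== odd names under man/dev (allowlisted entries suppressed) =="
find_odd_names "$tree"
echo "== $WEB_USER processes started from relative or scratch paths =="
printf '%s\n' "$SAMPLE_PS" | flag_web_procs
rm -rf "$tree"
```

On the constructed tree the first check reports the three odd man-page names (`..1.gz`, `:.1.gz`, `[.1.gz`) and suppresses `/dev/.udev`; the second reports the two `./atack 100` processes and the `/tmp/.x/run` one, with their parent PIDs so the spawning httpd worker can be traced. Both checks are heuristics: a file name that passes them is not thereby clean, and anything they do report still needs the manual inspection the rkhunter output asks for.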