Hi,

On Sat, Jun 13, 2009 at 03:19, Linux Advocate <linuxhousedn at yahoo.com> wrote:
> I'm looking for it bro... the machine is disconnected from the net but
> I have not formatted it yet... I really need to know how it happened....

I suggest you start by looking at Apache's logs. Look for very strange URLs that have nothing to do with the applications you have there, like .exe files (IIS attacks) or other .cgi or .php files that will give you 404 errors. Also look for things in the error_log file. And then look for other accesses from the same IP (assuming it's always from the same IP) to files that do exist; this will probably lead you to what was used to break in. Continue the investigation from there.

Also, you can use "stat /dev/shm/unix" to find the "ctime" of that directory, or look at the modification time of "/dev/shm", to try to figure out when the "/dev/shm/unix" directory was created. Then you can look for accesses at that time in your Apache logs to figure out which script was used for the break-in.

Usually script kiddies will run a series of attacks on your machine, which will generate logs with errors. Unless the attacker got root access (which apparently he did not, as he was running his program as user apache) he would not be able to delete logs, so the evidence should still be there.

HTH,
Filipe
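A worked version of the log triage Filipe describes, added here as an example that is not part of the thread: it pulls the IPs that probed for non-existent .exe/.cgi/.php/.pl paths (the 404 noise), then lists every request from those IPs that did hit an existing file. The access log is constructed, and the IP addresses are documentation-range placeholders; compare the timestamps it prints against the ctime you get from `stat /dev/shm/unix`.

```shell
#!/bin/sh
# Constructed Apache combined-format access log (not from the thread).
# 203.0.113.5 plays the probing host, 198.51.100.7 an ordinary visitor.
LOG=$(mktemp)
trap 'rm -f "$LOG"' EXIT
cat > "$LOG" <<'EOF'
198.51.100.7 - - [13/Jun/2009:02:55:01 +0000] "GET /index.php HTTP/1.1" 200 1532 "-" "Mozilla/5.0"
203.0.113.5 - - [13/Jun/2009:03:01:12 +0000] "GET /scripts/cmd.exe HTTP/1.0" 404 281 "-" "-"
203.0.113.5 - - [13/Jun/2009:03:01:13 +0000] "GET /cgi-bin/awstats.pl HTTP/1.0" 404 281 "-" "-"
203.0.113.5 - - [13/Jun/2009:03:01:15 +0000] "GET /admin/config.php HTTP/1.0" 404 281 "-" "-"
203.0.113.5 - - [13/Jun/2009:03:02:40 +0000] "GET /gallery/upload.php HTTP/1.0" 200 97 "-" "-"
198.51.100.7 - - [13/Jun/2009:03:05:09 +0000] "GET /style.css HTTP/1.1" 200 880 "-" "-"
EOF

# Combined-format fields: $1 = client IP, $4 = "[timestamp", $7 = request
# path, $9 = HTTP status.

# Step 1: IPs that got 404s on script-looking paths that do not exist here.
# This is the "series of attacks ... with errors" the reply talks about.
probe_ips() {
    awk '$9 == 404 && $7 ~ /\.(exe|cgi|php|pl)([?\/]|$)/ { print $1 }' "$1" | sort -u
}

# Step 2: requests from one probing IP that did NOT fail, i.e. hits on files
# that really exist. These are the candidates for the script that was used.
hits_from() {
    awk -v ip="$2" '$1 == ip && $9 != 404 { print $1, $4, $7, $9 }' "$1"
}

# Step 3: run step 2 for every IP found in step 1. Each output line carries
# the timestamp so it can be lined up against the ctime from stat(1).
triage() {
    for ip in $(probe_ips "$1"); do
        hits_from "$1" "$ip"
    done
}

# Example run against the constructed log:
triage "$LOG"
```

On a real box, point `triage` at the rotated logs as well (`access_log.1`, `access_log.2.gz` via `zcat`), since the break-in may predate the current file.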