> B. Can I conclude that the attacker came through the horde framework (cmdshell.php)? The horde framework was installed from the centos repo.....!!!
> C. BUT THE WORST THING OF ALL IS THESE LINES BELOW....
> <snip>
> 14:47:47 (35,1 KB/s) - `unix.tgz' saved [1614224/1614224]

To answer B & C, I'm reasonably certain that the answer to both is Yes.

I got curious so I downloaded the file at http://mv.do.am/unix.tgz into a secured area of my computer. I was surprised the hacker hasn't moved on, but it contains the files you identified sitting in /dev/shm/unix. It looks to me like the hacker exploited a weakness in horde's cmdshell.php to upload the file "unix.tgz" to /dev/shm, then unpacked it and off he/she went.

Going forward I would recommend, after doing a wipe & reinstall, investigating putting Apache into a chroot jail and hardening php using suhosin/hardened-php or the like. The jail will limit the damage a hacker can do when they break in, and Suhosin will make it harder for them to do so.

--
Drew

"Nothing in life is to be feared. It is only to be understood." --Marie Curie