Since this was your puppet server, you might also want to check to see if the intrusion has spread to your other machines, it's possible the attacker didn't notice or that the attack was fully automated, but you should read through the puppet configs and see if there are any commands being distributed to the other machines that you didn't put there. You don't want to play whack-a-mole chasing this out of your system, you want to get it all in one shot. — Mark Tinberg mark.tinberg at wisc.edu