been given the rules I will obey them.
"Well, you have the PID of the suspicious connections to irc server (you can connect to the listed IPs using telnet to see they are really running an ircd) and locate where they are coming from, who owns these PIDs. I would worry for these connections. Although you gave too little information to be serious about what it means. So you didn't say whether you have users on the host in question which could use specific programs. At least bash to irc servers seems very uncommon to me."
I do not have users on the system which are at all capable of something like this. This server runs sendmail, httpd, named, ftp, mysql (not accessible from outside yet), pop3, squirrelmail (dovecot imap).
I will start by looking at all those for recent security postings. Since the program in /tmp was owned by apache:apache I would imagine that the intruder used httpd to perform their exploit. That is where I'm at so far.
Thank you for all your help.
-cs
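
Added example, not part of the original posts: one way to script the triage discussed above, picking established connections to IRC ports out of `netstat -tnp` output and then asking /proc who owns each PID and which binary it runs. The port list (6660-6669, 6697, 7000), the function names and the sample output are assumptions made for this illustration.

```shell
#!/bin/sh
# Constructed sample of `netstat -tnp` output (documentation IPs, invented PIDs).
sample_netstat() {
cat <<'EOF'
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address      Foreign Address     State       PID/Program name
tcp        0      0 192.0.2.10:34512   198.51.100.7:6667   ESTABLISHED 4312/bash
tcp        0      0 192.0.2.10:80      203.0.113.5:51234   ESTABLISHED 2101/httpd
tcp        0      0 192.0.2.10:34600   198.51.100.9:6667   ESTABLISHED 4320/perl
tcp        0      0 192.0.2.10:25      203.0.113.8:6667    TIME_WAIT   -
EOF
}

# Reads `netstat -tnp` lines on stdin and prints "pid program remote" for each
# established TCP connection whose remote port is a common IRC port (assumed list).
irc_conns() {
    awk '
        $1 ~ /^tcp/ && $6 == "ESTABLISHED" {
            n = split($5, a, ":")        # port is the last ":" field (IPv6 safe)
            port = a[n] + 0
            if ((port >= 6660 && port <= 6669) || port == 6697 || port == 7000) {
                split($7, p, "/")        # "4312/bash" -> pid, program
                if (p[1] ~ /^[0-9]+$/) print p[1], p[2], $5
            }
        }'
}

# Reports owner, binary and working directory of a PID from /proc.
# An exe ending in " (deleted)" means the binary was removed after launch.
describe_pid() {
    pid=$1
    [ -d "/proc/$pid" ] || { echo "pid=$pid no longer running"; return 1; }
    owner=$(stat -c %U "/proc/$pid" 2>/dev/null)
    exe=$(readlink "/proc/$pid/exe" 2>/dev/null)
    cwd=$(readlink "/proc/$pid/cwd" 2>/dev/null)
    echo "pid=$pid owner=$owner exe=$exe cwd=$cwd"
}

# Demo on the constructed sample. On a live host, run as root so the PID column
# is populated:
#   netstat -tnp | irc_conns | while read -r pid prog remote; do describe_pid "$pid"; done
sample_netstat | irc_conns
```

An owner of apache with an exe or cwd under /tmp would match what the poster describes finding.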