>> Look in /var/tmp - anything there called aVe or uselib24 or bots.txt? >> Also, look in your /var/log/httpd area for anything weird in access_log >> or error_log. > > Yes, I did have a couple of PERL programs in /var/tmp. One was called > https and it is attached. > As far as I understand this vulnerability it is limited to the user > Apache is run by correct? Well, sort of. Once someone has put something on your system that you didn't give them permission to, it's their box. Period. So even though they might have uploaded something as a non-privileged users, it's not too far to them rooting your system. Back up your data, rebuild, and restore data. It sucks, but it's really the best idea. Thomas