From: "Gabe Warren" <gabewarren@xxxxxxxxxxx> > Tomas Larsson wrote: > > >Doing a netstat on my server, I find a strange connection. > > > >It's a crond-job with Apache as owner, and it seems to go to an > >irc-server, called 193.110.95.1:ircd, "carouge.ch.eu.undernet.org", anyone > >that knows what this is?? > > > > > Do you have awstats installed? Check and see if you have any hidden > directories in /tmp. There is an awstats exploit that allows uploads as > the apache user. I found a process running as apache called init.d on > one of my servers. It too was initiaiting connections out to IRC. The > EnergyMech irc bot was uploaded and executed from the /tmp/.bin directory. > > This person has explained in detail his experience. > > http://www.angelar.com/~jeremy/computer/hacked.html > > Maybe this is what happened to you. > > gabe <Alert sarcasm>But but but - my mommy told me that Linux was secure and I did not NEED to run any anti-virus software....</Alert> {^_-}