Well, through no one's fault but my own, our file server has been compromised. It looks like the SHV5 kit. I plan a reformat/reinstall tomorrow and I was wondering if anyone had advice.

I discovered that some of the coreutils had been replaced with compromised versions, so I (stupidly) downloaded the coreutils RPM, then did 'rpm -ev coreutils' and tried 'rpm --Uvh coreutils'. Should have researched that a bit, because (as root) I don't have permission to remove/rename the hacked binaries! Oops.

For the time being, I've (physically) removed the server's network connection.

So - the plan:

1. telinit 1
2. try to reinstall coreutils
3. telinit 3
4. rsync the last week's worth of data to another machine
5. reformat/reinstall
6. create new home dirs
7. rsync the data back - do a recursive chown/chmod
8. run rkhunter

Any thoughts on this plan of attack are welcome.

And of course the moral of all of this is UPDATE and DON'T RUN UNNEEDED WEB SERVICES. This happened on a FC2 server (I know ;) ), and possibly via the SWAT or phpMyAdmin web interfaces.

Chris