Hi, we are running suse 7.3 and apache 1.3.20 with mod_ssl Last week it happened: - webserver down - apache could not be restarted - error-log: '[crit] (98)Address already in use: make_sock: could not bind to port 443' So, lets look, what wwwrun is doing: - a 'ps aux | grep wwwrun' showed nothing - but: 'top' and 'uwwwrun' showed some processes 'eggdrop' running by user 'wwwrun' -> maybe a rootkit which replaced '/usr/bin/ps' ??? - a portscan revealed open tcp-port 6667 1. question: Does anybody know, what's the reason for that ?!? We suggested, it could by ssl-worm slapper, but it usually opens udp-ports and not tcp 6667 2. question: In Apache 1.3.27 all known security-holes are fixed. But there is no RPM for suse 7.3. There is only a package with version 1.3.20-77 So, we don't know, if in this package all that security-holes are fixed ? The same for mod_ssl / OpenSSL ? So, we don't know, when we install the latest Suse-RPM's, are we protected against the above attack?? Anybody who can answer the questions ? Thx, Thomas