Hello all,

Ok, I admit that hackers do love our web sites and the box they are hosted in ... no, it isn't so weakly secured as it may show, we just have troubles with hackers having some astonishing know-how :(

Now the case: this is an unmanaged SuSE 9.3 server ... with SUSE firewall enabled ... SSH moved to a different port than the expected one, webmin also used over HTTPS and at a non-standard port ... Permitted connections are only the usual ones for a web server ... HTTP, HTTPS, FTP, SMTP, DNS, POP3 and the above 2 "secret" ports ... all other access is blocked. All patches were applied BEFORE any service had started ... now the haxor.

After a few hours of operation ... we have found the box overloaded ... anyway a restart of apache2 was more than enough to put things in place, apart from the fact that no php ... only .php files sent as plain text ...

Okay, I have tried to reinstall the php4, without any success, still the php4 is broken. I have checked out the conf files ... they do seem ok. I have tried various tricks but still php can't work ... while it seems loaded ....

Our server works mostly on cgi for its dynamic content, so apart from the lost phpmyadmin ... no problem with the php anyway ... but it needs to be fixed.

I had the same kind of attack on the same sites a few months ago (running on RH9.0 that time), and I had solved the problem by compiling my own edition of apache2, mod_perl, php4 from scratch ... it seems that I am going to do the same again, but I'm wondering how such a thing is possible: starting apache2 (worker mode), no conf syntax errors, no missing files (checked via rpm --verify on apache2, apache2-mod_php4, php4) ... it doesn't make any sense ...

Anyway, that's all for now, and let me know if there's any tool to analyze the firewall logs generated by SuSE firewall (in any case something interesting would be in there).

Best Regards,
Nick