Yep. It is most probably that you were hacked through PHP. Most common way of "hacking" this way, is abusing sites running PHP-Nuke, phpBB, and many other sites using "unsafe" programming techniques. If you look in the mailing archives, you can find lots of answers to this type of problems. (consider turning register_globals off, safe_mode on, using somethign like mod_security, disabling exec on tmp partitions, using chrooted vhosts, using phpsuexec, etc) Eben Goodman wrote: > I recently had an irc exploit on my server running this eggdrop relay > thing via apache. I was able to find the offending files and remove > them and the eggdrop processes went away for awhile, but now they are > back and try as I might I can't find any files that correspond to this > software. When viewing top it shows the eggdrop processes running as > apache. If I don't reboot the server for a couple days the eggdrop > apache processes start sucking up all cpu and gobbling bandwidth. > > Has anyone else dealt with this? > > thanks, > Eben > > --------------------------------------------------------------------- > The official User-To-User support forum of the Apache HTTP Server Project. > See <URL:http://httpd.apache.org/userslist.html> for more info. > To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx > " from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx > For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx > > --------------------------------------------------------------------- The official User-To-User support forum of the Apache HTTP Server Project. See <URL:http://httpd.apache.org/userslist.html> for more info. To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx " from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx