[jim@host210 jim]$ su
Password:
[root@host210 jim]# ps -ef
  PID TTY STAT TIME COMMAND
  545   1 S    0:00 login -- root
  607   2 S    0:00 /sbin/mingetty tty2 HOME=/ TERM=linux BOOT_IMAGE=linux AUTOBOOT=YES PATH=/usr/local/sbin:/sbin:/bin:/usr/sbin:/
  608   3 S    0:00 /sbin/mingetty tty3 HOME=/ TERM=linux BOOT_IMAGE=linux AUTOBOOT=YES PATH=/usr/local/sbin:/sbin:/bin:/usr/sbin:/
  609   4 S    0:00 /sbin/mingetty tty4 HOME=/ TERM=linux BOOT_IMAGE=linux AUTOBOOT=YES PATH=/usr/local/sbin:/sbin:/bin:/usr/sbin:/
  610   5 S    0:00 /sbin/mingetty tty5 HOME=/ TERM=linux BOOT_IMAGE=linux AUTOBOOT=YES PATH=/usr/local/sbin:/sbin:/bin:/usr/sbin:/
  611   6 S    0:00 /sbin/mingetty tty6 HOME=/ TERM=linux BOOT_IMAGE=linux AUTOBOOT=YES PATH=/usr/local/sbin:/sbin:/bin:/usr/sbin:/

Weird! When I ran the following command (ps -aux) the first time, I noticed the commands referenced above (FTP and PING) even after rebooting the machine twice.

[root@host210 jim]# ps -aux
USER       PID %CPU %MEM  SIZE  RSS TTY STAT START TIME COMMAND
nobody     497  0.1  3.2 43724 8504  ?  S    02:07 0:01 httpd -DSSL
nobody     498  0.0  2.7 42528 7000  ?  S    02:07 0:00 httpd -DSSL
nobody     499  0.1  3.4 44192 8900  ?  S    02:07 0:01 httpd -DSSL
nobody     500  0.2  3.2 43720 8500  ?  S    02:07 0:03 httpd -DSSL
nobody     501  0.0  2.7 42528 7000  ?  S    02:07 0:00 httpd -DSSL
nobody     502  0.0  3.2 43596 8332  ?  S    02:07 0:01 httpd -DSSL
nobody     503  0.1  3.5 44528 9248  ?  S    02:07 0:01 httpd -DSSL
nobody     504  0.0  2.7 42528 6996  ?  S    02:07 0:00 httpd -DSSL
nobody     789  0.0  2.7 42528 6992  ?  S    02:20 0:00 httpd -DSSL
root         1  0.2  0.1  1104  460  ?  S    02:06 0:03 init [3]
root         3  0.0  0.0     0    0  ?  SW   02:06 0:00 (kupdate)
root         4  0.0  0.0     0    0  ?  SW   02:06 0:00 (kpiod)
root         6  0.0  0.0     0    0  ?  SW<  02:06 0:00 (mdrecoveryd)
root       342  0.0  0.2  1304  600  ?  S    02:06 0:00 crond
root       358  0.0  0.1  1120  480  ?  S    02:06 0:00 inetd
root       374  0.0  0.5  2272 1480  ?  S    02:07 0:00 named
root       435  0.6  2.6 42412 6788  ?  S    02:07 0:07 httpd -DSSL
root       545  0.0  0.4  2196 1148  1  S    02:08 0:00 login -- root
root       607  0.0  0.1  1076  384  2  S    02:08 0:00 /sbin/mingetty tty2
root       608  0.0  0.1  1076  384  3  S    02:08 0:00 /sbin/mingetty tty3
root       609  0.0  0.1  1076  384  4  S    02:08 0:00 /sbin/mingetty tty4
root       610  0.0  0.1  1076  384  5  S    02:08 0:00 /sbin/mingetty tty5
root       611  0.0  0.1  1076  384  6  S    02:08 0:00 /sbin/mingetty tty6
[root@host210 jim]#

---

I started looking at recently modified files (this is the key to tracking this problem down, I believe) and noticed the following few files.

---

[root@host210 /etc]# more mtab
/dev/hda8 / ext2 rw 0 0
none /proc proc rw 0 0
/dev/hda1 /boot ext2 rw 0 0
/dev/hda6 /home ext2 rw 0 0
/dev/hda5 /usr ext2 rw 0 0
/dev/hda7 /var ext2 rw 0 0
/dev/hdb1 /www ext2 rw 0 0
none /dev/pts devpts rw,gid=5,mode=620 0 0     *** Is this line weird?

[root@host210 /etc]# more ftpaccess
#class all real,guest,anonymous *
email root@localhost
loginfails 5
readme README* login
readme README* cwd=*
message /welcome.msg login
message .message cwd=*
compress yes real
tar yes real
chmod no guest,anonymous
delete no guest,anonymous
overwrite no guest,anonymous
rename no guest,anonymous
log transfers real,anonymous inbound,outbound
shutdown /etc/shutmsg
passwd-check rfc822 warn
tar no guest,anonymous
compress no guest,anonymous
chmod yes real
delete yes real
overwrite yes real
rename yes real

---

When I found the following:

/usr/bin/sourcemask

on the last line of my /etc/rc.d/rc.sysinit, I did a Google search for it and found two (non-English) references at google.com. Translated from French, the first is:

http://translate.google.com/translate?hl=en&sl=fr&u=http://www.up.univ-mrs.fr/wcri/d_serv/d_reseau/d_cert/certmsgSTAT013&prev=/search%3Fq%3D/usr/bin/sourcemask%26hl%3Den

It's related to a known exploit in RedHat 6.1.
Obviously, I'm reinstalling this machine tonight (with RedHat 7.2 - beta, I guess) and installing Bastille, PortSentry and Logcheck (I guess RedHat 7.2 has a logwatcher app built in) before I even connect it to the net!!! I basically backed up /etc and /home (including an "installs" directory) to my Winders box.

Hopefully this helps quite a bit. Could be a long night...

Jim "BleedPurpleGuy" Herrick
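The three checks Jim did by hand in the post (list recently modified files, spot a line appended to /etc/rc.d/rc.sysinit, and ask whether a referenced binary belongs to any installed package) written up as a small POSIX shell script. This is an added example and not part of Jim's post or of any Red Hat tool; the directory arguments, the pristine baseline copy of rc.sysinit and the manifest file are assumptions standing in for what you would pull from install media and from `rpm -qal` (or `rpm -Va`) on a known-good system of the same release.

```shell
#!/bin/sh
# Added example: post-compromise triage on a Red Hat 6.x-era box, following
# the ideas in the post (recently modified files, an extra line appended to
# rc.sysinit, a binary that no package accounts for). The paths, the baseline
# copy and the manifest file are assumptions for illustration; on a real host
# the baseline comes from install media and the manifest from `rpm -qal` run
# on a known-good system of the same release.

# recent_files DIR DAYS
# Regular files under DIR whose mtime is within the last DAYS days.
# Caveat: mtime is trivially reset with touch(1). ctime (inode change time)
# cannot be set from userland without moving the system clock, so on a live
# host also run `find DIR -ctime -DAYS` and compare the two lists.
recent_files() {
    dir=$1
    days=$2
    find "$dir" -type f -mtime "-$days" 2>/dev/null | sort
}

# strip_comments FILE
# Normalise a script for comparison: trim whitespace, drop comment/blank lines.
strip_comments() {
    sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' -e '/^#/d' -e '/^$/d' "$1" | sort -u
}

# added_lines BASELINE CURRENT
# Lines present in CURRENT but absent from BASELINE. Run against rc.sysinit
# this prints exactly the kind of appended line the post found.
added_lines() {
    baseline=$1
    current=$2
    tmp=$(mktemp) || return 1
    strip_comments "$baseline" > "$tmp"
    strip_comments "$current" | comm -13 "$tmp" -
    rm -f "$tmp"
}

# unknown_binaries SCRIPT MANIFEST
# Absolute command paths that SCRIPT runs at the start of a line and that do
# not appear in MANIFEST (one path per line, e.g. saved `rpm -qal` output).
unknown_binaries() {
    script=$1
    manifest=$2
    grep -o '^[[:space:]]*/[^[:space:]]*' "$script" | sed 's/^[[:space:]]*//' | sort -u |
    while IFS= read -r bin; do
        grep -qxF -- "$bin" "$manifest" || printf '%s\n' "$bin"
    done
}

# Usage (assumed paths):
#   sh triage.sh /etc 2 /etc/rc.d/rc.sysinit /mnt/cdrom/rc.sysinit manifest.txt
if [ "$#" -eq 5 ]; then
    echo "== files under $1 modified in the last $2 days"
    recent_files "$1" "$2"
    echo "== lines in $3 not in baseline $4"
    added_lines "$4" "$3"
    echo "== binaries run by $3 that no package in $5 owns"
    unknown_binaries "$3" "$5"
fi
```

Run this from a shell whose binaries you trust (a boot floppy or CD, or statically linked copies of find, sed and grep): a rootkit that hides a process from ps can just as easily hide files from find and ls, which is one more reason the ps output in the post is a lead rather than proof. Treat every hit the way the post treats sourcemask, as something to look up and explain, not as a verdict.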