Thanks for the input. Going further on the security search though, I ran nmap on <a href="http://127.0.0.1">127.0.0.1</a> and found some open ports, some flagged as security risks and "holes" On port 10000 I found reference to PID 8923/perl running .... well, I do not know. Nessus put out screeds of information about domino databases: <meta http-equiv="CONTENT-TYPE" content="text/html; charset=utf-8"><title></title><meta name="GENERATOR" content="OpenOffice.org 1.1.3 (Linux)"><meta name="CREATED" content="20050808;15510100"><meta name="CHANGED" content="16010101;0"> <style>  </style> <pre style="font-family: times new roman,serif; font-style: italic;" class="western">Warning|We found the following domino databases : /log.nsf this must be considered a security risk since the server log can be retrieved /setup.nsf this must be considered a security risk since the server might be configured remotely or the current setup might be downloaded /catalog.nsf this must be considered a security risk since the list of databases in the server can be retrieved /statrep.nsf this must be considered a security risk since the reports generated by administrators can be read anoymously /names.nsf this must be considered a security risk since the users and groups in the server can be accessed anonymously, in some cases, access to the hashed passwords will be possible</pre> I searched for these files and found them nowhere on my computer. There was a reference to files on another server .... but I am using a single computer as a server, networked with a windows box which has no connection to the net. There were references to files of commercial significance - DCShop? - and so on. So I must assume there has been placed some nasty on my box, especially as the intruding box was a RH user. 1. Is this assumption correct? 2. Having shut off those ports after: # netstat -tlp # kill -9 <PID of associated process> I would like to find what has been placed (if anything) ... but after # updatedb I can find nothing untoward using # locate <name> Am I being paranoid? Brian <div>On 8/8/05, Matt Patterson <<a href="mailto:matt@v8zman.com">matt@v8zman.com</a>> wrote:<blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;"> Hey Brian, I don't know a whole lot about the hardening stuff, I simply run minimal services, mostly on incorrect ports, maintain good passwords, and keep up to date. For the majority of us I think that is good for the 5 nines (99.999%) of hackers.</blockquote><div> I would have thought so until I began looking at this more seriously. Perhaps I just need mor medication? </div> <blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">As for your plans of hitting them back, don't bother, you would just be hitting some poor unsuspecting sap who already has the problem of a computer that is operating way too slowly with three million pop ads. Most of the breakin attempts you recieve will be from zombie machines doing automated scans of ip space.</blockquote><div> Yes. Point taken. </div> <blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">Your best approach is to locate the root domain or isp and send a quick email with logs reporting that the computer has been compromised. The ISP will pull them from the net, and the owner will be notified.</blockquote><div> Many thanks for the feedback Brian </div> </div>