I have two RH7.0 and two RH7.3 servers ... it appears that between 5-6am Tuesday both the 7.0 servers were hacked - identically. They are on the same ISP and often their firewalls pick up the same scans and probes. I'm no expert, but this is what I think happened.

The first clue was that I couldn't log in through ssh - got the message "The program does not understand the servers's version of the protocol".

Looking at /var/log/secure I saw:

10/22 5:34 xinetd fail ftp libwrap from 195.157.17.177, then two fails from 127.0.0.1

I'm running an unpatched wu-ftpd (which I'm sure didn't help me) but the hosts.allow/hosts.deny were set to only allow ftp from the internal network and one specified outside IP#.

10/22 5:48 (twice) xinetd start pop3 pid=10804 from 127.0.0.1 [not me - sleeping]

10/22 6:09 Listener created on port 22 Daemon is running

Some poking around showed in /etc/ssh: sshd (which should have been approx 200K) was 2,621,812 and dated 10/22, so probably a trojan? ssh_host_key, ssh_host_key.pub, ssh_random_seed, sshd_config all had 10/22 modified dates.

My web server also was not running (or at least not serving local pages). I accidentally rebooted; the web server came back, but ssh did not.

Later I attempted to delete and reinstall sshd. rpm said it couldn't uninstall because it wasn't there, and couldn't install because it was there. I think it finally installed with --force, and sshd was about 186K, but the symptoms were the same.

It turns out that ftp is also now not operational from the internal network. There is a message about xinetd/ftp in the startup, but it's probably not important at this point.

After the reboot, ps -ax listed:

1811 D /sbin/modprobe -s -k block-major 7

[which I could not kill]

Obviously, I'm going to have to wipe the server (plan to offload a few .conf and mail config files and the firewall script, and leave /var/www - should that be safe?) and will probably load RH7.3 and patches. Any comments on what happened, or on rebuilding?

The hard drive is partitioned (a) / (b) /home (c) /var - and /home has only mail files. If I format (a) and delete some (which?) directories on /var, should I be ok? Would prefer not to rebuild the /var/www directories if possible. With ftp and ssh both down, my only way to offload is to floppies? Boy, I miss not having ssh access!

Dick
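As an added example (not part of the post), the triage below runs over constructed /var/log/secure-style lines modelled on the entries Dick lists: tcp_wrappers denials, service starts from 127.0.0.1 at an hour when nobody is logged in, and an sshd listener coming up shortly after. The hostname, pids, exact timestamps and the xinetd START:/FAIL: line layout are assumptions; the point is that loopback-origin connections and quiet-hours restarts are the lines worth pulling out before a rebuild.

```python
import re

# Constructed sample of /var/log/secure-style lines modelled on the entries in
# the post above; hostname, pids and exact timestamps are made up.
SAMPLE_SECURE_LOG = """\
Oct 22 05:34:10 web1 xinetd[411]: FAIL: ftp libwrap from=195.157.17.177
Oct 22 05:35:02 web1 xinetd[411]: FAIL: ftp libwrap from=127.0.0.1
Oct 22 05:35:40 web1 xinetd[411]: FAIL: ftp libwrap from=127.0.0.1
Oct 22 05:48:11 web1 xinetd[411]: START: pop3 pid=10804 from=127.0.0.1
Oct 22 05:48:12 web1 xinetd[411]: START: pop3 pid=10805 from=127.0.0.1
Oct 22 06:09:30 web1 sshd[10990]: Listener created on port 22
Oct 22 06:09:30 web1 sshd[10990]: Daemon is running
Oct 22 09:15:00 web1 xinetd[411]: START: ftp pid=11200 from=192.168.1.20
"""

TS = r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ "
XINETD_RE = re.compile(TS + r"xinetd\[\d+\]: (?P<event>START|FAIL): (?P<svc>\S+)"
                       r"(?: libwrap)?(?: pid=\d+)? from=(?P<ip>[\d.]+)$")
SSHD_RE = re.compile(TS + r"sshd\[\d+\]: Listener created")

def triage_secure_log(text, quiet_hours=range(0, 7)):
    """Return (timestamp, tag, detail) tuples for events worth a second look.

    loopback-origin: a service was contacted from 127.0.0.1, i.e. by a process
                     on the box itself rather than by a remote client.
    quiet-hours:     a service or the sshd listener started inside quiet_hours.
    remote-denial:   tcp_wrappers refused a remote address (one line per IP).
    """
    findings, denials = [], {}
    for line in text.splitlines():
        m = XINETD_RE.match(line) or SSHD_RE.match(line)
        if not m:
            continue
        g, ts = m.groupdict(), m["ts"]
        hour = int(ts[-8:-6])
        if g.get("event") == "FAIL" and g["ip"] != "127.0.0.1":
            denials.setdefault(g["ip"], [ts, 0])[1] += 1
            continue
        if g.get("ip") == "127.0.0.1":
            findings.append((ts, "loopback-origin", f"{g['event']} {g['svc']} from 127.0.0.1"))
        started = g.get("event") == "START" or "event" not in g  # sshd line has no event
        if started and hour in quiet_hours:
            findings.append((ts, "quiet-hours", f"{g.get('svc', 'sshd listener')} started at {ts[-8:]}"))
    for ip, (first, n) in denials.items():
        findings.append((first, "remote-denial", f"{n} tcp_wrappers denial(s) for {ip}"))
    return findings

if __name__ == "__main__":
    for ts, tag, detail in triage_secure_log(SAMPLE_SECURE_LOG):
        print(f"{ts}  {tag:16} {detail}")
```

The daytime ftp start from the internal address produces no finding, so the output is only the loopback and early-morning activity that matches the post's timeline.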