Fedora User wrote: If those files are pointing to undernet, it's quite likely that the system doesn't have a virus on it, it's been compromised via (possibly) by an unpatched security hole. What does checkrookit say? Do you have that on the box at all? I have to say your best bet is to take that system off the network so it can't communicate it with the controller and blow it away and reinstall. That's especially true if you don't have a lot of forensic experience trying to track down either the security hole or the b*stard that compromised it. As it is, it looks like the ps executable is being redirected to the one in /var/tmp and pico is (was) a vi/emacs editor that I've not used in ages and ages. Seems like they have enough control to edit root config files and do pretty much what they want. -- Libenter homines id quod volunt credunt -- Caius Julius Caesar Mark Haney Sr. Systems Administrator ERC Broadband (828) 350-2415 Call (866) ERC-7110 for after hours support

On Mon, 7 Jul 2008 08:49:37 -0500, Fedora User wrote: You've got an intruder. Take the machine off the network. Create a backup for further analyzation. Don't trust the output of installed binaries like ps. Examine the installation from within a rescue mode. Also see what "chkrootkit" and "rkhunter" find. Reinstall unless you really really *really* think you can repair it. Btw, what version of Fedora is this? And what kind of service is it?