Thanks for the quick reply THEJRC!!!

If I could, I would pull the plug on it, but it is a dedicated box at a "major hosting" place, and when I called them RE: this, they said they would have their SAs look at it... Then when I called them back again, they were like "Didn't we just tell you that we'd have our SAs take a look at it? They should be in in the morning..."... I'm pretty sure that if I took it down myself, they'd react by rebooting it... The night crew isn't exactly on the ball...

Now I just noticed all my /bin files are now dated today... Great... ps, netstat, everything running cracked...

I guess I'm learning the hard way what preventative steps I _should_ have taken to reduce the chances of being in this position... Now I just have 5 bajillion PHP scripts to wade through looking for alterations...

Reminds me of when I got CIH virus a few years ago... Never really had need to be concerned about viruses... Your future actions are usually based upon what's happened in the past... I sure as hell am going to do everything I can to prevent this from happening again... There probably aren't too many people interested in intrusion prevention who didn't get into it by being cracked... Am I right??? Well, maybe not...

Lot to learn, lot to learn... Tripwire=Good, FTP services=BAD... Much to go...

Thanks...

James...