apparently someone used the admin directory of an oscommerce install to use file_manager and upload and run error.php which turns out to be webadmin.php, and they were able to view /etc/passwd! apart from blocking the ip address, and maybe changing passwords, what real damage could they do? they now know user account names, but /etc/shadow was not accessed. there were both GET and POSTs in the httpd access logs, so I'm not sure what they did in the POSTs of course. but doing a get on view?file=/etc/passwd is obviously concerning. whats your advice??? cdb.