Hi all,

I was noticing some strange behavior on my server (all of the files of one of the ISPConfig sites were suddenly deleted), so I decided to look thru stuff and logs. Somebody/something deleted the auth.log. Not only that, I noticed a new user "ta" in /etc/passwd. I ran every rootkit check I could think of and found nothing. So I deleted the user and changed my root pass. Then I installed snort, ossec, prewikka, base, etc. to make sure it won't happen again.

I thought I got rid of the problem. Not really. I'm just doing a standard checkup and looking thru some files and logs. Auth.log is there, but doesn't say anything interesting. But there's something concerning in /etc/passwd. And that something makes me think there's a security flaw in ISPConfig (running the latest version). Here's the line that's giving me a headache:

user91_admin:x:10130:10091::/var/www/web91:/bin/falsew0rm::2666:777:ADM Inet W0rm:/:/bin/sh

I know this points to a flaw in BIND (http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=UNIX_ADM.WORM.A&VSect=T), but what's strange is that I'm using the latest hardy Ubuntu repository. Could this be a problem with ISPConfig?

chkrootkit is now showing:

Checking `lkm'... You have 3 process hidden for readdir command
You have 3 process hidden for ps command
chkproc: Warning: Possible LKM Trojan installed

and rkhunter: ADM Worm

Can anyone comment on this?
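An added example, not part of the original post: a small audit of passwd-format text that flags the kind of line quoted above, where a second entry was appended to a line that had no trailing newline. The function names and the `KNOWN_SHELLS` list are assumptions made for this sketch; the sample input is constructed from the line in the post.

```python
# Assumed list of login shells, used to find where a fused field splits.
KNOWN_SHELLS = ("/usr/sbin/nologin", "/bin/false", "/bin/bash", "/bin/sh")
FIELDS = 7  # name:passwd:uid:gid:gecos:home:shell

# Constructed sample: one ordinary entry plus the line quoted in the post.
SAMPLE = (
    "root:x:0:0:root:/root:/bin/bash\n"
    "user91_admin:x:10130:10091::/var/www/web91:/bin/falsew0rm"
    "::2666:777:ADM Inet W0rm:/:/bin/sh\n"
)

def split_joined(line):
    """Split one line that holds two entries joined without a newline."""
    f = line.split(":")
    if len(f) != 2 * FIELDS - 1:  # shell of entry 1 is fused with name of entry 2
        return [line]
    fused = f[FIELDS - 1]
    for sh in sorted(KNOWN_SHELLS, key=len, reverse=True):
        if fused.startswith(sh) and len(fused) > len(sh):
            first = ":".join(f[:FIELDS - 1] + [sh])
            second = ":".join([fused[len(sh):]] + f[FIELDS:])
            return [first, second]
    return [line]

def audit_passwd(text):
    """Return (line_number, finding) tuples for suspicious entries."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        if not raw.strip():
            continue
        entries = split_joined(raw)
        if len(entries) == 2:
            findings.append((lineno, "two entries joined on one line"))
        for entry in entries:
            f = entry.split(":")
            if len(f) != FIELDS:
                findings.append((lineno, f"malformed entry with {len(f)} fields"))
                continue
            name, pw, uid = f[0], f[1], f[2]
            if pw == "":  # empty field: no password is required for this account
                findings.append((lineno, f"{name}: empty password field"))
            if uid == "0" and name != "root":
                findings.append((lineno, f"{name}: UID 0 but not root"))
    return findings

if __name__ == "__main__":
    with open("/etc/passwd") as fh:
        for lineno, finding in audit_passwd(fh.read()):
            print(f"line {lineno}: {finding}")
```

On a host that is already suspected of compromise, run a check like this against a copy of the file from trusted media, since local tools and their output may have been tampered with.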