hi all! my server is used to send spam with a php script run from /tmp and /dev/shm it is started in the morning by downloading a sendpX.tgz file (where X is a number, shown by the proxy server), then extracted and run to send >20k of mails to mostly italian recipients any idea where to start to find out where the server is exploited? and what script/process triggers this download? ive shutdown the mail/webserver for now due the fact its a backup, so i have time to investigate! thanks for you reply!