Security Breach ?

Chris Strzelczyk cstrzelczyk at nobletechnology.net
Wed Mar 2 23:29:27 UTC 2005


Sorry for the long posts; I didn't know if attachments were allowed or frowned upon. Now that I have been given the rules I will obey them.

"Well, you have the PID of the suspicious connections to the irc server (you can connect to the listed IPs using telnet to see whether they are really running an ircd) and can locate where they are coming from and who owns these PIDs. I would worry about these connections, although you gave too little information to be serious about what it means. You didn't say whether you have users on the host in question who could use specific programs. At least bash connecting to irc servers seems very uncommon to me."

I do not have users on the system who are at all capable of something like this. This server runs sendmail, httpd, named, ftp, mysql (not accessible from outside yet), pop3, squirrelmail (dovecot imap).

I will start by looking at all those for recent security postings. Since the program in /tmp was owned by apache:apache I would imagine that the intruder used httpd to perform their exploit. That is where I'm at so far.

Thank you for all your help.

-cs
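The triage the reply suggests (map each suspicious connection to a PID, then to its owner and executable) can be scripted. This is an added example, not code from the poster or the list; it assumes Linux `ss -tnp` output, that IRC daemons use ports 6667/6697, and that a process whose executable lives under /tmp (like the apache-owned file in the post) is worth flagging. The sample lines and uids are constructed.

```python
import re
from pathlib import Path

# Assumption: plain and TLS IRC default ports.
IRC_PORTS = {6667, 6697}

# One established-connection line from `ss -tnp` (iproute2 format), e.g.
# 'ESTAB 0 0 10.0.0.5:41234 198.51.100.7:6667 users:(("bash",pid=4242,fd=3))'
SS_LINE = re.compile(
    r'^ESTAB\s+\d+\s+\d+\s+\S+:\d+\s+(?P<raddr>\S+):(?P<rport>\d+)\s+'
    r'users:\(\("(?P<comm>[^"]+)",pid=(?P<pid>\d+)'
)

def parse_ss(lines):
    """Yield (pid, comm, raddr, rport) for each established connection."""
    for line in lines:
        m = SS_LINE.match(line.strip())
        if m:
            yield int(m['pid']), m['comm'], m['raddr'], int(m['rport'])

def proc_details(pid):
    """Owner uid and resolved executable path from /proc (live use; needs root
    to resolve another user's exe link). The test below passes constructed data."""
    p = Path('/proc') / str(pid)
    return {'uid': p.stat().st_uid, 'exe': str((p / 'exe').resolve())}

def triage(ss_lines, details):
    """Return findings: connections to IRC ports, and processes running from /tmp.
    `details` maps pid -> {'uid': int, 'exe': str} (e.g. from proc_details)."""
    findings = []
    for pid, comm, raddr, rport in parse_ss(ss_lines):
        d = details.get(pid, {'uid': None, 'exe': '?'})
        base = {'pid': pid, 'comm': comm, 'uid': d['uid'], 'exe': d['exe']}
        if rport in IRC_PORTS:
            findings.append({**base, 'remote': f'{raddr}:{rport}', 'reason': 'irc-port'})
        if d['exe'].startswith('/tmp/'):
            findings.append({**base, 'remote': f'{raddr}:{rport}', 'reason': 'exe-in-tmp'})
    return findings

# Constructed sample: a bash process owned by uid 48 (apache on Fedora/RHEL)
# talking to an IRC port from a binary in /tmp, plus a normal sshd session.
SAMPLE_SS = [
    'State Recv-Q Send-Q Local Address:Port Peer Address:Port Process',
    'ESTAB 0 0 10.0.0.5:41234 198.51.100.7:6667 users:(("bash",pid=4242,fd=3))',
    'ESTAB 0 0 10.0.0.5:22 203.0.113.9:50112 users:(("sshd",pid=1001,fd=4))',
]
SAMPLE_DETAILS = {4242: {'uid': 48, 'exe': '/tmp/.x/bash'},
                  1001: {'uid': 0, 'exe': '/usr/sbin/sshd'}}

if __name__ == '__main__':
    for f in triage(SAMPLE_SS, SAMPLE_DETAILS):
        print(f)
```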
