look in the file lpd7.sh. what's in it? from your lsof file:

    lpd7.sh 10566 root 0r REG 3,5 207 49643 /usr/lib/lib/.backdoor

also, from what's in lsof2.txt, it looks like your box is being used to portscan other hosts. you should unplug it NOW.

=jay
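The check described in the message above, written as an added example that is not part of the original message: it scans saved lsof output for regular files or directories opened from a hidden (dot-prefixed) path outside home directories. It assumes the default nine-column lsof layout; only the lpd7.sh line in the sample comes from the message, the other lines and the `/home/` exclusion are constructed for illustration.

```python
# Constructed sample in the default lsof column layout. Only the lpd7.sh
# line is taken from the message; the remaining lines are made up.
SAMPLE_LSOF = """\
COMMAND   PID USER  FD  TYPE DEVICE SIZE   NODE NAME
sshd      612 root  cwd DIR  3,5    4096   2 /
sshd      612 root  txt REG  3,5    277160 31102 /usr/sbin/sshd
lpd7.sh 10566 root  0r  REG  3,5    207 49643 /usr/lib/lib/.backdoor
bash     1201 jdoe  cwd DIR  3,5    4096 8113 /home/jdoe/.config
"""

# Assumption: dotfiles under home directories are routine and not flagged.
BENIGN_PREFIXES = ("/home/",)


def hidden_component(path):
    """Return the first path component that starts with '.', or None."""
    for part in path.split("/"):
        if part.startswith(".") and part not in (".", ".."):
            return part
    return None


def suspicious_open_files(lsof_text, benign_prefixes=BENIGN_PREFIXES):
    """Return REG/DIR entries whose path has a hidden component."""
    findings = []
    for line in lsof_text.splitlines():
        # NAME is the ninth column and may contain spaces, so split 8 times.
        fields = line.split(None, 8)
        if len(fields) < 9 or not fields[1].isdigit():
            continue  # header, blank, or a row without all nine columns
        command, pid, user, fd, ftype, _dev, _size, _node, name = fields
        if ftype not in ("REG", "DIR"):
            continue  # sockets and pipes have no filesystem path to judge
        if name.startswith(benign_prefixes):
            continue
        hidden = hidden_component(name)
        if hidden:
            findings.append({"command": command, "pid": int(pid), "user": user,
                             "fd": fd, "path": name, "hidden": hidden})
    return findings


if __name__ == "__main__":
    for hit in suspicious_open_files(SAMPLE_LSOF):
        print("{command} pid={pid} user={user} fd={fd} -> {path}".format(**hit))
```

To run it over a real capture, pass the contents of the saved lsof file to `suspicious_open_files` in place of `SAMPLE_LSOF`.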