I appreciate you taking the time to view the post.
And not having root comprimised was such a relief to see you say!
I have already upgraded to RH7.1 (Seawolf). The one message I didnt post from my log file is as follows:
(this entry was made 30 seconds before the LPRng exploit started happening, would you consider this a likely candidate for the source?)
Apr 30 03:30:03 linux named: Lame server on '18.104.22.168.in-addr.arpa' (in'239.219.216.in-addr.arpa'?): [22.214.171.124].53 'NS2.VALUEWEB.NET'
Again thanks for your time!