Thanks to web31337 and Hangdog42 for responding, and excuse me for being a little tardy in replying. Fact is, I've been busy moving the site to a new server and attempting to make it more secure by restricting ssh to just myself through keygen and disabling access through passwords. I also installed DenyHosts (http://denyhosts.sourceforge.net/). It was appalling to see how quick and how numerous the attempted attacks were.
Thanks for the link to the CERT Checklist, I'll look into that for the new server.
The distro on the old server was:
Operating system: CentOS Linux 5.4
Webmin version: 1.500, Virtualmin version: 3.75 Pro
Kernel and CPU: Linux 2.6.18-128.el5 on i686
I ran ps -afxwwwe and the server responded "bad syntax".
I piped the lsof output to a file, which was unmanageably large (172k).
The netstat output was:
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State User Inode PID/Program name
tcp 0 0 0.0.0.0:20000 0.0.0.0:* LISTEN 0 9486 2614/perl
tcp 0 0 0.0.0.0:225 0.0.0.0:* LISTEN 0 4896 2077/sbadm
tcp 0 0 0.0.0.0:3306 0.0.0.0:* LISTEN 27 5128 2166/mysqld
tcp 0 0 0.0.0.0:5901 0.0.0.0:* LISTEN 0 4972 2057/xinetd
tcp 0 0 66.135.53.207:53 0.0.0.0:* LISTEN 25 4608 1942/named
tcp 0 0 76.74.252.90:53 0.0.0.0:* LISTEN 25 4606 1942/named
tcp 0 0 127.0.0.1:53 0.0.0.0:* LISTEN 25 4604 1942/named
tcp 0 0 127.0.0.1:5432 0.0.0.0:* LISTEN 26 5284 2250/postmaster
tcp 0 0 0.0.0.0:12697 0.0.0.0:* LISTEN 0 31420179 13875/perl
tcp 0 0 127.0.0.1:953 0.0.0.0:* LISTEN 25 4616 1942/named
tcp 0 0 :::22 :::* LISTEN 0 133619584 5048/sshd
tcp 0 0 ::1:953 :::* LISTEN 25 4617 1942/named
tcp 0 2032 ::ffff:76.74.252.90:22 ::ffff:72.235.30.109:39301 ESTABLISHED 0 135708150 1253/sshd: XXXXXXX
udp 0 0 0.0.0.0:32768 0.0.0.0:* 25 4612 1942/named
udp 0 0 127.0.0.1:32770 127.0.0.1:32770 ESTABLISHED 26 5291 2250/postmaster
udp 0 0 0.0.0.0:10000 0.0.0.0:* 0 31420180 13875/perl
udp 0 0 0.0.0.0:20000 0.0.0.0:* 0 9487 2614/perl
udp 0 0 66.135.53.207:53 0.0.0.0:* 25 4607 1942/named
udp 0 0 76.74.252.90:53 0.0.0.0:* 25 4605 1942/named
udp 0 0 127.0.0.1:53 0.0.0.0:* 25 4603 1942/named
udp 0 0 66.135.53.207:123 0.0.0.0:* 0 4874 2073/ntpd
udp 0 0 76.74.252.90:123 0.0.0.0:* 0 4873 2073/ntpd
udp 0 0 127.0.0.1:123 0.0.0.0:* 0 4872 2073/ntpd
udp 0 0 0.0.0.0:123 0.0.0.0:* 0 4867 2073/ntpd
udp 0 0 :::32769 :::* 25 4613 1942/named
udp 0 0 ::1:123 :::* 0 4870 2073/ntpd
udp 0 0 :::123 :::* 0 4868 2073/ntpd
Active UNIX domain sockets (servers and established)
Proto RefCnt Flags Type State I-Node PID/Program name Path
unix 2 [ ACC ] STREAM LISTENING 5286 2250/postmaster /tmp/.s.PGSQL.5432
unix 2 [ ACC ] STREAM LISTENING 5129 2166/mysqld /var/lib/mysql/mysql.sock
unix 13 [ ] DGRAM 4437 1891/syslogd /dev/log
unix 2 [ ACC ] STREAM LISTENING 4442 1875/python /var/run/audit_events
unix 2 [ ] DGRAM 1310 495/udevd @/org/kernel/udev/udevd
unix 2 [ ACC ] STREAM LISTENING 6717 2461/saslauthd /var/run/saslauthd/mux
unix 2 [ ] DGRAM 135708258 1284/su
unix 3 [ ] STREAM CONNECTED 135708196 1253/sshd: XXXXXXX
unix 3 [ ] STREAM CONNECTED 135708195 1255/0
unix 2 [ ] DGRAM 135708188 1253/sshd: XXXXXXX
unix 2 [ ] DGRAM 31419551 13875/perl
unix 2 [ ] DGRAM 7227380 1873/auditd
unix 2 [ ] DGRAM 6716 2461/saslauthd
unix 2 [ ] DGRAM 6581 2433/crond
unix 2 [ ] DGRAM 4859 2073/ntpd
unix 2 [ ] DGRAM 4841 2057/xinetd
unix 3 [ ] STREAM CONNECTED 4750 2018/rpc.idmapd
unix 3 [ ] STREAM CONNECTED 4749 2018/rpc.idmapd
unix 2 [ ] DGRAM 4576 1942/named
unix 2 [ ] DGRAM 4450 1894/klogd
unix 2 [ ] DGRAM 4441 1875/python
unix 3 [ ] STREAM CONNECTED 4405 1873/auditd
unix 3 [ ] STREAM CONNECTED 4404 1875/python
You probably need to know that Apache, Postfix and Dovecot were shut down.
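Since the thread is about reading a listing like the one above, here is a small triage script for it. This is an added example, not code from the original post or from the thread's participants. It assumes the listing was saved with the column layout shown in the post (Proto, Recv-Q, Send-Q, Local, Foreign, an optional State column, User, Inode, PID/Program) and that the EXPECTED list is the administrator's own baseline of port/program pairs for a Webmin/Virtualmin host; both the baseline and the sample listing are my assumptions, and the sample lines are constructed (documentation-range addresses), not real output.

```shell
# Added example (not code from the original post or the thread): triage a
# saved "netstat -plantu"-style listing and print the listening sockets
# that need a second look.
#
# Assumptions (mine, not the poster's): the listing has the column layout
# shown in the post, and EXPECTED is the set of port/program pairs the
# administrator knows this host should be serving. Adjust it per host.

EXPECTED="22/sshd 53/named 953/named 123/ntpd 3306/mysqld 5432/postmaster 10000/perl 20000/perl"

# Read a netstat listing on stdin; print one line per TCP/UDP listener whose
# port/program pair is not in EXPECTED, or which is a database port bound
# to something other than loopback. Established connections are skipped.
triage_listeners() {
    awk -v expected="$EXPECTED" '
    BEGIN {
        n = split(expected, arr, " ")
        for (i = 1; i <= n; i++) known[arr[i]] = 1
    }
    # only tcp/udp socket lines; headers and the UNIX-domain section are skipped
    $1 !~ /^(tcp|udp)6?$/ { next }
    {
        # netstat prints a State column for TCP and for connected UDP sockets;
        # unconnected UDP sockets have no State, so the columns shift left.
        if ($6 ~ /^[A-Z_]+$/) { state = $6; user = $7; prog = $9 }
        else                  { state = "";  user = $6; prog = $8 }
        if (state != "" && state != "LISTEN") next
        laddr = $4
        port = laddr; sub(/.*:/, "", port)      # text after the last colon
        sub(/^[0-9]+\//, "", prog)              # "2614/perl" -> "perl"
        key = port "/" prog
        reason = ""
        if (!(key in known))
            reason = "not in the expected baseline"
        else if ((port == "3306" || port == "5432") && laddr !~ /^(127\.0\.0\.1|::1):/)
            reason = "database port bound to a non-loopback address"
        if (reason != "")
            printf "%s %s %s uid=%s: %s\n", $1, laddr, prog, user, reason
    }'
}

# Constructed sample listing (made up for this example, modelled on the
# post's format, with documentation-range addresses); not real output.
sample_listing() {
    cat <<'EOF'
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State User Inode PID/Program name
tcp 0 0 0.0.0.0:20000 0.0.0.0:* LISTEN 0 9486 2614/perl
tcp 0 0 0.0.0.0:225 0.0.0.0:* LISTEN 0 4896 2077/sbadm
tcp 0 0 0.0.0.0:3306 0.0.0.0:* LISTEN 27 5128 2166/mysqld
tcp 0 0 127.0.0.1:5432 0.0.0.0:* LISTEN 26 5284 2250/postmaster
tcp 0 0 :::22 :::* LISTEN 0 133619584 5048/sshd
tcp 0 2032 ::ffff:192.0.2.10:22 ::ffff:198.51.100.7:39301 ESTABLISHED 0 135708150 1253/sshd: admin
udp 0 0 127.0.0.1:32770 127.0.0.1:32770 ESTABLISHED 26 5291 2250/postmaster
udp 0 0 0.0.0.0:10000 0.0.0.0:* 0 31420180 13875/perl
udp 0 0 0.0.0.0:123 0.0.0.0:* 0 4867 2073/ntpd
Active UNIX domain sockets (servers and established)
unix 2 [ ACC ] STREAM LISTENING 5129 2166/mysqld /var/lib/mysql/mysql.sock
EOF
}

# Usage on a real host: netstat -plantu | triage_listeners
sample_listing | triage_listeners
```

Run against the listing in the post, with that baseline, it would flag sbadm on 225, whatever xinetd is serving on 5901, the second perl process (13875) on TCP 12697, named's UDP sockets on 32768/32769, and mysqld bound to 0.0.0.0:3306. A flag means "identify and justify", not "compromised": named's high UDP ports are its outbound query sockets, and a second Webmin/Usermin instance can legitimately own another perl listener, but each of these should be traceable to a package and a reason before the baseline is extended to include it.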
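On the "keygen and no passwords" part of the new server setup, the thing worth checking is that sshd actually ended up enforcing it, because a setting appended to the bottom of sshd_config is silently ignored if the same keyword already appears above it. The following is an added example, not code from the original post. It assumes OpenSSH keyword syntax, and the defaults it falls back to when a keyword is commented out are the upstream OpenSSH defaults of that era (PasswordAuthentication yes, ChallengeResponseAuthentication yes, UsePAM no, PubkeyAuthentication yes, PermitRootLogin yes); the two config files it writes are constructed for the demonstration, not the poster's.

```shell
# Added example (not code from the original post): verify that an
# sshd_config really enforces key-only login for an allow-listed account.
#
# Assumptions (mine): OpenSSH keyword syntax; the DEFAULT arguments below
# are the upstream defaults of that era, which apply when a line is left
# commented out in the file.

# Print the effective value of KEYWORD in FILE, or DEFAULT if it is not set.
# sshd takes the FIRST occurrence of a keyword, so a line appended at the
# bottom of the file does not override an earlier one. Lines after a
# "Match" header are conditional and are not scanned here.
sshd_setting() {
    awk -v kw="$2" -v def="$3" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }      # comments, blanks
        tolower($1) == "match"               { exit }
        tolower($1) == tolower(kw)           { print $2; found = 1; exit }
        END { if (!found) print def }
    ' "$1"
}

# Return 0 if FILE enforces key-only, non-root, allow-listed login;
# otherwise print each problem and return 1.
check_sshd_config() {
    rc=0
    pw=$(sshd_setting "$1" PasswordAuthentication yes)
    cr=$(sshd_setting "$1" ChallengeResponseAuthentication yes)
    pam=$(sshd_setting "$1" UsePAM no)
    pk=$(sshd_setting "$1" PubkeyAuthentication yes)
    root=$(sshd_setting "$1" PermitRootLogin yes)
    users=$(sshd_setting "$1" AllowUsers "")
    [ "$pw" = no ]   || { echo "PasswordAuthentication is $pw (first occurrence wins)"; rc=1; }
    # With UsePAM yes, keyboard-interactive still prompts for a password
    # unless ChallengeResponseAuthentication is also set to no.
    if [ "$pam" = yes ] && [ "$cr" != no ]; then
        echo "ChallengeResponseAuthentication is $cr with UsePAM yes: password prompts still possible"; rc=1
    fi
    [ "$pk" = yes ]  || { echo "PubkeyAuthentication is $pk"; rc=1; }
    [ "$root" = no ] || { echo "PermitRootLogin is $root"; rc=1; }
    [ -n "$users" ]  || { echo "no AllowUsers line: every account on the box may log in"; rc=1; }
    return $rc
}

# Constructed configs for the demonstration (not the poster's files).
# The weak one shows the common mistake: "PasswordAuthentication no"
# appended after the distribution's own "PasswordAuthentication yes".
weak_config_file() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
Protocol 2
#PermitRootLogin yes
PasswordAuthentication yes
ChallengeResponseAuthentication no
UsePAM yes
PasswordAuthentication no
EOF
    echo "$f"
}

hardened_config_file() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
Protocol 2
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
UsePAM yes
AllowUsers alice
EOF
    echo "$f"
}

# Usage on a real host: check_sshd_config /etc/ssh/sshd_config
for cfg in "$(weak_config_file)" "$(hardened_config_file)"; do
    echo "== $cfg"
    check_sshd_config "$cfg" && echo "OK: key-only login enforced"
    rm -f "$cfg"
done
```

Whatever the file says, the confirming test is from another machine: ssh -o PubkeyAuthentication=no -o PreferredAuthentications=password,keyboard-interactive user@host should be refused outright rather than prompting for a password.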