LinuxQuestions.org
07-21-2006, 02:27 PM   #1
winchester169
Member
 
outbound port 80


Hi, I have reason to believe that my security was recently compromised. The following is from "last":

[root@halo ~]# last
root pts/1 c-24-22-148-xx.h Fri Jul 21 12:02 still logged in
root tty1 Fri Jul 21 12:01 still logged in
root pts/0 c-24-22-148-xx.h Fri Jul 21 11:42 - 12:04 (00:22)
reboot system boot 2.6.10-1.741_FC3 Fri Jul 21 11:40 (00:51)
root pts/0 c-24-22-148-xx.h Fri Jul 21 10:21 - down (01:16)
root pts/0 200.99.2.196 Fri Jul 21 05:41 - 05:48 (00:06)
root pts/2 acb52aef.ipt.aol Thu Jul 20 22:49 - 22:49 (00:00)
root pts/1 acb25e05.ipt.aol Thu Jul 20 22:29 - 00:53 (02:23)
root pts/0 acb37f3c.ipt.aol Thu Jul 20 22:10 - 00:35 (02:25)
bercea pts/0 89.32.130.43 Wed Jul 19 13:10 - 20:19 (07:09)
bercea pts/0 89.32.130.43 Wed Jul 19 11:57 - 12:51 (00:54)
bercea pts/0 89.32.130.43 Wed Jul 19 03:57 - 03:58 (00:00)
bercea pts/0 89.32.130.43 Tue Jul 18 23:48 - 02:00 (02:11)
root pts/1 c-24-22-148-xx.h Tue Jul 18 11:09 - 11:10 (00:00)
bercea pts/0 89.32.130.43 Tue Jul 18 05:26 - 11:24 (05:57)
root pts/0 c-24-22-148-xx.h Mon Jul 17 16:22 - 17:01 (00:39)
root pts/0 ac9eff5a.ipt.aol Sat Jul 15 10:36 - 10:37 (00:01)
bercea pts/0 89.32.130.43 Sat Jul 15 02:49 - 02:50 (00:00)
root pts/0 89.32.130.43 Fri Jul 14 14:35 - 14:37 (00:02)
root pts/0 89.32.130.43 Thu Jul 13 22:04 - 22:04 (00:00)
root pts/0 211.176.61.119 Thu Jul 13 21:49 - 21:50 (00:00)
root pts/0 c-24-22-148-xx.h Thu Jul 13 00:11 - 00:30 (00:19)
root pts/0 10.10.10.3 Wed Jul 12 12:07 - 12:08 (00:00)
root pts/0 c-24-22-148-xx.h Fri Jul 7 11:50 - 13:21 (01:30)
root tty1 Wed Jul 5 12:28 - down (15+23:08)


The connections from c-24-22-148-xx.h are me. The bercea is not, nor are the AOL connections. I removed the bercea account and I also changed the root password. Here are the problems I now face...


ps, netstat, pico and who knows what other commands are not available. I rsynced them from another server but I cannot connect to the internet from any machine on the network.

ping works, ssh works, ftp works, smtp, pop3, imap etc. all work, so those ports are allowing traffic through (both ways, incidentally). I can connect to the webserver on this machine from itself and from all other machines on the network, but absolutely no machine will connect to any other site on the outside and no outside machine will connect to this one on port 80.

How do I find out why port 80 is broken???
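An added example, not part of the original thread: a small Python parser for `last` output that groups remote sessions by source, skips an allowlist of recognised hosts, and reports the earliest session seen for each remaining source. The sample is an excerpt of the listing in the post above; `KNOWN_HOSTS` and the function names are assumptions made for illustration.

```python
import re

# Excerpt of the `last` listing from the post (hostnames appear truncated, as `last` prints them).
SAMPLE = """\
root pts/1 c-24-22-148-xx.h Fri Jul 21 12:02 still logged in
root tty1 Fri Jul 21 12:01 still logged in
reboot system boot 2.6.10-1.741_FC3 Fri Jul 21 11:40 (00:51)
root pts/0 200.99.2.196 Fri Jul 21 05:41 - 05:48 (00:06)
root pts/1 acb25e05.ipt.aol Thu Jul 20 22:29 - 00:53 (02:23)
bercea pts/0 89.32.130.43 Wed Jul 19 13:10 - 20:19 (07:09)
bercea pts/0 89.32.130.43 Tue Jul 18 23:48 - 02:00 (02:11)
root pts/0 89.32.130.43 Fri Jul 14 14:35 - 14:37 (00:02)
root pts/0 c-24-22-148-xx.h Thu Jul 13 00:11 - 00:30 (00:19)
"""
# Assumption: only the source the poster identified as their own is allowlisted.
KNOWN_HOSTS = {"c-24-22-148-xx.h"}

# user, tty, optional remote host, then the login timestamp (weekday month day hh:mm).
LINE = re.compile(
    r"^(?P<user>\S+)\s+(?P<tty>\S+)\s+(?:(?P<host>\S+)\s+)?"
    r"(?P<when>(?:Mon|Tue|Wed|Thu|Fri|Sat|Sun)\s+\w{3}\s+\d{1,2}\s+\d{2}:\d{2})\b"
)

def parse_last(text):
    """Return login records in the order `last` prints them (newest first)."""
    records = []
    for line in text.splitlines():
        if not line.strip() or line.startswith(("reboot", "wtmp begins")):
            continue  # pseudo-entries, not logins
        m = LINE.match(line)
        if m:
            records.append(m.groupdict())
    return records

def unexplained_sources(records, known_hosts):
    """Group remote sessions whose source host is not in known_hosts."""
    report = {}
    for rec in records:
        host = rec["host"]
        if host is None or host in known_hosts:
            continue  # local console, or a source the admin recognises
        entry = report.setdefault(host, {"users": set(), "sessions": 0, "earliest": None})
        entry["users"].add(rec["user"])
        entry["sessions"] += 1
        entry["earliest"] = rec["when"]  # input is newest-first, so the last one seen is the earliest
    return report

if __name__ == "__main__":
    for host, e in unexplained_sources(parse_last(SAMPLE), KNOWN_HOSTS).items():
        print(f"{host:20} users={sorted(e['users'])} sessions={e['sessions']} earliest={e['earliest']}")
```

The login records are stored on the machine itself, so anyone with root on it may have edited them; the report shows sources that did log in, not necessarily all of them.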
 
07-21-2006, 03:32 PM   #2
Mara
Moderator
 
After your system is compromised you don't know which executables are yours. Unplug it from the Net, copy all your important data (which may be broken, btw, so also check backup...; it may be a good idea to compare with a number of backups). Reinstall. Period.

Put it online only after you have all patches installed and after checking the configuration.

I know it requires much time, but you don't seem to have another option.
 
  

