Hello Nick, I hop you don't mind a few pointers on this based on my experience of hacked sites: When listing directories, use 'ls -alct' to show hidden files as well, and the ctime rather than the mtime - mtime is trivial to falsify. When using 'ps', compare the process names with those given by running (as root) 'lsof -p <processnum>' where <processnum> is the number of the suspect process. The entries with 'txt' and 'cwd' in the fourth column will let you see the files connected to the process, which can be useful if a process is spoofing its name or the file that was run was deleted by the process to try to cover its tracks. Entries with 'IPv4' in the fifth column will show any network connections that processes have opened up (visible on their own using 'lsof -i') in case the bot is trying to call home. Regards, Geoff