I have one server in particular that's constantly riddled with these. These are perl scripts that are run, the original script is deleted and the process is left running under a 'false' name. For example, a ps will show these processes (all running under nobody): /usr/sbin/cron /usr/sbin/httpds executing a (deadly) killall -9 /usr/bin/perl stops all of these. I can't find anything useful in running strace, checking /proc/<pid>. strace tells me these are IRC bots. I know I can block the ports etc however I want to find the script(s) that are running these and the user to sort the problem once and for all! I've tried replacing /usr/bin/perl with a script to intercept the calls but this breaks cpanel. Any help would be gratefully received!!