one of our boxes is hacked. I cant find how they've got in, saw a funny script called: tests.pl in /tmp and deleted that. my guess is they are using FTP... if found this in /var/log/secure Jun 2 00:42:17 server1 Cp-Wrap: Pushing "32192 LIST 0 0" to '/usr/local/cpanel/bin/ftpadmin' for UID: 32192 does any one have an explanation for this? what is this, what us cp-wrap, is it a cpanel method? I have apf firewall installed on a redhat 8.0 with newest apache and cpanel. (IM me with a price for catching the hole and hacker) Thanks!