I'm at a loss right now, so I am asking for advice. I'm running Fedora Core 10 with Apache, MySQL, PHP, Perl. My email is Postfix, Dovecot. I'm running a web server with approximately 130 websites, each with their own public IP. I have set up my iptables to only allow the following ports in: 21, 25, 80, 110. For my outgoing I have set ports 21, 25, 53, 80, 110. I'm rejecting everything else. My system has been compromised, but I have run chkrootkit and rkhunter and they come back with no rootkits. My log is showing requests going out on random ports above 40000. My system will come to a crawl, and I look in the tmp folder and I will find a random txt file and usually a hidden folder. I am unable to figure out how they are getting in, but I'm guessing over port 80. Any advice on what I should start checking into would be greatly appreciated.