I tried to login to my system via the console or tlenet and get "/usr/tux/backup/login: Bad Address"

I couldn't login as root or anyone else for that matter even though my web server was working fine.

I noticed that the ls command now had a permission of 700 and it appeared that ps might have been touched.

Please help.

Could be the "tux" or "optic" rootkit. Unfortunately chkrootkit doesn't recognize these yet, and so you're definately in limbo here, I don't have string samples for you to check for positive match, but messages on the securityfocus list mention the binaries are pointing to a dir /dev/tux. If it's there, wtmp has been deleted, /var/log/messages is scrubbed for connection entries, and you've got files like /usr/bin/xchk and /usr/bin/xsf I'd say it's a positive match.

Soz, but I can't break the news any other way. Disconnect the box from the net, save your *human readable data* (NO BINARIES), wipe the partition(s) clean and reinstall.

Head over to cert.org and sans.org for the *nix security checklist and "best practices" docs, over to linuxdoc.org for "Optimizing Securing Linux", add a file integrity checker like Aide, Tripwire or Samhain, install intrusion detection capability like Snort, tighten your firewall rules. Go back to cert.org and sans.org, read up on the docs again and come back to answer more questions, it's what we're here for.

Good luck!

I am proceding with the UNIX Security Checklist v2.0 - The Essentials from cert.org.

Being I have to start basically from scratch.. I originally had RedHat 6.1 on the machine with no updates or patches.

What should I put on the machine at this point? It will basically be an Apache web server.