Someone is modifying files and mysql database on vps, the first time it modified files and stopped, after from mysql, and now again files, i changed the password, an switched to kloxo-mr, but and not fixed, he can don from my php script that? [ Rootkit Hunter version 1.4.0 ] [1;33mChecking rkhunter version... [0;39m This version : 1.4.0 Latest version: 1.4.0 [ Rootkit Hunter version 1.4.0 ] [1;33mChecking rkhunter data files... [0;39m Checking file mirrors.dat [34C[ [1;32mNo update [0;39m ] Checking file programs_bad.dat [29C[ [1;32mNo update [0;39m ] Checking file backdoorports.dat [28C[ [1;32mNo update [0;39m ] Checking file suspscan.dat [33C[ [1;32mNo update [0;39m ] Checking file i18n/cn [38C[ [1;32mNo update [0;39m ] Checking file i18n/de [38C[ [1;32mNo update [0;39m ] Checking file i18n/en [38C[ [1;32mNo update [0;39m ] Checking file i18n/zh [38C[ [1;32mNo update [0;39m ] Checking file i18n/zh.utf8 [33C[ [1;32mNo update [0;39m ] Warning: The command '/sbin/ifdown' has been replaced by a script: /sbin/ifdown: Bourne-Again shell script text executable Warning: The command '/sbin/ifup' has been replaced by a script: /sbin/ifup: Bourne-Again shell script text executable Warning: The command '/usr/bin/GET' has been replaced by a script: /usr/bin/GET: perl script text executable Warning: The command '/usr/bin/groups' has been replaced by a script: /usr/bin/groups: Bourne shell script text executable Warning: The command '/usr/bin/ldd' has been replaced by a script: /usr/bin/ldd: Bourne shell script text executable Warning: The command '/usr/bin/whatis' has been replaced by a script: /usr/bin/whatis: Bourne shell script text executable Warning: The file properties have changed: File: /etc/rkhunter.conf Current hash: 5a5dfd36c0278364949bdbd851ea9f4e086ac3bf Stored hash : abd46c79e524e6f0e3b58756b3332761019edf80 Current size: 37361 Stored size: 37357 Current file modification time: 1361644930 (23-Feb-2013 21:42:10) Stored file modification time : 1360752129 (13-Feb-2013 13:42:09) Warning: Found enabled xinetd service: /etc/xinetd.d/pureftp Warning: Found enabled xinetd service: /etc/xinetd.d/smtp_lxa Warning: No output found from the lsmod command or the /proc/modules file: /proc/modules output: lsmod output: Warning: The kernel modules directory '/lib/modules' is missing or empty. Warning: The SSH and rkhunter configuration options should be the same: SSH configuration option 'PermitRootLogin': yes Rkhunter configuration option 'ALLOW_SSH_ROOT_USER': no Warning: Suspicious file types found in /dev: /dev/.udev/uevent_seqnum: ASCII text Warning: Hidden directory found: '/dev/.udev' Warning: Hidden file found: /usr/share/man/man1/..1.gz: gzip compressed data, from Unix, max compression Warning: Hidden file found: /usr/bin/.fipscheck.hmac: ASCII text Warning: Hidden file found: /usr/bin/.ssh.hmac: ASCII text Warning: Hidden file found: /usr/sbin/.sshd.hmac: ASCII text Warning: Application 'openssl', version '0.9.8e', is out of date, and possibly a security risk. Warning: Application 'sshd', version '4.3p2', is out of date, and possibly a security risk.