Security Basics mailing list archives

found clues about a security issue in a web server


From: kazabe <kazabe () gmail com>
Date: Sun, 15 Mar 2009 11:10:22 -0500

Hi.

In the last week my internet connection was frozen. After discarding
ISP and routing problems, I saw this process on my web server (sitting
behind my router):

www-data   20580   00   00   815    355   ?   S    07:16    6:01
./s    86.23.114.12  80

That process was using all the bandwidth (the address displayed is a
remote IP, without any relationship with us). After killing that
process, the internet service is normal again. The router and the
web server are running Debian Lenny. The web server is not
remotely accessible; all administration is done physically at the PC.
The web server doesn't have any remote access (no FTP, SSH, or
telnet. Nothing).

I tried to find that "./s" but I can't find it yet. How can I detect
how that script was injected?

The web server is only used to publish a website related to a company
internal process (but it is published to the Internet via port forwarding
from the router). That website uses PHP and MySQL.

What can I check to solve that security issue?

Thanks in advance.
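A few triage helpers for the situation described in the post, added here as an example and not part of the original message: they flag a ps line like the quoted one (a web-server account running a relative binary), pull the origin of a still-running PID from /proc (the exe link, the working directory ./s was started from, and the parent, which on a PHP host is typically an Apache worker), and list recently modified files under a web root. The ps sample is constructed from the line in the post; the web root path and the PID are assumptions supplied by the caller, and a Linux host with /proc is assumed.

```sh
#!/bin/sh
# Added triage helpers (not from the original post). Assumes Linux with /proc.

# Return 0 when a `ps aux` line shows a web-server account running a binary
# from a relative path or a world-writable directory, as in "./s <ip> 80".
is_suspicious_ps_line() {
    user=$(printf '%s\n' "$1" | awk '{print $1}')
    cmd=$(printf '%s\n' "$1" | awk '{print $11}')
    case "$user" in
        www-data|apache|nginx|httpd) ;;
        *) return 1 ;;
    esac
    case "$cmd" in
        ./*|/tmp/*|/var/tmp/*|/dev/shm/*) return 0 ;;
        *) return 1 ;;
    esac
}

# Show where a running process came from before killing it. A "(deleted)"
# suffix on exe means the file was unlinked after launch; cwd is the
# directory the relative "./s" was started in; ppid identifies the parent.
proc_origin() {
    pid=$1
    [ -d "/proc/$pid" ] || { echo "no such pid: $pid" >&2; return 1; }
    printf 'exe:     %s\n' "$(readlink "/proc/$pid/exe" 2>/dev/null)"
    printf 'cwd:     %s\n' "$(readlink "/proc/$pid/cwd" 2>/dev/null)"
    printf 'cmdline: %s\n' "$(tr '\0' ' ' < "/proc/$pid/cmdline" 2>/dev/null)"
    printf 'ppid:    %s\n' "$(awk '{print $4}' "/proc/$pid/stat" 2>/dev/null)"
}

# List files under a directory modified within the last N days (default 7);
# run it over the web root and /tmp to find dropped or edited PHP files.
recent_writes() {
    dir=$1
    days=${2:-7}
    find "$dir" -type f -mtime "-$days" -print
}

# Constructed from the ps line quoted in the post (joined onto one line).
SAMPLE_PS_LINE='www-data 20580 00 00 815 355 ? S 07:16 6:01 ./s 86.23.114.12 80'

if is_suspicious_ps_line "$SAMPLE_PS_LINE"; then
    echo "suspicious: $SAMPLE_PS_LINE"
fi
# Example usage on a live host (paths are assumptions):
#   proc_origin 20580
#   recent_writes /var/www 14
```

Run `proc_origin` before killing the process, since /proc entries and any already-deleted binary are gone once it exits.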
