Hello all,
Last night I opened my browser and, to my surprise, I saw an explanation instead of my home site page. I was lucky, he said there: I could have destroyed all your server..
Tonight I was looking through my services and, to my surprise, I saw a strange login there: root--liza
I killed it immediately.
I wonder if you can tell me if it was the hacker or something inside my box.
Any help would be appreciated.
bunduk

Man! I would be very uneasy about that.
Immediately change root password!
Do not give it to anyone!
Are you aware that if your ftp and/or telnet are configured to allow root logins, that these protocols put the password on the wire in clear?
Monitor *all* of the log files in /var/log.
G.

telnet and ftp are OFF here
and I don't feel too comfortable.. believe me, I worked on this box for 2.5 days to make it work.
By the way, the first hacker deleted the whole /var/log directory from my computer, so it is hard for me to monitor..

Check for any unusual process in crontab and take a look at the /etc/passwd and /etc/group content.
What services are running?
What version of linux and distro?
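
The checks suggested in the reply above (crontab, /etc/passwd, /etc/group), written out as an added example that is not part of the thread. The function names, the `ROOT` prefix argument and the sample files are assumptions made for illustration, and the cron spool paths differ between distributions.

```shell
#!/bin/sh
# Added triage example; not code from the thread. Sample data is constructed.
# Accounts other than "root" that carry UID 0, i.e. full root privileges.
uid0_accounts() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# Accounts whose password field in passwd is empty (no password set).
empty_password_accounts() {
    awk -F: '$2 == "" { print $1 }' "$1"
}

# Users listed as members of any group with GID 0.
gid0_members() {
    awk -F: '$3 == 0 && $4 != "" { print $4 }' "$1" | tr ',' '\n'
}

# Active (non-blank, non-comment) lines of one crontab file, prefixed by path.
cron_entries() {
    [ -f "$1" ] || return 0
    awk -v f="$1" '!/^[ \t]*(#|$)/ { print f ": " $0 }' "$1"
}

# audit ROOT: ROOT is the prefix of the filesystem to inspect ("" = live system).
audit() {
    ROOT=$1
    echo "== extra UID 0 accounts";  uid0_accounts "$ROOT/etc/passwd"
    echo "== empty password fields"; empty_password_accounts "$ROOT/etc/passwd"
    echo "== GID 0 group members";   gid0_members "$ROOT/etc/group"
    echo "== cron entries"
    # Spool location differs by distro; both common layouts are tried.
    for f in "$ROOT/etc/crontab" "$ROOT"/etc/cron.d/* \
             "$ROOT"/var/spool/cron/* "$ROOT"/var/spool/cron/crontabs/*; do
        cron_entries "$f"
    done
}

# Build a constructed sample tree (invented names) so the script runs offline.
make_sample() {
    d=$(mktemp -d) && mkdir -p "$d/etc" "$d/var/spool/cron"
    printf '%s\n' 'root:x:0:0:root:/root:/bin/bash' \
        'daemon:x:1:1::/:/sbin/nologin' \
        'sampleuser::0:0::/tmp:/bin/sh' > "$d/etc/passwd"
    printf '%s\n' 'root:x:0:sampleuser' 'users:x:100:' > "$d/etc/group"
    printf '%s\n' '# constructed' '*/5 * * * * /tmp/sample-job' \
        > "$d/var/spool/cron/root"
    echo "$d"
}
SAMPLE=$(make_sample); audit "$SAMPLE"; rm -rf "$SAMPLE"
```

On a box that may carry a rootkit, as a later reply warns, the installed tools cannot be trusted, so run this from rescue media with the suspect disk mounted read-only and pass the mount point to `audit`.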

Change the password and turn off the ssh port immediately, i.e. port 22!!! Modify your /etc/hosts.deny to ALL:ALL

The best thing to do (safest for your system) in this scenario is to re-install and implement the highest security level when doing so. Most likely, if the hacker is a good hacker, he or she probably installed a "root kit". When he or she did this, they installed multiple backdoors in your ftp, telnet, etc. Even if you don't have these services running, they are covered up and running in the background. Once again, reinstall to wipe everything out.
