Got it! You are right. Finally I have found a suspicious cron-job in /etc/cron.daily. Sorry for the misinformation. Seems like we had two breakins: Because the first two days, /etc/passwd was set to 0 bytes at 10:00pm, the last two days at 0:00. I try to figure out how the intruder has got in our system now. Thanks for all help, Chris :> Our server is in trouble -- and so are we -- :> :> every night at 00:00 the /etc/passwd-file is :> erased (= set to size 0) up to now we checked :> the following things: :> :> * tcpdump (... no suspicious connections) :> * log-files (... are ok) :> * cron-jobs (... no suspicious cron-jobs) :> :> the passwd-problem seems to be the only :> peculiarity -- at least we think so. : :Hmm, every night at 00:00 at my linux box starts the cron.daily. One :of it's tasks is to reduce the size of log files. The effect you :wrote is exactly equal to a log file rotate processed by :/etc/cron.daily/aaa_base. Did someone add /etc/passwd to the config :file /etc/logfiles? : :If not you can check also: :- all files in /etc/cron.daily (grep passwd /etc/cron.daily/*) :- all links to /etc/passwd (find / -lname passwd ...) and (if found) : the /etc/logfiles : :hth :Jan : : :--------------------------------------------------------------------- :To unsubscribe, e-mail: suse-security-unsubscribe@suse.com :For additional commands, e-mail: suse-security-help@suse.com : --- Anything that is good and useful is made of chocolate.