Hi, yesterday, strange things happened, but let me start from the beginning: I'm running a PC under SuSE 7.3 and kernel 2.4.16 (preempt-patch). openssh-2.9.9p2-74 is the only service listening to the outer world.

Well, I returned home yesterday, switched on the monitor and noticed that the network in our LAN (which itself is connected to the internet) seemed to be down. As this happens quite often, I wasn't that amazed, but when I tried to switch on kwintv via remote control (lirc) nothing happened. A further mouse click froze the screen immediately, and one of the hard drives became busy for approx. 15 sec. I managed to reboot the computer via the magic sysrq keys and when it was back again, an error message about the dcopserver popped up (perhaps it didn't like being killed). Everything seemed to work fine, but nevertheless I was heavily puzzled!

I looked into my logfiles and found out that there had not been any sign of life for the last hour, i.e. no MARK, ippl, snort, xntpd entries at all! The last message was produced by fetchmail and even there everything seemed to be ok. I feared that somebody had made it into my system and I had disturbed him while placing a rootkit, so the hd activity was due to his sudden cleanup. I looked for rootkits (chkrootkit-0.35) but found nothing of interest and posted my experiences to a newsgroup. A few hours later I found

  Feb 6 22:48:23 nephilim kernel: Packet log: input DENY eth0 PROTO=1 212.60.6.125:8 134.169.145.147:0 L=84 S=0x60 I=0 F=0x4000 T=45 (#113)
  Feb 6 22:48:29 nephilim last message repeated 5 times
  Feb 6 22:49:38 nephilim sshd[11226]: Connection closed by 212.60.6.125

in my syslog and became even more anxious. But I found out that if you try to login to my box but give ssh a Ctrl-C instead of a password, exactly this message will be produced. Perhaps somebody read my posting and felt curious enough to drop in for a second.
After that I changed the "Protocol" in sshd_config to 2 (was 2,1 before), even though it is said here that this ssh version is as secure as openssh-3.0. Additionally, I searched for directories beginning with ..* but found nothing. I did an "rpm --verify" on each installed packet and I got e.g. for openssh

  S.5....T c /etc/pam.d/sshd
  S.5....T c /etc/ssh/ssh_config
  SM5....T c /etc/ssh/sshd_config
  .M...... /usr/bin/ssh

my guesses:
  pam.d/sshd was changed when activating md5 passwords (>8 characters)
  ssh*_config were changed by myself
  ssh hmmm... as one can change file permissions (easy, local, secure), is it possible that after an installation default permissions and groups are overridden by a script that sets the chosen values?

The other packets only showed md5 failures in connection with configuration files, but there were quite a lot with M and G (see my last guess above).

So what do you think what could have happened? What should be done next? How can I check whether new users/groups were created? How can I verify files on my discs against RPMs and not against a potentially corrupted rpm database? Could this also be explained in a way that KDE or X had an internal problem, perhaps due to some network errors within our LAN (it does not work that perfectly now) and made my system freeze? What will happen if the dhclient does not get appropriate data from the server (or even does not find him)? Could this confuse other programs?

Really confused greetings
Torsten
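The two checks the post asks about, "which of these rpm --verify differences matter" and "were any users added", written out as a small POSIX sh script. This is an added example, not code from the post or from SuSE; the sample verify lines are the four quoted above plus one constructed line for a modified binary, and the passwd baseline/current contents and the account names in them are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: two defender-side checks after a suspected intrusion.
#  1. classify_rpm_verify: reads "rpm --verify" output and separates expected
#     edits to config files from unexpected changes to package binaries.
#  2. new_accounts: compares the current /etc/passwd with a baseline copy and
#     reports accounts that appeared, plus any uid-0 account other than root.
# rpm --verify flag columns: S size, M mode, 5 md5, D device, L symlink,
# U user, G group, T mtime; a trailing "c" marks a config file.

# Constructed sample: the first four lines are the ones quoted in the post,
# the fifth is made up to show what a modified binary would look like.
VERIFY_SAMPLE='S.5....T c /etc/pam.d/sshd
S.5....T c /etc/ssh/ssh_config
SM5....T c /etc/ssh/sshd_config
.M...... /usr/bin/ssh
S.5....T   /usr/sbin/sshd'

# Reads verify lines on stdin and prints "<verdict> <path>" for each one.
classify_rpm_verify() {
  while read -r flags marker path; do
    [ -z "$flags" ] && continue
    if [ "$marker" != "c" ]; then   # no config marker: second field is the path
      path=$marker
      marker=""
    fi
    case "$flags" in
      *5*|*S*) content=changed ;;   # md5 or size differs: file contents changed
      *)       content=same ;;
    esac
    if [ "$marker" = "c" ]; then
      verdict=config-edited         # local edits to config files are expected
    elif [ "$content" = changed ]; then
      verdict=SUSPECT               # non-config file contents differ from the RPM
    else
      verdict=metadata-only         # mode/owner/group/mtime differ, contents match
    fi
    printf '%s %s\n' "$verdict" "$path"
  done
}

# Helpers over the fixed sample so results can be checked.
suspect_paths() {
  printf '%s\n' "$VERIFY_SAMPLE" | classify_rpm_verify | awk '$1=="SUSPECT"{print $2}'
}
verdict_for() {
  printf '%s\n' "$VERIFY_SAMPLE" | classify_rpm_verify | awk -v p="$1" '$2==p{print $1}'
}

# Constructed baseline and current passwd contents (hypothetical accounts).
PASSWD_BASELINE='root:x:0:0:root:/root:/bin/bash
torsten:x:500:100:Torsten:/home/torsten:/bin/bash'
PASSWD_CURRENT='root:x:0:0:root:/root:/bin/bash
torsten:x:500:100:Torsten:/home/torsten:/bin/bash
backup:x:0:0::/tmp:/bin/sh'

# Usage: new_accounts "$baseline_text" "$current_text"
# Prints "new-account NAME" for names absent from the baseline and
# "uid0-not-root NAME" for any extra uid-0 account.
new_accounts() {
  baseline_file=$(mktemp); current_file=$(mktemp)
  printf '%s\n' "$1" > "$baseline_file"
  printf '%s\n' "$2" > "$current_file"
  awk -F: 'NR==FNR {seen[$1]=1; next} !($1 in seen) {print "new-account " $1}' \
      "$baseline_file" "$current_file"
  awk -F: '$3==0 && $1!="root" {print "uid0-not-root " $1}' "$current_file"
  rm -f "$baseline_file" "$current_file"
}

# Stand-alone run: print both reports.
printf '%s\n' "$VERIFY_SAMPLE" | classify_rpm_verify
new_accounts "$PASSWD_BASELINE" "$PASSWD_CURRENT"
```

On a real system the verify lines come from `rpm -Va`; to answer the "corrupted rpm database" worry, `rpm -Vp /path/to/package.rpm` verifies against the package file itself (from the install media) rather than against the database. A metadata-only difference on a SuSE box is not proof of tampering by itself, since the permissions profiles the poster mentions change modes and groups after installation; a content change on a non-config binary is the line to chase.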