I found out yesterday that our server has been intruded. The intruder even was able to su to root (according to the logs). They logged in via /dev/console, and via the bash history I was able to get the commands they typed in. They are as follows. PROMPT_COMMAND='pwd>&7;kill -STOP $$' cd "`echo -e '\057\150\157\155\145\057\152\157\145'`" cd "`echo -e '\057\150\157\155\145'`" cd "`echo -e '\057'`" cd "`echo -e '\057\166\141\162'`" cd "`echo -e '\057\166\141\162\057\163\160\157\157\154'`" cd "`echo -e '\057\166\141\162\057\163\160\157\157\154\057\143\154\151\145\156\164\155\161\165\145\165\145'`" cd "`echo -e '\057\166\141\162\057\163\160\157\157\154'`" cd "`echo -e '\057\166\141\162\057\163\160\157\157\154\057\155\161\165\145\165\145'`" cd "`echo -e '\057\166\141\162\057\163\160\157\157\154'`" cd "`echo -e '\057\166\141\162\057\163\160\157\157\154\057\163\141\155\142\141'`" cd "`echo -e '\057\166\141\162\057\163\160\157\157\154'`" cd "`echo -e '\057\166\141\162\057\163\160\157\157\154\057\166\163\143\141\156'`" cd "`echo -e '\057\166\141\162\057\163\160\157\157\154\057\166\163\143\141\156\057\166\151\162\165\163\155\141\151\154\163'`" cd "`echo -e '\057\166\141\162\057\163\160\157\157\154\057\166\163\143\141\156'`" cd "`echo -e '\057\166\141\162\057\163\160\157\157\154'`" cd "`echo -e '\057\166\141\162\057\163\160\157\157\154\057\143\165\160\163'`" cd "`echo -e '\057\166\141\162\057\163\160\157\157\154'`" Do any of you recognize these commands, and can tell me what they do? BTW, this is SuSE 8.0. I still haven't figured out how they got in. I run SUSEfirewall2, and all incoming ports are blocked on the internet interface. I tried to compile chkrootkit and no go, so I need some help, if you would be so kind. Thanks. -- Joe & Sesil Morris New Tribes Mission Email Address: Joe_Morris@ntm.org Web Address: http://www.mydestiny.net/~joe_morris Registered Linux user 231871 God said, I AM that I AM. I say, by the grace God, I am what I am.