I've been under attack recently and need help tracing the source and locking down. At one point the hacker took full control of my system, including windows and terminals. I went offline for four days this week, reinstalled openSUSE 13.1 offline yesterday, turned on the firewall and ran the patches online. I'm blocking unneeded ports in my modem-router. The attacks seem to continue almost immediately. rkhunter gives a very suspicious warning:

<code>
[10:19:02] /sbin/ifup [ Warning ]
[10:19:02] Warning: The command '/sbin/ifup' has been replaced by a script: /sbin/ifup: Bourne-Again shell script, ASCII..

sbin> ls -l ifup
-rwxr-xr-x 1 root root 48711 Apr 10 00:46 ifup
sbin> ls -l ifdown
lrwxrwxrwx 1 root root 4 Sep 12 18:05 ifdown -> ifup
sbin>
</code>

Note the permissions on ifdown. On restarting from suspension, there's a signal going out. I'm going to have to go down again, but don't have a clue what I need to do to get this system operating cleanly. Any tips/suggestions are appreciated.

Thanks,

Jon Cosby
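An added example, not part of the original post: rkhunter's "replaced by a script" warning only reports that the file is a script, so one follow-up check is whether the flagged file is the one its package installed. The function names `flagged_paths`, `check_path` and `triage` are hypothetical; the sketch relies on the standard `rpm -qf` and `rpm -Vf` queries.

```shell
# Constructed sample: the two rkhunter log lines quoted in the post above.
SAMPLE_LOG="[10:19:02] /sbin/ifup [ Warning ]
[10:19:02] Warning: The command '/sbin/ifup' has been replaced by a script: /sbin/ifup: Bourne-Again shell script, ASCII.."

# Read an rkhunter log on stdin and print each path reported as
# "replaced by a script", one per line, without duplicates.
flagged_paths() {
    sed -n "s/.*Warning: The command '\([^']*\)' has been replaced by a script.*/\1/p" | sort -u
}

# Classify one path against the RPM database. Prints "<path> <verdict>":
#   no-rpm      rpm is not available on this host
#   unowned     no installed package claims the file
#   modified    owned, but it differs from what the package recorded
#   matches-db  owned and identical to the package's recorded file
check_path() {
    path=$1
    if ! command -v rpm >/dev/null 2>&1; then
        echo "$path no-rpm"
        return 0
    fi
    if ! pkg=$(rpm -qf "$path" 2>/dev/null); then
        echo "$path unowned"
        return 0
    fi
    # rpm -Vf lists every changed file of the owning package, path last;
    # only a line for the flagged path itself counts here.
    if rpm -Vf "$path" 2>/dev/null | awk -v p="$path" '$NF == p { f = 1 } END { exit !f }'; then
        echo "$path modified ($pkg)"
    else
        echo "$path matches-db ($pkg)"
    fi
}

# Triage a whole log: one verdict line per flagged command.
triage() {
    flagged_paths | while IFS= read -r p; do
        check_path "$p"
    done
}

# Typical use on the affected host: triage < /var/log/rkhunter.log
```

A `matches-db` verdict is only as trustworthy as the RPM database and the `rpm` binary producing it, so on a host suspected of compromise run the check from rescue media against the mounted root (`rpm --root`).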