Hi,
How can I find out what he did? His numerical uid was the same as my personal account (500), so I can't use the id...
I deleted those accounts and forced all users to change their passwords. But whoever enters the system within seconds once will be able to do it a 2nd time as well, so how can I close this hole?

Unfortunately, it will be hard to find out if he can connect again. Even if you have removed all his accounts, he might have installed trojaned programs like login and so forth. You might check the packages containing those files with rpm --verify to see if the signature is ok, or best check your installation with tripwire if you've installed it.

Now, if you can bear the idea that some programs *might* be trojaned (without being sure no trojans remain, but all seems ok), you can disable all connections from untrusted IPs: just say ALL:ALL in /etc/hosts.deny and edit /etc/hosts.allow and authorize, service by service, the trusted IPs to connect (e.g.: in.telnetd : 192.54.67.89,....).

However, if you plan to make a thorough search of what he could have done, I guess you'll spend more time doing this than backing up your users' directories, re-installing the system (maybe upgrading it to SuSE 6.1) and restoring the users' dirs.

S.G.
http://icps.u-strasbg.fr/~genaud
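
An added example, not part of either message in this thread: a small Python triage of `rpm -Va` output (the verify-all form of the rpm --verify check suggested in the reply) that surfaces changed or missing system binaries and skips config and doc files. The sample lines, the `triage` name and the list of binary directories are assumptions made for illustration.

```python
import re

# Line shape printed by `rpm -Va`: 8 or 9 flag characters (or the word
# "missing"), an optional file-type marker (c=config, d=doc, ...), then the path.
LINE_RE = re.compile(
    r"^(?P<flags>[.?SM5DLUGTP]{8,9}|missing)\s+(?:(?P<attr>[cdglr])\s+)?(?P<path>/.*)$"
)
# Assumed set of directories holding system binaries and libraries.
BINARY_DIRS = ("/bin/", "/sbin/", "/usr/bin/", "/usr/sbin/", "/lib/", "/usr/lib/")


def triage(verify_output):
    """Return (path, reason) pairs for packaged binaries that need a closer look."""
    findings = []
    for line in verify_output.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not a verify result line
        flags, attr, path = m.group("flags", "attr", "path")
        if attr in ("c", "d"):
            continue  # config and doc files are expected to change
        if not path.startswith(BINARY_DIRS):
            continue
        if flags == "missing":
            findings.append((path, "file missing"))
        elif "5" in flags:
            findings.append((path, "content digest differs from package"))
        elif "M" in flags or "U" in flags or "G" in flags:
            findings.append((path, "mode or ownership changed"))
    return findings


# Constructed sample, not output from the system discussed in this thread.
SAMPLE = """\
S.5....T.  c /etc/inetd.conf
S.5....T.    /bin/login
.M.......    /usr/bin/passwd
.......T.    /usr/bin/less
missing      /sbin/syslogd
S.5....T.  d /usr/share/doc/foo/README
"""

if __name__ == "__main__":
    for path, reason in triage(SAMPLE):
        print(f"{path}: {reason}")
```

rpm compares files against its local package database, which an intruder with root access could also have altered, so a clean result is weaker evidence than a hit.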