Hi Istvan, Sorry to hear about your problems ... off the bat, I'd look at Samba as a possible route the hacker(s) used to compromise your server (have you been using YOU to maintain your patch levels?) All I can suggest at this point is taking the server off-line, replacing the hard drive(s) [if you want to try and do an analysis of the hack later] and building a new server using SuSE 8.1 if possible - be VERY careful about transferring ANYTHING from the compromised server to the new server as these guys no doubt have installed a rootkit and trojanised other files on the system. Try to re-install web sites, etc from known good backups or other trusted sources. There is an open source tool out there call the Coronors toolkit which you can use to investigate the hacked platform but whether you want to take the time and trouble is up to you. Hope this is of some help. Regards, Michael