..or am I being paranoid.

Hi People.

I run SuSE 6.3 on one box, and Mandrake 7 on another. This incident occurred on my Mandrake. I sent a HUP sig to inetd, so I don't know if this is the cause of it - I also created a new user (users group) just before. And for some reason, printing from this box, to my SuSE server produced a segmentation fault (in the lpd spool logs on SuSE server). Don't know if it's related...

In addition, root received mail on Mandrake (after this incident), with security warning subjects (I hardly ever check root's mail - there was mail from a month ago, at the exact same time, of a similar problem..)

I only checked the logs after experiencing (hearing) extremely heavy disk activity.

Any help greatly appreciated.

/var/log/messages:

Mar 8 00:03:10 jo300 : Security Warning: Change in Suid Root files found
Mar 8 00:03:10 jo300 : - Added suid root files : /bin/mount
Mar 8 00:03:10 jo300 : - Added suid root files : /bin/ping
Mar 8 00:03:10 jo300 : - Added suid root files : /bin/su
Mar 8 00:03:10 jo300 : - Added suid root files : /bin/umount
Mar 8 00:03:10 jo300 : - Added suid root files : /home/vscan/BIN/EMSCAN.DA_
Mar 8 00:03:10 jo300 : - Added suid root files : /sbin/pwdb_chkpwd
Mar 8 00:03:10 jo300 : - Added suid root files : /usr/X11R6/bin/Xwrapper
Mar 8 00:03:10 jo300 : - Added suid root files : /usr/X11R6/bin/imwheel-solo
Mar 8 00:03:10 jo300 : - Added suid root files : /usr/bin/at
Mar 8 00:03:10 jo300 : - Added suid root files : /usr/bin/chage
Mar 8 00:03:10 jo300 : - Added suid root files : /usr/bin/chfn
Mar 8 00:03:10 jo300 : - Added suid root files : /usr/bin/chsh
Mar 8 00:03:10 jo300 : - Added suid root files : /usr/bin/crontab
Mar 8 00:03:10 jo300 : - Added suid root files : /usr/bin/dos
Mar 8 00:03:10 jo300 : - Added suid root files : /usr/bin/gpasswd
Mar 8 00:03:10 jo300 : - Added suid root files : /usr/bin/kppp
Mar 8 00:03:10 jo300 : - Added suid root files : /usr/bin/lpq
Mar 8 00:03:10 jo300 : - Added suid root files : /usr/bin/lpr
Mar 8 00:03:10 jo300 : - Added suid root files : /usr/bin/lprm
Mar 8 00:03:10 jo300 : - Added suid root files : /usr/bin/newgrp
Mar 8 00:03:10 jo300 : - Added suid root files : /usr/bin/passwd
Mar 8 00:03:10 jo300 : - Added suid root files : /usr/bin/procmail
Mar 8 00:03:10 jo300 : - Added suid root files : /usr/bin/rcp
Mar 8 00:03:10 jo300 : - Added suid root files : /usr/bin/rlogin
Mar 8 00:03:10 jo300 : - Added suid root files : /usr/bin/rsh
Mar 8 00:03:10 jo300 : - Added suid root files : /usr/bin/sperl5.00503
Mar 8 00:03:10 jo300 : - Added suid root files : /usr/bin/ssh1
Mar 8 00:03:10 jo300 : - Added suid root files : /usr/bin/suidperl
Mar 8 00:03:10 jo300 : - Added suid root files : /usr/bin/urpmi
Mar 8 00:03:10 jo300 : - Added suid root files : /usr/bin/vboxbeep
Mar 8 00:03:10 jo300 : - Added suid root files : /usr/libexec/pt_chown
Mar 8 00:03:10 jo300 : - Added suid root files : /usr/sbin/sendmail
Mar 8 00:03:10 jo300 : - Added suid root files : /usr/sbin/suexec
Mar 8 00:03:10 jo300 : - Added suid root files : /usr/sbin/traceroute
Mar 8 00:03:10 jo300 : - Added suid root files : /usr/sbin/userhelper
Mar 8 00:03:10 jo300 : - Added suid root files : /usr/sbin/usernetctl
Mar 8 00:03:10 jo300 :
Mar 8 00:03:10 jo300 : Security Warning: Change in World Writeable Files found
Mar 8 00:03:10 jo300 : - Added writables files : /home/antivir/INSTALL.DAT
Mar 8 00:03:10 jo300 : - Added writables files : /home/vscan/BIN/EMSCAN.DA_
Mar 8 00:03:10 jo300 :
Mar 8 00:03:10 jo300 : Security Warning: the following files aren't owned by an user :
Mar 8 00:03:10 jo300 : - Removed un-owned files : /home/w3mir-1.0.8
Mar 8 00:03:10 jo300 : - Removed un-owned files : /home/w3mir-1.0.8/Artistic

and around 8000 other 'un-owned files' were listed, and removed.. (including many files in /usr/local/mysql, /usr/local/httpd and /usr/local/src - and yes, the kernel sources as well..)
Mar 8 00:06:02 jo300 :
Mar 8 00:06:02 jo300 : Security Warning: There is modifications for port listening on your machine
Mar 8 00:06:02 jo300 : - Opened ports : tcp 0 0 *:7101 *:* LISTEN 6104/xfstt
Mar 8 00:06:02 jo300 : - Opened ports : tcp 0 0 *:982 *:* LISTEN 5887/rpc.mountd
Mar 8 00:06:02 jo300 : - Opened ports : tcp 0 0 *:977 *:* LISTEN 5887/rpc.mountd
Mar 8 00:06:02 jo300 : - Opened ports : tcp 0 0 *:mysql *:* LISTEN 2509/
Mar 8 00:06:02 jo300 : - Opened ports : tcp 0 0 *:printer *:* LISTEN 1481/lpd
Mar 8 00:06:02 jo300 : - Opened ports : tcp 0 0 *:www *:* LISTEN 743/httpd
Mar 8 00:06:02 jo300 : - Opened ports : tcp 0 0 *:996 *:* LISTEN 393/
Mar 8 00:06:02 jo300 : - Opened ports : udp 0 0 *:980 *:* 5887/rpc.mountd
Mar 8 00:06:02 jo300 : - Opened ports : udp 0 0 *:975 *:* 5887/rpc.mountd
Mar 8 00:06:02 jo300 : - Opened ports : udp 0 0 *:994 *:* 393/
Mar 8 00:06:02 jo300 : - Opened ports : udp 0 0 *:948 *:* 347/
Mar 8 00:06:02 jo300 : - Closed ports : tcp 0 0 *:6000 *:* LISTEN 572/X
Mar 8 00:06:02 jo300 : - Closed ports : tcp 0 0 *:7101 *:* LISTEN 469/xfstt
Mar 8 00:06:02 jo300 : - Closed ports : tcp 0 0 *:996 *:* LISTEN 393/rpc.statd
Mar 8 00:06:02 jo300 : - Closed ports : tcp 0 0 *:964 *:* LISTEN 357/rpc.mountd
Mar 8 00:06:02 jo300 : - Closed ports : tcp 0 0 *:959 *:* LISTEN 357/rpc.mountd
Mar 8 00:06:02 jo300 : - Closed ports : udp 0 0 *:994 *:* 393/rpc.statd
Mar 8 00:06:02 jo300 : - Closed ports : udp 0 0 *:962 *:* 357/rpc.mountd
Mar 8 00:06:02 jo300 : - Closed ports : udp 0 0 *:957 *:* 357/rpc.mountd
Mar 8 00:06:02 jo300 : - Closed ports : udp 0 0 *:948 *:* 347/rpc.rquotad
Mar 8 00:06:10 jo300 :
Mar 8 00:06:10 jo300 : Security Warning: World Writeable files found :
Mar 8 00:06:10 jo300 : - /home/antivir/INSTALL.DAT
Mar 8 00:06:10 jo300 : - /home/vscan/BIN/EMSCAN.DA_
Mar 8 00:06:10 jo300 : - /usr/share/apps/kpacman/highScore
Mar 8 00:06:10 jo300 : - /var/lib/linpopup/messages.dat
Mar 8 00:06:10 jo300 : - /var/lib/texmf/ls-R
Mar 8 00:06:10 jo300 :
Mar 8 00:06:10 jo300 : Security Warning: these home directory should not be owned by someone else or writeable :
Mar 8 00:06:10 jo300 : user=mysqladmin : home directory is owned by mysqladm.

Regards,
Jason.
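Added example, not part of the original post: a small Python triage script for the "Opened ports" / "Closed ports" section of the report above. It pairs entries by protocol and port, so that sockets whose PID is unchanged or that were re-bound by a different process are separated from listeners with no closed counterpart. The bucket names and the SAMPLE subset are choices made for this example; the log lines themselves are copied from the post.

```python
import re

# Subset of the port section, copied verbatim from the report in the post.
SAMPLE = """\
Mar 8 00:06:02 jo300 : - Opened ports : tcp 0 0 *:7101 *:* LISTEN 6104/xfstt
Mar 8 00:06:02 jo300 : - Opened ports : tcp 0 0 *:982 *:* LISTEN 5887/rpc.mountd
Mar 8 00:06:02 jo300 : - Opened ports : tcp 0 0 *:mysql *:* LISTEN 2509/
Mar 8 00:06:02 jo300 : - Opened ports : tcp 0 0 *:996 *:* LISTEN 393/
Mar 8 00:06:02 jo300 : - Opened ports : udp 0 0 *:994 *:* 393/
Mar 8 00:06:02 jo300 : - Closed ports : tcp 0 0 *:6000 *:* LISTEN 572/X
Mar 8 00:06:02 jo300 : - Closed ports : tcp 0 0 *:7101 *:* LISTEN 469/xfstt
Mar 8 00:06:02 jo300 : - Closed ports : tcp 0 0 *:996 *:* LISTEN 393/rpc.statd
Mar 8 00:06:02 jo300 : - Closed ports : tcp 0 0 *:964 *:* LISTEN 357/rpc.mountd
Mar 8 00:06:02 jo300 : - Closed ports : udp 0 0 *:994 *:* 393/rpc.statd
"""

# Entry layout as logged: proto, two queue counters, local addr, remote addr,
# optional LISTEN state, then PID/program (program name may be empty).
LINE = re.compile(
    r"- (?P<state>Opened|Closed) ports : (?P<proto>tcp|udp)\s+\d+\s+\d+\s+"
    r"\S+:(?P<port>\S+)\s+\S+(?:\s+LISTEN)?\s+(?P<pid>\d+)/(?P<prog>\S*)")

def parse(text):
    """Map each state to {(proto, port): (pid, program)}."""
    found = {"Opened": {}, "Closed": {}}
    for line in text.splitlines():
        m = LINE.search(line)
        if m:
            found[m["state"]][(m["proto"], m["port"])] = (int(m["pid"]), m["prog"])
    return found

def triage(text):
    """Sort socket changes into four buckets (bucket names are this example's own)."""
    found = parse(text)
    opened, closed = found["Opened"], found["Closed"]
    buckets = {"same_pid": [], "new_pid": [], "new_listener": [], "gone": []}
    for key in sorted(opened):
        if key not in closed:
            buckets["new_listener"].append(key)  # no closed counterpart: review first
        elif opened[key][0] == closed[key][0]:
            buckets["same_pid"].append(key)      # same PID on both sides of the diff
        else:
            buckets["new_pid"].append(key)       # same port, bound by a different PID
    buckets["gone"] = sorted(k for k in closed if k not in opened)
    return buckets

if __name__ == "__main__":
    for bucket, keys in triage(SAMPLE).items():
        print(bucket, keys)
```
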