On Wednesday 03 January 2007 10:27, Carl Hartung wrote: <snipped; I'm replying to all who responded to my original post> Hi All, I'd forgotten I'd turned off sshd and apache2 immediately after the incident and only begun firing them up when needed. There must be an unknown mechanism affording access to the system. :-( With respect to today's tests: First, after booting back into 10.0, 'who' was working correctly. (!?) After seeing this, I didn't bother checking the status of /var/run/utmp Remote administration was still disabled in the router, it's firewall settings were still where I'd set them and my very long & complex 'Admin' names and password were still intact. I'm beginning to suspect some kind of "inside attack" is being routed through the M$ box that is sharing this connection. I saw nothing unusual with "last", "w" or "alias". The md5sum of my /usr/bin/who matched the one posted by Ken Schneider so it appears to be the 'stock' binary (thanks, Ken!) Have I missed anything? I do appreciate all the great feedback today, so thanks again! Carl -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org For additional commands, e-mail: opensuse+help@opensuse.org