Hi, sorry I'm not very used with the entries in the message-log, though I can't identify, if the following lines are harmless (because the system has done something for which it uses root rights) or dangerous (because someone has hacked the box an got root rights for the user nobody) Jul 3 00:15:12 www PAM-unix2[4780]: session started for user nobody, service su Jul 3 00:16:54 www PAM-unix2[4780]: session finished for user nobody, service su The Linux-Box runs SuSE-Linux 7.2 Kernel 2.4.7 - it denies connections other from our router (i hope so) and runs apache 1.3.26, tomcat 4.0.2, php 4.0.1. Can anyone help with a hint? -- Mit freundlichem Gruß Thomas Albl Deutscher Städtetag Tel. : 0221/3771-210 FAX : 0221/3771-128 eMail: mailto:thomas.albl@staedtetag.de Web : http://www.staedtetag.de