Hallo Dieter, thank you for your answer. I have had a look to different things and found in /boot/grub/ : -rw-r--r-- 1 root root 103434 Feb 19 17:38 stage2 a file from Feb 19 and in /boot/ -rw-r--r-- 1 root root 512 Feb 19 14:24 backup_mbr On Februar 15 I did install the server (SuSE 9.0) on new disks. In the following days I have make many installations, but I have no documentation about our activity on the 19th. But we had a mistake in grub/menu.lst associated with a disk "hdX" (hde or hdc was mispelled as h0 or something like this). May be, that the file "/dev/h" was created in this context by the boot-process. May also be a result of a unsuccessful test with lilo by my trainee. I did run chkrootkit and do some other checks. I cannot find a rootkit at all. I think too, if a hacker had attack the server, he would eliminate ALL entries in authd.log and message.log. So I will be alert next time, watch tcp-connection and have a look for unknown rootkits. Hackers going on to make the internet unusable. Manfred