It looks like somebody came from khufu, got in as tim, then changed to root using sudo. Tim is in /etc/sudoers.

Dec 1 19:41:18 nebka sshd[3389]: Accepted keyboard-interactive/pam for tim from 129.3.20.41 port 35641 ssh2

That's khufu. But I can't see how he got into khufu.

Dec 1 19:41:18 nebka sshd[3389]: pam_unix(sshd:session): session opened for user tim by (uid=0)
Dec 1 19:45:01 nebka CRON[3812]: pam_unix(cron:session): session opened for user root by (uid=0)
Dec 1 19:45:01 nebka CRON[3812]: pam_unix(cron:session): session closed for user root
Dec 1 19:46:01 nebka CRON[4269]: pam_unix(cron:session): session opened for user aras by (uid=0)
Dec 1 19:46:29 nebka sshd[4294]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=informatika.brkk.hu user=root
Dec 1 19:46:31 nebka sshd[4292]: error: PAM: Authentication failure for root from informatika.brkk.hu
Dec 1 19:48:17 nebka CRON[4269]: pam_unix(cron:session): session closed for user aras
Dec 1 19:49:16 nebka su[4369]: pam_unix(su:auth): authentication failure; logname=tim uid=1001 euid=0 tty=pts/1 ruser=tim rhost= user=aras
Dec 1 19:49:19 nebka su[4369]: pam_authenticate: Authentication failure
Dec 1 19:49:19 nebka su[4369]: FAILED su for aras by tim
Dec 1 19:49:19 nebka su[4369]: - pts/1 tim:aras
Dec 1 19:49:24 nebka su[4371]: pam_unix(su:auth): authentication failure; logname=tim uid=1001 euid=0 tty=pts/1 ruser=tim rhost= user=root
Dec 1 19:49:27 nebka su[4371]: pam_authenticate: Authentication failure
Dec 1 19:49:27 nebka su[4371]: FAILED su for root by tim
Dec 1 19:49:27 nebka su[4371]: - pts/1 tim:root
Dec 1 19:49:35 nebka sudo: tim : TTY=pts/1 ; PWD=/home/aras ; USER=root ; COMMAND=/bin/su -
Dec 1 19:49:36 nebka su[4373]: Successful su for root by root
Dec 1 19:49:36 nebka su[4373]: + pts/1 root:root

I removed the user tim. I can't find a rootkit.

Cheers,

Thomas Krichel
http://openlib.org/home/krichel
http://authorclaim.org/profile/pkr1
skype: thomaskrichel
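The reading given in the message above (interactive login as tim, two failed su attempts, then sudo to root) can be reconstructed mechanically from the same auth.log lines. The script below is an added example and is not part of the thread; it parses the lines quoted in the message (embedded here as sample input), groups the su failures and sudo-to-root commands that followed each accepted SSH login by the same account, and lists remote root login failures separately. The function and class names (parse_events, escalation_chains, remote_root_failures, Event, Chain) are this example's own choices, not names from any tool mentioned on the page.

```python
"""Added example: rebuild a login -> su -> sudo chain from syslog-format auth.log lines."""
import re
from dataclasses import dataclass, field

# Log lines exactly as quoted in the message above (sample input for this example).
SAMPLE_LOG = """\
Dec 1 19:41:18 nebka sshd[3389]: Accepted keyboard-interactive/pam for tim from 129.3.20.41 port 35641 ssh2
Dec 1 19:41:18 nebka sshd[3389]: pam_unix(sshd:session): session opened for user tim by (uid=0)
Dec 1 19:45:01 nebka CRON[3812]: pam_unix(cron:session): session opened for user root by (uid=0)
Dec 1 19:45:01 nebka CRON[3812]: pam_unix(cron:session): session closed for user root
Dec 1 19:46:01 nebka CRON[4269]: pam_unix(cron:session): session opened for user aras by (uid=0)
Dec 1 19:46:29 nebka sshd[4294]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=informatika.brkk.hu user=root
Dec 1 19:46:31 nebka sshd[4292]: error: PAM: Authentication failure for root from informatika.brkk.hu
Dec 1 19:48:17 nebka CRON[4269]: pam_unix(cron:session): session closed for user aras
Dec 1 19:49:16 nebka su[4369]: pam_unix(su:auth): authentication failure; logname=tim uid=1001 euid=0 tty=pts/1 ruser=tim rhost= user=aras
Dec 1 19:49:19 nebka su[4369]: pam_authenticate: Authentication failure
Dec 1 19:49:19 nebka su[4369]: FAILED su for aras by tim
Dec 1 19:49:19 nebka su[4369]: - pts/1 tim:aras
Dec 1 19:49:24 nebka su[4371]: pam_unix(su:auth): authentication failure; logname=tim uid=1001 euid=0 tty=pts/1 ruser=tim rhost= user=root
Dec 1 19:49:27 nebka su[4371]: pam_authenticate: Authentication failure
Dec 1 19:49:27 nebka su[4371]: FAILED su for root by tim
Dec 1 19:49:27 nebka su[4371]: - pts/1 tim:root
Dec 1 19:49:35 nebka sudo: tim : TTY=pts/1 ; PWD=/home/aras ; USER=root ; COMMAND=/bin/su -
Dec 1 19:49:36 nebka su[4373]: Successful su for root by root
Dec 1 19:49:36 nebka su[4373]: + pts/1 root:root
"""

# "Mon  D HH:MM:SS host prog[pid]: msg" -- the pid bracket is optional (sudo logs without one).
SYSLOG = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"(?P<prog>[^\s\[:]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)
ACCEPTED = re.compile(r"^Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<src>\S+) port \d+")
SSH_FAIL = re.compile(r"^error: PAM: Authentication failure for (?P<user>\S+) from (?P<src>\S+)")
FAILED_SU = re.compile(r"^FAILED su for (?P<target>\S+) by (?P<user>\S+)")
OK_SU = re.compile(r"^Successful su for (?P<target>\S+) by (?P<user>\S+)")
SUDO = re.compile(r"^(?P<user>\S+) : TTY=\S+ ; PWD=\S+ ; USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.*)$")


@dataclass
class Event:
    ts: str
    kind: str     # login, ssh_fail, su_fail, su_ok, sudo
    user: str     # account that acted
    target: str   # account reached or attempted ("" for logins)
    detail: str   # source host/IP for logins, command for sudo


def parse_events(text):
    """Extract the authentication events that matter for a privilege-escalation timeline."""
    events = []
    for line in text.splitlines():
        m = SYSLOG.match(line)
        if not m:
            continue
        ts, prog, msg = m["ts"], m["prog"], m["msg"]
        if prog == "sshd":
            if (a := ACCEPTED.match(msg)):
                events.append(Event(ts, "login", a["user"], "", a["src"]))
            elif (f := SSH_FAIL.match(msg)):
                events.append(Event(ts, "ssh_fail", f["user"], "", f["src"]))
        elif prog == "su":
            if (f := FAILED_SU.match(msg)):
                events.append(Event(ts, "su_fail", f["user"], f["target"], ""))
            elif (s := OK_SU.match(msg)):
                events.append(Event(ts, "su_ok", s["user"], s["target"], ""))
        elif prog == "sudo":
            if (s := SUDO.match(msg)):
                events.append(Event(ts, "sudo", s["user"], s["target"], s["cmd"]))
    return events


@dataclass
class Chain:
    login_from: str
    su_failures: list = field(default_factory=list)    # accounts the user failed to su into
    root_via_sudo: list = field(default_factory=list)  # commands the user ran as root via sudo


def escalation_chains(events):
    """Per account with an accepted SSH login, collect the su failures and sudo-to-root that followed."""
    chains = {}
    for ev in events:
        if ev.kind == "login":
            chains.setdefault(ev.user, Chain(login_from=ev.detail))
        elif ev.user in chains:
            if ev.kind == "su_fail":
                chains[ev.user].su_failures.append(ev.target)
            elif ev.kind == "sudo" and ev.target == "root":
                chains[ev.user].root_via_sudo.append(ev.detail)
    return chains


def remote_root_failures(events):
    """(timestamp, source) for every rejected remote root login; a separate signal from the su chain."""
    return [(ev.ts, ev.detail) for ev in events if ev.kind == "ssh_fail" and ev.user == "root"]


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    for user, chain in escalation_chains(evs).items():
        print(f"{user}: logged in from {chain.login_from}; failed su -> {chain.su_failures}; "
              f"sudo as root -> {chain.root_via_sudo}")
    for ts, src in remote_root_failures(evs):
        print(f"{ts}: rejected remote root login from {src}")
```

Run against the lines above, the report attributes the source address 129.3.20.41, the failed su attempts to aras and root, and the sudo invocation of /bin/su - to the single account tim, which is the chain the message describes. The next analytic step, tracing the 129.3.20.41 login back to the originating host, needs that host's own logs, which is exactly the gap the message points out.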
Thomas Krichel writes
That's khufu.
No, it's rfe.
But I can't see how he got into khufu.
Because it's no good to look for an intruder on khufu that has been on rfe. I don't have access to rfe.

Cheers,

Thomas Krichel
http://openlib.org/home/krichel
http://authorclaim.org/profile/pkr1
skype: thomaskrichel