>meaning that they did gain root access after all but were able to hide this through a >rootkit??? > >/Håkan They tried to login as root, but according to /var/log/secure, they used a wrong password. Lateron, they probably gained root access in order to manipulate files which have write access only to root. Best regards, Daniel -- +++ GMX - die erste Adresse für Mail, Message, More +++ 10 GB Mailbox, 100 FreeSMS http://www.gmx.net/de/go/topmail