Re: what does owner "32" mean?

Hello all,

many thanks for the hints. Upon your suggestion I went through the logs,
and did find some peculiar things. I'm not completely certain the
machine has been compromised, though:
- I have two machines connected to the internet through a cable modem router
- one of the machines had an sshd running, which I used to access it from
the outside.
- over the course of one week, this machine suffered a series of
password/user attacks (it looks like someone tried to use some program
to gain access)
- the auth.log recorded the following lines on a day the second machine
(which had the files with owner 32) stayed on uninterruptedly, without my
supervision (a very poor one, anyway):

Jul  8 06:25:04 abafado su[24024]: + ??? root:nobody
Jul  8 06:25:04 abafado su[24024]: (pam_unix) session opened for user nobody by (uid=0)
Jul  8 06:25:04 abafado su[24024]: (pam_unix) session closed for user nobody
Jul  8 06:25:04 abafado su[24026]: + ??? root:nobody
Jul  8 06:25:04 abafado su[24026]: (pam_unix) session opened for user nobody by (uid=0)
Jul  8 06:25:04 abafado su[24026]: (pam_unix) session closed for user nobody
Jul  8 06:25:04 abafado su[24028]: + ??? root:nobody
Jul  8 06:25:04 abafado su[24028]: (pam_unix) session opened for user nobody by (uid=0)
Jul  8 06:27:18 abafado su[24028]: (pam_unix) session closed for user nobody

I'm still learning the ropes, and sys-forensics is not that easy. Also,
a post on my corrupted, ownerid=32 TOP command, with some info about my
disk health status, suggested my disk was on the verge of collapsing,
with that being a possible explanation for the corruption.

Now the question is finding out which of the two situations (disk
corruption or machine compromise) happened, or whether both did.


Regards,

Jose


--
Kernelnewbies: Help each other learn about the Linux kernel.
Archive:       http://mail.nl.linux.org/kernelnewbies/
FAQ:           http://kernelnewbies.org/faq/
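The auth.log excerpt quoted above is the kind of thing a small parser can pull apart systematically rather than by eye. The following is an added example, not code from the original post or from the Kernelnewbies list: it reads the su lines from the message (embedded as a constructed sample; the host name abafado and the PIDs are as quoted), pairs each su invocation with its PAM "session opened"/"session closed" lines, and reports what a reviewer would look at first: whether su ran without a controlling terminal (the "???" tty field), whether root dropped to an unprivileged account, how long each session lasted, and whether several su invocations landed within a few seconds of each other. The burst window and the assumed year (syslog timestamps carry none) are constructed placeholders.

```python
import re
from datetime import datetime, timedelta

# Constructed sample: the su lines quoted in the post, one log entry per line.
SAMPLE_AUTH_LOG = """\
Jul  8 06:25:04 abafado su[24024]: + ??? root:nobody
Jul  8 06:25:04 abafado su[24024]: (pam_unix) session opened for user nobody by (uid=0)
Jul  8 06:25:04 abafado su[24024]: (pam_unix) session closed for user nobody
Jul  8 06:25:04 abafado su[24026]: + ??? root:nobody
Jul  8 06:25:04 abafado su[24026]: (pam_unix) session opened for user nobody by (uid=0)
Jul  8 06:25:04 abafado su[24026]: (pam_unix) session closed for user nobody
Jul  8 06:25:04 abafado su[24028]: + ??? root:nobody
Jul  8 06:25:04 abafado su[24028]: (pam_unix) session opened for user nobody by (uid=0)
Jul  8 06:27:18 abafado su[24028]: (pam_unix) session closed for user nobody
"""

# Classic syslog prefix followed by an su[pid]: message.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) su\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
# "+ <tty> <from>:<to>" is su's own success record; "???" means no controlling tty.
SWITCH_RE = re.compile(r"^\+ (?P<tty>\S+) (?P<from>[^:]+):(?P<to>\S+)$")
OPENED_RE = re.compile(r"session opened for user (?P<user>\S+) by \(uid=(?P<uid>\d+)\)")
CLOSED_RE = re.compile(r"session closed for user (?P<user>\S+)")


def parse_ts(ts, year=1970):
    """Syslog lines carry no year; the caller supplies one (placeholder default)."""
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")


def parse_su_sessions(log_text):
    """Group su log lines by PID into one record per su invocation."""
    sessions, order = {}, []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not an su line; ignore
        pid, ts, msg = int(m["pid"]), parse_ts(m["ts"]), m["msg"]
        if pid not in sessions:
            sessions[pid] = {"pid": pid, "host": m["host"], "tty": None, "from": None,
                             "to": None, "caller_uid": None, "opened": None, "closed": None}
            order.append(pid)
        s = sessions[pid]
        sm, om, cm = SWITCH_RE.match(msg), OPENED_RE.search(msg), CLOSED_RE.search(msg)
        if sm:
            s["tty"], s["from"], s["to"] = sm["tty"], sm["from"], sm["to"]
        elif om:
            s["opened"], s["caller_uid"] = ts, int(om["uid"])
            s["to"] = s["to"] or om["user"]
        elif cm:
            s["closed"] = ts
    return [sessions[p] for p in order]


def summarize(sessions, burst_window=timedelta(seconds=5), burst_count=3):
    """Flag per-session oddities and bursts of su invocations within burst_window."""
    report = {"sessions": [], "bursts": []}
    for s in sessions:
        duration = None
        if s["opened"] and s["closed"]:
            duration = (s["closed"] - s["opened"]).total_seconds()
        flags = []
        if s["tty"] == "???":
            flags.append("no-tty")            # not typed at a terminal
        if s["caller_uid"] == 0 and s["to"] != "root":
            flags.append("root-drops-to-" + s["to"])
        report["sessions"].append({"pid": s["pid"], "from": s["from"], "to": s["to"],
                                   "duration_s": duration, "flags": flags})
    # Sliding window over session start times to spot rapid-fire su calls.
    opened = sorted(s["opened"] for s in sessions if s["opened"])
    i = 0
    for j in range(len(opened)):
        while opened[j] - opened[i] > burst_window:
            i += 1
        if j - i + 1 == burst_count:
            report["bursts"].append((opened[i], opened[j], j - i + 1))
    return report


if __name__ == "__main__":
    rep = summarize(parse_su_sessions(SAMPLE_AUTH_LOG))
    for s in rep["sessions"]:
        print(f"su[{s['pid']}] {s['from']}->{s['to']} {s['duration_s']}s {s['flags']}")
    for start, end, n in rep["bursts"]:
        print(f"burst: {n} su invocations between {start.time()} and {end.time()}")
```

On the sample this reports three su invocations from root to nobody with no controlling tty, two of them lasting zero seconds and the third 134 seconds, all starting in the same second. That shape (root dropping to nobody at a fixed clock time, not from a terminal) is also exactly what a scheduled job looks like, so the next check is to compare the timestamp against the machine's crontab and /etc/cron.* entries before concluding anything; the script only makes the pattern visible, it does not decide between the two explanations the post is weighing.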

