Just to add to that, look at roots bash_history file for any odd activity and take a close look at the output of the "last" command for any logins that look abnormal. It's probably a good idea to run rkhunter or chkrootkit on the system and verify the integrity of binaries with rpm -Va . You should also look around the filesystem for any abnormal files/dirs, especially in places like /tmp.
If the system in question is running RH 7.3, how have you been keeping it updated with securty patches?
Last edited by Capt_Caveman; 10-13-2005 at 04:21 PM.