Hi, all:

I have a server, running on Slackware 13.1, has openssh&openssl update to current.

Today I find I can not access my root account, password is not correct, I believe somebody break my security rules, nobody has account on this machine, I have LAMP running on it.

What should I do at the moment? I have cut the network down, I think I can mount disk, clear root password, but what should I do next? How to find and clear the Cracker?

Thanks!

If a system is compromised, then the right thing would be to recover data and if necessary do forensics with a forensic distro.
The system should be reinstalled after that

just a few hints (these matters cannot be dissected on every aspect in forum posts, I think, there is people working on them for years and tons of docs to read):

first, be sure you haven't simply forgotten your root password: I manage a lot of hosts and (I know it's a stupid mistake but) it happens to me once in a while.

then, if it's really compromised, nothing will resume a clear situation as a reinstall.

but, if I were you, I would have a look at the things you're running on your lamp server and the lamp setup too (if you have changed something from the defaults) to avoid a comeback of the crackers: if they broke in they most probably have done it by some bugged webapp (but they have to be really bleeding edge, as the lamp software coming with slack 13.1 is up-to-date).

Thanks for all your reply, I am trying to find what happened now, I do not know how they are in. I need to find what happened, otherwise, after I reinstall it, I can not believe it's safe again.