Quote:
Originally Posted by metallica1973
Many thanks for all the responses. How is my firewall looking?
To be honest, I'm not sure what I think about your firewall. It is obvious that you've got a pretty complex setup, and without knowing more about what services the machine is supposed to be offering and what you're trying to defend against, I'm not sure I could offer much in the way of practical analysis.
Given the amount in your FORWARD chain, I'm guessing this is acting as some sort of a router or gateway between domains. If this is true, and if we find evidence of a compromise, that could raise the troubling issue of whether or not any of the other systems sharing this network have been infected/attacked.
I'm also not sure I understand what is going on in the OUTPUT chain. It looks like you eventually accept everything heading outbound, so I'm kind of wondering why you don't just set the OUTPUT default to ACCEPT. Unless I'm missing something (always a possibility), no packets ever make it from OUTPUT to the LDROP table.
One thing I will say is that in terms of this potential compromise, I'm not sure the firewall is something to be concerned about. It is clear you have it doing a fair bit of logging, and those logs may be useful once we have a better picture of what is going on. What this firewall also may do is make it a bit more of an imperative to look at existing services and see if they have been compromised. It might be a bit difficult with this firewall to set up a new service like an IRC server and have it be accessible without changing some rules.
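The observation about the OUTPUT chain (a catch-all ACCEPT that makes the later LDROP jumps and the DROP policy dead code) can be checked mechanically. The script below is an added example, not from this thread: it reads a ruleset in iptables-save format, flags rules that sit after an unconditional ACCEPT/DROP/REJECT in the same chain, and notes chains whose DROP policy is made redundant by a trailing catch-all ACCEPT. The embedded ruleset is constructed for illustration and is not metallica1973's actual firewall; on a live box you would pipe in `iptables-save` instead.

```shell
#!/bin/sh
# Constructed sample ruleset (iptables-save format); not the poster's real rules.
SAMPLE_RULES='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:LDROP - [0:0]
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -j ACCEPT
-A OUTPUT -p tcp --dport 6667 -j LDROP
-A OUTPUT -p udp --dport 53 -j LDROP
-A LDROP -j LOG --log-prefix "LDROP: "
-A LDROP -j DROP
COMMIT'

# Reads iptables-save text on stdin. Prints one line per finding:
#   terminal:    first rule in a chain with no match criteria and a final verdict
#   unreachable: any rule in that chain that comes after such a rule
#   policy:      a chain whose DROP policy is never consulted because of a catch-all ACCEPT
unreachable_rules() {
  awk '
    /^:/ { sub(/^:/, "", $1); policy[$1] = $2 }      # ":CHAIN POLICY [pkts:bytes]"
    /^-A / {
      chain = $2
      if (chain in dead) { print "unreachable: " $0; next }
      # "-A CHAIN -j VERDICT" with nothing else is an unconditional terminal rule.
      if (NF == 4 && $3 == "-j" && ($4 == "ACCEPT" || $4 == "DROP" || $4 == "REJECT")) {
        dead[chain] = $4
        print "terminal: " $0
      }
    }
    END {
      for (c in dead)
        if (dead[c] == "ACCEPT" && policy[c] == "DROP")
          print "policy: " c " has policy DROP but ends in a catch-all ACCEPT; the policy never applies"
    }
  '
}

# Convenience wrappers over the constructed sample; each returns a count on stdout.
count_unreachable() { printf '%s\n' "$SAMPLE_RULES" | unreachable_rules | grep -c '^unreachable:'; }
count_policy_findings() { printf '%s\n' "$SAMPLE_RULES" | unreachable_rules | grep -c '^policy:'; }
```

On the sample, the two LDROP jumps in OUTPUT are reported as unreachable and OUTPUT's DROP policy is reported as never consulted, which is exactly the situation the reply describes.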