LinuxQuestions.org
Old 02-22-2005, 10:41 AM   #1
Chuck23
Member
 
Registered: Jun 2004
Distribution: Fedora Core1
Posts: 63

Rep: Reputation: 15
failed xscreensaver login when x down?


Noticed a couple of strange things this morning when I flipped on my monitor, and I wonder if anyone can help me sort them out.

First of all, at the runlevel 3 login prompt, instead of seeing my normal blank

hostname login:

I saw this:

hostname login: e100:eth0 NIC Link is Down
e100: eth0 NIC Link is Up (speed)
e100: eth0 NIC Link is Down
e100: eth0 NIC Link is Up (speed)

The link went down overnight as I slept (no time given in any log that I could find) and for some reason the information just output to the login prompt? Weird, but not terribly worrisome... yet.

So I ran rkhunter. Everything looked fine until this:

Checking loaded kernel mods Warning! (found difference in output)

I did add a module recently, so that probably explains that.

But then I checked my security log and saw the strangest thing ever:

xscreensaver FAILED LOGIN

at 2:32, when I was sound asleep and the machine was running at rl 3...

Anybody have any idea what the xscreensaver login attempt is all about?
 
Old 02-23-2005, 08:12 AM   #2
Chuck23
Member
 
Registered: Jun 2004
Distribution: Fedora Core1
Posts: 63

Original Poster
Rep: Reputation: 15
Nobody has any idea about this xscreensaver failed login? Now I'm getting a little worried.
 
Old 02-23-2005, 09:01 AM   #3
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 69
Unless someone was able to establish a remote X session, then the failed xscreensaver login had to be local. Check the output of last -i for login times that occurred overnight. What does the rkhunter logfile show as the module discrepancy?
 
Old 02-23-2005, 08:32 PM   #4
Chuck23
Member
 
Registered: Jun 2004
Distribution: Fedora Core1
Posts: 63

Original Poster
Rep: Reputation: 15
last -i doesn't show any unusual activity. rkhunter didn't give specific info about the mod, just that something had changed, and it probably had to do with some tinkering with mysql. When I ran rkhunter again today, it didn't show anything wrong. Pretty sure I inserted a new mod since last time I ran rkhunter. Not worried about it.

I don't think anybody could establish a remote xsession unless they could figure out a way to do it through... well, let's not give them any ideas.

But as long as we're on the subject of security. This morning at 4:17, I got an email from winvn@news.ksc.nasa.gov

Subject: Hello,info,japanese girl VS playboy

Message: Content-Type: application/octet-stream;
name=jill stack@fastclick[1].txt
Content-Transfer-Encoding: base64
Content-ID: <ZwF6s9780575W39tY94>
cGx1dG8KNzM2MzgzMzI4fDB8ZTE0YTI5MmEtM
Tg5NC00YTUzLWE2ZmEtOTliM2IyMjk1YmM3fApmYXN0Y2xpY2submV0Lw
oxMDI0CjM4OTcwNzIzODQKMjk4Mzg5MjEKNDA3NDg2NTgwOAoyOTcxMT
k3NwoqCj==

What the hell is that all about?
 
Old 02-23-2005, 09:47 PM   #5
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 69
Quote:
I don't think anybody could establish a remote xsession unless they could figure out a way to do it through... well, let's not give them any ideas.

It's possible (but not likely) that someone could establish a remote desktop session by connecting to your local X server, but you should see a remote login. Plus if you are normally in runlevel three, then someone would first have to remotely log into the box using some other method, then fire up X and then establish the remote desktop session (all of which is pretty unlikely). What's odd is that a failed xscreensaver login should only be possible in a desktop session, but from everything you've described it doesn't seem possible. Might want to add an iptables rule logging any incoming or outgoing X traffic.

Quote:
What the hell is that all about?

Given that all I get in my inbox anymore is pr0n spam or a virus, I'd say it's one of those (Actually it's klez).
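
One way to set up the X traffic logging suggested in the reply above, as an added example that is not part of the original thread. The log prefixes (X11-IN, X11-OUT), the rate limit, the host name and the addresses in the sample lines are assumptions made for illustration; the port range is the standard X11 one (6000 plus the display number).

```shell
#!/bin/sh
# Added example: log new X11 connections (TCP 6000-6063 = displays :0 to :63).
# Log prefixes, host name and addresses below are constructed for illustration.

# Print the rules rather than applying them; review, then pipe to `sh` as root.
x11_log_rules() {
    for chain in INPUT OUTPUT; do
        case $chain in
            INPUT)  tag="X11-IN: " ;;
            OUTPUT) tag="X11-OUT: " ;;
        esac
        # -I puts LOG ahead of existing ACCEPT/DROP rules; --syn logs only
        # connection attempts; the limit keeps a scan from flooding syslog.
        printf 'iptables -I %s -p tcp --syn --dport 6000:6063 -m limit --limit 6/min -j LOG --log-prefix "%s"\n' "$chain" "$tag"
    done
}

# Summarise LOG hits read from stdin as "count direction src -> dst:port".
x11_hits() {
    awk '/X11-(IN|OUT): / {
        dir = ($0 ~ /X11-IN: /) ? "in" : "out"
        src = dst = dpt = "?"
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^SRC=/) src = substr($i, 5)
            if ($i ~ /^DST=/) dst = substr($i, 5)
            if ($i ~ /^DPT=/) dpt = substr($i, 5)
        }
        n[dir " " src " -> " dst ":" dpt]++
    }
    END { for (k in n) print n[k], k }' | sort -rn
}

# Constructed kernel log lines in the format the LOG target writes.
sample_log() {
    cat <<'EOF'
Feb 24 02:31:07 host kernel: X11-IN: IN=eth0 OUT= SRC=192.0.2.10 DST=192.0.2.20 LEN=60 PROTO=TCP SPT=40112 DPT=6000 SYN URGP=0
Feb 24 02:31:09 host kernel: X11-IN: IN=eth0 OUT= SRC=192.0.2.10 DST=192.0.2.20 LEN=60 PROTO=TCP SPT=40113 DPT=6000 SYN URGP=0
Feb 24 02:32:40 host kernel: X11-OUT: IN= OUT=eth0 SRC=192.0.2.20 DST=198.51.100.7 LEN=60 PROTO=TCP SPT=32801 DPT=6010 SYN URGP=0
Feb 24 02:33:00 host sshd[411]: unrelated line
EOF
}

x11_log_rules
sample_log | x11_hits
```

Once the rules are loaded, feed the file that receives kernel messages to the summary function, typically x11_hits < /var/log/messages on Fedora.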
 
  

