1. Get insight. This is the first thing to read and do: the Intruder Detection Checklist (CERT):
http://www.cert.org/tech_tips/intrud...checklist.html. If unsure, run from your distro's rescue CD or a Live CD like KNOPPIX, HELIX or similar.
2. Try to check at least, and post info about:
- system, daemon and firewall logs (unusual entries if any),
- auth data (users, logins),
- any IDS data (Snort, Prelude),
- running (and accessible) services and processes at the time and now,
- any setuid root files encountered,
- any audit data from running your distro's package manager in file verification mode, Chkrootkit and Rootkit Hunter,
- user shell histories (unusual entries if any).
Having as much of this information as possible is crucial, because otherwise no advice tailored to your situation can be given. Be methodical and please post *exact* messages, not descriptions of them. Add anything else you think could hold a clue or might help solve the case.
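The checklist above turned into a collection script, so that the exact output of each item lands in one report directory ready to post. This is an added example, not part of the original post; the log file names, tool names (ss, lastlog, rpm, debsums, chkrootkit, rkhunter) and report layout are assumptions, so adjust them for your distro.

```shell
#!/bin/sh
# Added example (not from the original post): gather the checklist items into a
# report directory. Run as root, ideally from a rescue/live CD with the suspect
# disk mounted and passed as fs_root. Paths and tool names are assumptions.

have() { command -v "$1" >/dev/null 2>&1; }

# capture <report_dir> <name> <cmd...>: save a command's output, or note its absence
capture() {
    _dir=$1; _name=$2; shift 2
    if have "$1"; then "$@" > "$_dir/$_name.txt" 2>&1 || true
    else echo "$1: not installed" > "$_dir/$_name.txt"; fi
}

# find_setuid_files <root>: every setuid file with owner and mode. Root-owned
# ones (uid 0 in the third column) are what the checklist asks about; the rest
# are kept so nothing is silently dropped.
find_setuid_files() {
    find "$1" -xdev -type f -perm -4000 -exec ls -ln {} \; 2>/dev/null
}

# collect_evidence <report_dir> [fs_root]: logs, auth data, processes, listening
# services, setuid files and shell histories. Prints the report directory.
collect_evidence() {
    _rep=$1; _root=${2:-/}
    mkdir -p "$_rep/logs" "$_rep/histories"
    for f in messages syslog auth.log secure; do       # copy whole logs, never tail
        if [ -r "$_root/var/log/$f" ]; then cp "$_root/var/log/$f" "$_rep/logs/"; fi
    done
    cp "$_root/etc/passwd" "$_rep/passwd.txt" 2>/dev/null || true
    capture "$_rep" last last -f "$_root/var/log/wtmp"
    capture "$_rep" lastlog lastlog
    capture "$_rep" processes ps auxww
    if have ss; then capture "$_rep" listeners ss -tulpn
    else capture "$_rep" listeners netstat -tulpn; fi
    find_setuid_files "$_root" > "$_rep/setuid.txt"
    for h in "$_root"/root/.*history "$_root"/home/*/.*history; do
        if [ -f "$h" ]; then cp "$h" "$_rep/histories/$(echo "$h" | tr / _)"; fi
    done
    echo "$_rep"
}

# run_audits <report_dir>: the slow checks (package verification, Chkrootkit,
# Rootkit Hunter); kept separate so the quick evidence is saved first.
run_audits() {
    if have rpm; then capture "$1" pkg-verify rpm -Va
    elif have debsums; then capture "$1" pkg-verify debsums -c; fi
    capture "$1" chkrootkit chkrootkit
    capture "$1" rkhunter rkhunter --check --sk
}
```

Run `collect_evidence /mnt/report /mnt/suspect` first and `run_audits /mnt/report` afterwards; the histories are saved with their full path flattened into the file name so it is clear which user they belong to.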