[Plug-security] Once cracked
Carl Parrish
plug-security@lists.PLUG.phoenix.az.us
Mon, 10 Sep 2001 09:06:22 -0700
Okay, the reason I think I've been cracked is that there is a user found
in /etc/passwd that I've never created and is a member of the root grp.
When I look under linuxconf this user doesn't show up. Now I'm thinking
it's "possible" that something I installed created this user. But how
would I find that out? And why would it need to be a member of the root
grp? I don't have telnet, sendmail, bash, or ftp running on my box. I do
allow IRC and as far as I know that's the *only* way someone could get
in. I'm not running IP tables like I should though. So far I haven't seen
anything malicious on my machine. But you never know. Thanks for the ideas
so far. I'll be looking them over to see if I can figure it all out. But
if I haven't found out how they did it by the end of the day I'm just
going to wipe it all.
Carl P.
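
Added example, not part of the original post: one way to list every account that holds UID 0 or belongs to the root group (GID 0), by parsing copies of /etc/passwd and /etc/group rather than trusting a front end such as linuxconf. The function names and the sample accounts (mystery, toor2, ircd) are constructed for illustration.

```shell
#!/bin/sh
# Added example. Usage: audit_root_accounts PASSWD_FILE GROUP_FILE
# Prints "<user> <reason>" for each non-root account with root-level IDs.
audit_root_accounts() {
    awk -F: '
        # First operand: group(5) format  name:passwd:gid:member,member
        FILENAME == ARGV[1] {
            if ($3 == 0) {
                n = split($4, m, ",")
                for (i = 1; i <= n; i++) if (m[i] != "") supp[m[i]] = 1
            }
            next
        }
        # Second operand: passwd(5) format name:passwd:uid:gid:gecos:home:shell
        /^#/ || NF < 7 { next }
        $1 == "root"   { next }
        {
            if ($3 == 0)    print $1, "uid0"
            if ($4 == 0)    print $1, "primary-gid0"
            if ($1 in supp) print $1, "supplementary-gid0"
        }
    ' "$2" "$1"
}

# Runs the audit over constructed sample files (not data from the post).
demo_constructed() {
    d=$(mktemp -d) || return 1
    cat > "$d/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:2:2:daemon:/sbin:/sbin/nologin
carl:x:500:500:Carl:/home/carl:/bin/bash
mystery:x:501:0::/tmp:/bin/sh
toor2:x:0:0::/:/bin/sh
ircd:x:502:502::/var/ircd:/sbin/nologin
EOF
    cat > "$d/group" <<'EOF'
root:x:0:root,ircd
daemon:x:2:root,bin,daemon
users:x:100:carl
EOF
    audit_root_accounts "$d/passwd" "$d/group"
    rm -rf "$d"
}

demo_constructed
```

On a suspect machine, run audit_root_accounts against copies of the two files read from trusted media, since the installed awk and shell may themselves have been replaced.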