Karsten Dambekalns <[EMAIL PROTECTED]> writes:

> Hi.
>
> On Thursday 21 July 2005 20:31, Andras Got wrote:
>> The users, the ones the machines was hacked, were they existing users on
>> the machine?
>
> I don't know which user account got hacked, if this was what has happened.

Did you check the last log? Maybe the attacker didn't remove the traces
there.

Did you check if any users have their secret ssh key on your system and
ask them to generate new keys? The attacker might have copied the
secret key and can now log in without a password.

Also the attacker might have compromised one of your users' systems and
got an ssh key from there. So it's probably best to remove all keys and
generate new ones.

Just some thoughts,
Goswin
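
The key check suggested in the message above could be scripted as follows. This is an added example, not part of the original post: the names `classify_key` and `audit_home` and the default root `/home` are assumptions. It lists every private key and `authorized_keys` file under a directory and marks keys stored without a passphrase, and it also covers the newer OpenSSH key format in addition to legacy PEM.

```python
import base64, os, re, struct, sys
# PEM armor lines of the private-key formats OpenSSH and OpenSSL write.
PEM_BEGIN = re.compile(rb"-----BEGIN ((?:RSA |DSA |EC |OPENSSH |ENCRYPTED )?PRIVATE KEY)-----")
OPENSSH_MAGIC = b"openssh-key-v1\x00"

def classify_key(data):
    """None if data holds no private key, else 'PLAINTEXT', 'encrypted' or 'unreadable'."""
    m = PEM_BEGIN.search(data)
    if not m:
        return None
    if m.group(1) == b"ENCRYPTED PRIVATE KEY":
        return "encrypted"
    if m.group(1) == b"OPENSSH PRIVATE KEY":
        # New-format keys name their cipher right after the magic string.
        body = data[m.end():].split(b"-----END", 1)[0]
        try:
            blob = base64.b64decode(b"".join(body.split()))
        except ValueError:
            return "unreadable"
        off = len(OPENSSH_MAGIC)
        if not blob.startswith(OPENSSH_MAGIC) or len(blob) < off + 4:
            return "unreadable"
        (n,) = struct.unpack(">I", blob[off:off + 4])
        return "PLAINTEXT" if blob[off + 4:off + 4 + n] == b"none" else "encrypted"
    # Legacy PEM keys carry this header when passphrase-protected.
    return "encrypted" if b"Proc-Type: 4,ENCRYPTED" in data else "PLAINTEXT"

def audit_home(root):
    """Walk root; return sorted (path, status) for private keys and authorized_keys."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if not os.path.isfile(path):  # skip FIFOs, sockets, dangling links
                continue
            try:
                with open(path, "rb") as fh:
                    data = fh.read(65536)
            except OSError:
                continue
            if name in ("authorized_keys", "authorized_keys2"):
                keys = [l for l in data.splitlines() if l.strip() and not l.lstrip().startswith(b"#")]
                findings.append((path, "%d authorized key(s)" % len(keys)))
            elif classify_key(data):
                findings.append((path, classify_key(data)))
    return sorted(findings)

if __name__ == "__main__":
    for path, status in audit_home(sys.argv[1] if len(sys.argv) > 1 else "/home"):
        print(status, path, sep="\t")
```

Run it as root so every home directory is readable. Each reported private key is one to replace, and each `authorized_keys` entry is one to remove and re-issue.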