Subject: Re: HELP! someone is in my NetBSD box!
To: None <port-macppc@netbsd.org>
From: Dave Huang <khym@azeotrope.org>
List: port-macppc
Date: 04/08/2004 15:43:11
On Thu, Apr 08, 2004 at 10:22:02PM +0200, Niels S. Eliasen wrote:
> Have taken ethernet off, done....
> Well... looks like the guy has had one h... of a time... the system was,
> by the looks of it, compromised on 22-Jan-2004... at that time the
> accounting file got wiped... and apparently the super user has this
> entry "Charlie &" in the comment field and daemon has "the devil
> himself" .....

Those are actually the default names for those accounts; nothing to
worry about there. See
http://cvsweb.netbsd.org/bsdweb.cgi/src/etc/master.passwd?rev=1.30
for the stock password file.

Also, "passwd file is busy" doesn't necessarily mean that someone's
accessing the password file. Sometimes, the file is locked, but for
whatever reason, doesn't get unlocked. You have to manually remove the
/etc/ptmp file to fix it.

> BTW: I noticed something was wrong as I did a "top" and all of a sudden  
> "root" was doing a "make" and sure as ... it was not me!

Now that does seem suspicious.
-- 
Name: Dave Huang         |  Mammal, mammal / their names are called /
INet: khym@azeotrope.org |  they raise a paw / the bat, the cat /
FurryMUCK: Dahan         |  dolphin and dog / koala bear and hog -- TMBG
Dahan: Hani G Y+C 28 Y++ L+++ W- C++ T++ A+ E+ S++ V++ F- Q+++ P+ B+ PA+ PL++
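
A check that can be run before removing a leftover /etc/ptmp, as described in the reply above. This is an added example, not part of the original message; the function name ptmp_status, the 10-minute default threshold, and the availability of fuser and of find's -mmin option on the host are assumptions.

```shell
#!/bin/sh
# Classify a password-database lock file before deleting it by hand.
# Usage: ptmp_status /etc/ptmp [max_age_minutes]
# Prints one of: absent | held | recent | stale
ptmp_status() {
    lock=$1
    max_age=${2:-10}    # assumed threshold, in minutes

    # No lock file: nothing to clean up.
    if [ ! -e "$lock" ]; then
        echo absent
        return 0
    fi

    # If some process still has the file open, an edit (vipw, passwd, chsh)
    # may really be in progress. fuser writes the PIDs to stdout; test the
    # output rather than the exit status, which differs between systems.
    if command -v fuser >/dev/null 2>&1 &&
       [ -n "$(fuser "$lock" 2>/dev/null)" ]; then
        echo held
        return 0
    fi

    # Nobody holds it: a lock older than the threshold was most likely
    # left behind by an interrupted edit; a fresh one deserves a re-check.
    if [ -n "$(find "$lock" -mmin "+$max_age" 2>/dev/null)" ]; then
        echo stale
    else
        echo recent
    fi
}
```

On a machine that is being examined after a suspected break-in, note the lock file's owner and timestamps (ls -l /etc/ptmp) before deleting it.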