- 04-01-2009 #1 Just Joined!
- Join Date
- Nov 2008
- Posts
- 27
I think I have been hacked, root password has been changed
I turn on my Fedora 9 and I am browsing through files and I see an account by the name of SirLnX in my /home directory. My firewall is down, but it has been for a while. I also had torrent running so my IP could have been found. I can't change any system settings because the root password is different. Please help me, I have no idea what to do.
- 04-01-2009 #2
If you are sure the root account has been violated, you need to disconnect from the Internet immediately and you might consider re-installing Fedora from scratch.
I do not respond to private messages asking for Linux help, Please keep it on the forums only.
All new users please read this.** Forum FAQS. ** Adopt an unanswered post.
I'd rather be lost at the lake than found at home.
- 04-01-2009 #3 Just Joined!
Are you sure? Is there any way to fix this?
- 04-01-2009 #4
No, I am not sure, that's why I said "If you are sure the root account has been violated".
Sure, you can probably fix it, but will you ever trust the machine again? Next time something acts up, will you still think you didn't fix it correctly? I would never trust this machine until I did a complete format/re-install.
- 04-01-2009 #5 Just Joined!
I guess you are right. I have a lot of things to backup
- 04-01-2009 #6
This is enough evidence that your machine has been compromised.
You have no other reasonable choice than to reset-up the system from scratch.
This should include the boot block, because the MBR was writeable to the offender too.
You should not trust any of the binaries nor any configuration files from the old system.
However, before you wipe it out, try to find out (offline!) how the intruder came in. So you can learn from it and won't repeat the same mistake. The logfiles and file dates will help you at that.
Debian GNU/Linux -- You know you want it.
- 04-01-2009 #7
Also, unless you have a specific reason to have it running, disable ssh, as that is most likely how the intruder got in (especially if your root PW is not very strong, a brute force attack can do you in easily).
If you DO need it open, then I would suggest you disable root login via ssh, and disable password authentication in favor of a keypair. This is not as convenient, as you need to have a copy of your private key any time you want to login, but it reduces the chance of an intrusion via ssh to a VERY minimal chance (unless they obtain your key somehow, it is pretty much impossible).
Changing the port it runs on will help too, but not nearly as much as the methods described below, it will just save you from the most useless of script kiddies.
New to the internet, technical forums, or the hacker / open source community??
Read this to learn good posting habits http://www.catb.org/~esr/faqs/smart-questions.html
RHCE for RHEL version 5
RHCT for RHEL version 4
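The ssh hardening suggested in post #7 (no root login over ssh, no password authentication) can be checked mechanically. The script below is an added example, not part of the original thread: the function names and the sample configuration are constructed for illustration, and it reads only the global section of a single file (no Include or Match handling).

```shell
#!/bin/sh
# Added example: audit an sshd_config for the two settings recommended above.

# Print the effective global value of keyword $2 in file $1, or "unset".
# sshd keeps the FIRST value it reads for a keyword, keywords are
# case-insensitive, and "Keyword=value" is accepted as well as spaces.
sshd_effective() {
    awk -F'[ \t=]+' -v want="$2" '
        BEGIN { want = tolower(want); val = "unset" }
        { sub(/^[ \t]+/, "") }               # drop leading whitespace
        /^#/ || /^$/ { next }                # comments and blank lines
        tolower($1) == "match" { exit }      # conditional sections: stop here
        tolower($1) == want { val = tolower($2); exit }
        END { print val }
    ' "$1"
}

# Print one line per weak setting; return 0 only when both are hardened.
# An unset PermitRootLogin is flagged because its default depends on the
# OpenSSH version; an unset PasswordAuthentication defaults to yes.
audit_sshd() {
    rc=0
    root=$(sshd_effective "$1" PermitRootLogin)
    pass=$(sshd_effective "$1" PasswordAuthentication)
    if [ "$root" != "no" ]; then
        echo "WEAK PermitRootLogin=$root (want: no)"; rc=1
    fi
    if [ "$pass" != "no" ]; then
        echo "WEAK PasswordAuthentication=$pass (want: no)"; rc=1
    fi
    return $rc
}

# Constructed sample: the commented-out line is ignored and the first
# uncommented PermitRootLogin wins, so the later "no" has no effect.
sample=$(mktemp)
cat > "$sample" <<'EOF'
#PermitRootLogin no
PermitRootLogin yes
permitrootlogin no
PasswordAuthentication no
Match User backup
    PasswordAuthentication yes
EOF
audit_sshd "$sample" || true
rm -f "$sample"
```

On a live host, `sshd -T` run as root prints the effective configuration with Include and Match processing applied, which is the authoritative view.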
- 04-01-2009 #8
My suggestions are: disconnect from the internet, disable ssh services and change your root password. And then re-connect to the net.
First they ignore you, Then they laugh at you, Then they fight with you, Then you win. - M.K.Gandhi
-----
FOSS India Award winning ext3fs Undelete tool www.giis.co.in. Online Linux Terminal http://www.webminal.org


