My home system has been hacked. It's running CentOS 4.4, and I recently added an account to play around with Samba shares to back up PCs here at home. I had set a weak password for that account and forgot to disable it after my testing.

I could hear the disk being accessed constantly, so I knew something was up. I disabled the port forwarding to my CentOS box on my Linksys router (only ports 22 and 80 were being forwarded).

After some poking around, I found the following files in the directory "/var/tmp/ /.. ":

-rw-rw-r-- 1 backup backup   9468 Dec  1 00:20 azi2.seen
-rw-rw-r-- 1 backup backup   9513 Dec  1 00:20 azi3.seen
-rw-rw-r-- 1 backup backup   9513 Dec  1 00:20 azi4.seen
-rwxr-xr-x 1 backup backup 504464 Feb 10  2005 -bash
-rwx--x--x 1 backup backup  22936 Feb 10  2005 kswap.help
-rw-r--r-- 1 backup backup   1085 Dec  1 00:00 kswap.levels
-rw------- 1 backup backup      5 Nov 29 17:28 kswap.pid
-rw-r--r-- 1 backup backup   1480 Dec  1 00:00 kswap.session
-rw-r--r-- 1 backup backup   4731 Dec 25  2005 kswap.set
-rw-r--r-- 1 backup backup 165073 Dec  1 00:26 LinkEvents
-rw-r--r-- 1 backup backup    258 Dec  1 00:00 mech2.users
-rw-r--r-- 1 backup backup    258 Dec  1 00:00 mech3.users
-rw-r--r-- 1 backup backup    258 Dec  1 00:00 mech4.users
-rw-r--r-- 1 backup backup    258 Jun 28  1999 mech.users
-rwxr-xr-x 1 backup backup 174396 May 17  2004 pico

Anyone recognize this root kit (if that is what it is)?

I've disabled the backup account, and re-enabled port forwarding on my router (so I can access the system from home). Other than deleting these files, is there anything else I should worry about? I'd rather not re-install the OS...

Alfred