Alfred von Campe wrote: > My home system has been hacked. It's running CentOS 4.4, and I > recently added an account to play around with Samba shares to back up > PCs here at home. I had set a weak password for that account and > forgot to disable it after my testing. I could hear the disk being > accessed constantly, so I knew something was up. I disabled the port > forwarding to my CentOS box on my Linksys router (only ports 22 and 80 > were being forwarded). if for sure only 22 and 80 were forwarded, then it wasn't Samba. There's no default account I see here on my 4.4 boxes named backup, was that something you'd created? some package you'd installed? what was on your website? any canned php scripting or whatever? re: cleanup... look very carefully for directories in odd places with . names I'd run rkhunter to see if tehre's any other well known root kits on your system.