While reading over my logwatch report this morning I found this one entry for Init:
---------------------- Init Begin -------------------------
**Unmatched Entries**
Trying to re-exec init
---------------------- Init End -------------------------
I checked out /etc/inittab for any changes. Tripwire reported lots of changes, but just yesterday I used up2date on glibc and nscd and didn't reinitialize the tripwire db, so that explains the lot of them.
Also, I noticed nscd added a config file under /etc/rc.d/init.d, so I was wondering if it's normal for either of these updates to re-exec initd or if I should be more concerned.
While digging, I found someone checking an email account that shouldn't be. The person has obviously sniffed this user's pass because there was no brute-force attack and now he was steadily checking the POP3 box. So I went ahead and changed the user's pass and added the host to iptables.
Is there anything I should do? Did I look in the right places?
Thanks