Hello Everyone,

I'm running an fc20 Linux linode. I'll admit the past two months I've not been paying as much attention to it as I should, with a bunch of unexpected stresses. That being said, it is fully up to date (I do that daily) and it is running a firewall as well as the fail2ban software for automated bot defense.

Tonight I checked my email and noticed two from an account on my system sent to me, that is, my account. I've got all root email forwarded to my account to read it. Now two things: first, this account shouldn't have got any cron reports; second, since I use virtual users and they're all in a database, that user shouldn't have been able to send email from my server to me.

I checked the account on the server and noticed a hidden directory called .local, under which there was a share directory and a system directory under that. Finally, there is a broken symbolic link called user which points, or pointed I should say, to a now nonexistent file and folder which do not exist.

I've got an email out to the user, and I've checked the password file for any accounts with login shells; nothing new has come up. If this was an attempted root break-in with a rootkit, this user is not in the sudoers file, so I think I'm safe there.

I'd like to hear your thoughts on this, and some further steps I can take on this issue to either confirm or refute whether I've been breached.

Thanks.
Dave.
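The checks Dave describes (accounts with login shells, the suspicious dot-directory, the dangling symlink, cron and sudo membership) can be scripted so they are repeatable and easy to re-run after any cleanup. The following is an added example written for this thread, not code from the original post or from any Fedora or Linode tool. Every path is a parameter so the same helpers run against a constructed fixture offline or against the live /etc, /home and /var/spool/cron. The fixture's user name "suspect", the .local/share/system/user link and the crontab line are all constructed for the demonstration.

```shell
#!/bin/sh
# Triage helpers for a possibly compromised shell account (added example).

# Print usernames whose login shell is interactive (anything not ending in
# nologin or false). $1 = passwd-format file, default /etc/passwd.
login_shell_accounts() {
    awk -F: '$7 !~ /(nologin|false)$/ { print $1 }' "${1:-/etc/passwd}"
}

# Print dangling symlinks below a directory. A link whose target has vanished
# is a common leftover of a payload staged in /tmp and later removed.
# $1 = directory to scan.
broken_symlinks() {
    find "$1" -type l ! -exec test -e {} \; -print 2>/dev/null
}

# Print hidden directories under a home directory, skipping the usual
# legitimate ones so odd names like .local/share/system stand out.
hidden_dirs() {
    find "$1" -mindepth 1 -maxdepth 3 -type d -name '.*' \
        ! -name '.ssh' ! -name '.cache' ! -name '.config' -print 2>/dev/null
}

# True if the user has a crontab in the spool (explains unexpected cron mail).
# $1 = user, $2 = spool directory, default /var/spool/cron.
has_crontab() {
    [ -f "${2:-/var/spool/cron}/$1" ]
}

# True if the user has a sudoers rule or is in the wheel/sudo group.
# $1 = user, $2 = sudoers file, $3 = group file.
in_sudoers() {
    grep -Eq "^[[:space:]]*$1[[:space:]]" "${2:-/etc/sudoers}" 2>/dev/null ||
    grep -Eq "^(wheel|sudo):.*[:,]$1(,|$)" "${3:-/etc/group}" 2>/dev/null
}

# Human-readable report for one account. $1 = user, $2 = root of the tree to
# inspect ("" for the live system, or a fixture directory).
triage_user() {
    user=$1; root=$2
    echo "== accounts with login shells =="; login_shell_accounts "$root/etc/passwd"
    echo "== hidden dirs in ~$user =="; hidden_dirs "$root/home/$user"
    echo "== dangling symlinks in ~$user =="; broken_symlinks "$root/home/$user"
    if has_crontab "$user" "$root/var/spool/cron"; then
        echo "== crontab for $user =="; cat "$root/var/spool/cron/$user"
    fi
    if in_sudoers "$user" "$root/etc/sudoers" "$root/etc/group"; then
        echo "$user HAS sudo rights"
    else
        echo "$user has no sudo rights"
    fi
}

# Constructed fixture mirroring the situation in the post, so the helpers can
# be exercised without touching a real system. Prints the fixture root.
make_fixture() {
    d=$(mktemp -d)
    mkdir -p "$d/home/suspect/.local/share/system" "$d/etc" "$d/var/spool/cron"
    ln -s "$d/tmp/gone" "$d/home/suspect/.local/share/system/user"   # dangling
    printf 'root:x:0:0:root:/root:/bin/bash\n' > "$d/etc/passwd"
    printf 'mail:x:8:12:mail:/var/spool/mail:/sbin/nologin\n' >> "$d/etc/passwd"
    printf 'suspect:x:1001:1001::/home/suspect:/bin/bash\n' >> "$d/etc/passwd"
    printf 'wheel:x:10:admin\n' > "$d/etc/group"
    printf 'root ALL=(ALL) ALL\n' > "$d/etc/sudoers"
    printf '*/5 * * * * /home/suspect/.local/share/system/user\n' \
        > "$d/var/spool/cron/suspect"
    echo "$d"
}

# Stand-alone run against the fixture: triage_user suspect "$(make_fixture)"
```

Running `triage_user <name> ""` on the live box lists every interactive account in /etc/passwd, any unexpected dot-directories and dangling links in that user's home, the user's crontab if one exists (the likely source of the surprise cron mail), and whether the account has sudo rights. A crontab pointing at a now-missing file under .local/share/system is consistent with a scheduled job whose payload was removed; the output is a starting point for the deeper steps the thread asks about, not proof either way.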
participants (1)
-
David Mehler