changing root password with Knoppix 926
You are in a race. As quickly as you fix, the cracker can undo your fix. At least take it off the net for a while while you fix the cracks. As a minimal effort. to find all files which have changed since you installed them. (Actually you should first reinstall rpm to make sure that it is good.) Go through those files and reinstall (--force) all of the rpms containing altered files (assuming of course that they are not altered because they are configuration files). Then do find -perm +6000 -ls to find all files which are suid-sgid. Some of course should be. But no file in /dev, /tmp, /etc or other such weird places should be. (Of course you have to be sure that your find is a good find. You might want to use the find and the rpm from a single disk like Mandrake One or Knoppix or whatever.)
Of course. But he may well have a little program which runs and captures the passwords, or bypasses them anyway (replaced login, ssh, telnet programs).
Uh, what this does is to remove the root password entirely. What you would be better off doing is to use Knoppix to set another root password, and then copy that into /etc/shadow.
changing root password with Knoppix 927 Unruh
OK, so I run that RPM verification and get results like: S.5....T c /usr/share/sgml/docbook/xmlcatalog SM5...
You can trust NOTHING on the infected machine.
This is completely off topic isn't it?
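Added example, not part of the original thread: a small Python triage of rpm verify output like the line quoted above, separating changed non-configuration files (candidates for reinstalling with --force) from configuration files and mtime-only changes that need a manual look. It assumes the output was captured with an rpm binary run from trusted media such as Knoppix; every sample line except the first is constructed.

```python
import re

# rpm verify flag letters; older rpm prints 8 flag columns, newer prints 9.
FLAGS = {"S": "size", "M": "mode", "5": "digest", "D": "device", "L": "symlink",
         "U": "owner", "G": "group", "T": "mtime", "P": "capabilities"}
LINE = re.compile(r"^(?P<flags>[SM5DLUGTP.?]{8,9})\s+(?:(?P<attr>[cdglr])\s+)?(?P<path>/.*)$")
MISSING = re.compile(r"^missing\s+(?:(?P<attr>[cdglr])\s+)?(?P<path>/.*)$")
# Changes that mean the file content or its permissions differ from the package.
SERIOUS = {"size", "digest", "mode", "owner", "group", "missing"}

def parse_verify_line(line):
    """Parse one line of rpm verify output; return None if it is not a finding."""
    line = line.rstrip("\n")
    m = MISSING.match(line)
    if m:
        return {"path": m["path"], "attr": m["attr"], "changed": ["missing"]}
    m = LINE.match(line)
    if not m:
        return None
    changed = [FLAGS[c] for c in m["flags"] if c in FLAGS]
    return {"path": m["path"], "attr": m["attr"], "changed": changed}

def triage(lines):
    """Return (reinstall, review): altered non-config files vs. everything else."""
    reinstall, review = [], []
    for line in lines:
        rec = parse_verify_line(line)
        if rec is None:
            continue  # e.g. dependency messages
        if rec["attr"] != "c" and SERIOUS & set(rec["changed"]):
            reinstall.append(rec)
        else:
            review.append(rec)  # config files and mtime-only changes: inspect by hand
    return reinstall, review

SAMPLE = [
    "S.5....T c /usr/share/sgml/docbook/xmlcatalog",  # line quoted in the thread
    "S.5....T.    /bin/login",        # constructed
    ".M.......    /usr/bin/passwd",   # constructed
    ".......T.  c /etc/hosts",        # constructed
    "missing      /usr/bin/example",  # constructed
]

if __name__ == "__main__":
    reinstall, review = triage(SAMPLE)
    for rec in reinstall:
        print("REINSTALL", rec["path"], ",".join(rec["changed"]))
    for rec in review:
        print("REVIEW   ", rec["path"], ",".join(rec["changed"]))
```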