Having a bit of trouble with a Ubuntu 9.04 system - the hard disk is getting full, all the time. df and du are listing true (I believe) sizes of files, whereas the GUI application Disk Usage Analyzer is telling me that the usage is 18Gb out of 35Gb. Using lsof, poking around a bit, I found this: Code: wayne@workpc:~$ lsof +L1 COMMAND PID USER FD TYPE DEVICE SIZE NLINK NODE NAME python 3378 wayne 9r REG 8,1 1460 0 314799 /etc/passwd (deleted) According to a website I read, any open file with a link count of less than one is supposedly someone trying to hide something. The fact that they're trying to hide something to do with /etc/passwd using python is pretty alarming to me. Has something happened to this system? When setting up ssh logins so I could remotely administer it (its my dads work PC), I stupidly left ssh open to the internet on port 22 with the password the same as the username - I quickly fixed my error 20 minutes later when I was home again, but obviously this 20 minute window was large enough. I've instructed him to disconnect the network cable until I can see to it properly. Any comments, scaldings, insults or help appreciated.