A hacker gained root access to my system apparently via 'lpd'. The evidence I have that 'lpd' was comprimised are two facts: some of the original files were created with group 'lp' the 'rootkit' scripts used by the hacker after gaining access removed/replaced 'lpd' for no apparent reason. I have file a report with CERT. I have a copy of all the 'rootkit' scripts used by the hacker.
Did you update LPRng as suggested by Red Hat's security advisory issued several months ago? See: http://www.redhat.com/support/errata/RHSA-2000-065-06.html
looks like the ramen worm or a variant. Yes, it should have been closed by the errata.