The following was found in my /var/log/messages file.

    [root@has-a RedHat]# grep cigna /var/log/messages
    Dec 28 16:12:01 has-a PAM_pwdb[3860]: (login) session opened for user cigna by (uid=0)
    Dec 28 16:12:01 has-a login[3860]: LOGIN ON ttyp5 BY cigna FROM webmaxx.colo.onramp.net

However, a grep of /etc/password provided no login of that name. I saw no reports of this, and could not search the mailing list archives; however, I did notice another user posted to dejanews with the same problem. I have had to disable telnetd, as my entire system was compromised from this.
I would suggest contacting the sysadmin from the site mentioned in the /var/log/messages to see if they have a record of a user by that name. Let them know of the wrongdoing and they should take action. I would recommend restoring from a previous backup or reinstalling from scratch and then applying all security updates. I have not been able to replicate the login in our test lab. Certain important system files must have been replaced by the intruder to allow logging in by that name.
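
The check from the first post (a login recorded for a name that has no passwd entry), generalized to a whole log, as an added example that is not part of the original thread. It assumes log lines shaped like the two quoted above; the third log line, the passwd data and the function names are constructed for illustration.

```python
import re

# Line shapes taken from the two /var/log/messages entries quoted in the post.
PREFIX = r"^(?P<time>\w{3}\s+\d+\s[\d:]{8})\s(?P<host>\S+)\s"
LOGIN_RE = re.compile(
    PREFIX + r"login\[(?P<pid>\d+)\]:\sLOGIN ON (?P<tty>\S+) BY (?P<user>\S+)"
    r"(?: FROM (?P<source>\S+))?"
)
PAM_RE = re.compile(
    PREFIX + r"PAM_pwdb\[(?P<pid>\d+)\]:\s\(\w+\) session opened for user (?P<user>\S+) by"
)


def passwd_users(passwd_lines):
    """Return the account names (first colon-separated field) of passwd-format lines."""
    users = set()
    for line in passwd_lines:
        line = line.strip()
        if line and not line.startswith("#"):
            users.add(line.split(":", 1)[0])
    return users


def unknown_logins(log_lines, passwd_lines):
    """List login/session records whose user has no entry in the passwd data."""
    known = passwd_users(passwd_lines)
    findings = []
    for line in log_lines:
        m = LOGIN_RE.match(line) or PAM_RE.match(line)
        if m and m.group("user") not in known:
            fields = m.groupdict()
            findings.append({
                "time": fields["time"], "pid": fields["pid"], "user": fields["user"],
                "tty": fields.get("tty"), "source": fields.get("source"),
            })
    return findings


# First two lines are from the post; the third line and the passwd data are constructed.
SAMPLE_LOG = [
    "Dec 28 16:12:01 has-a PAM_pwdb[3860]: (login) session opened for user cigna by (uid=0)",
    "Dec 28 16:12:01 has-a login[3860]: LOGIN ON ttyp5 BY cigna FROM webmaxx.colo.onramp.net",
    "Dec 28 17:03:44 has-a login[3912]: LOGIN ON ttyp2 BY alice FROM host.example.net",
]
SAMPLE_PASSWD = ["root:x:0:0:root:/root:/bin/bash", "alice:x:500:500::/home/alice:/bin/bash"]

if __name__ == "__main__":
    for finding in unknown_logins(SAMPLE_LOG, SAMPLE_PASSWD):
        print(finding)
```

Run it on copies of the log and passwd file examined from a trusted system, since the reply above expects that system files on the compromised host were replaced.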