Red Hat Bugzilla – Bug 644
Unauthorized login: cigna
Last modified: 2008-05-01 11:37:48 EDT
The following was found in my /var/log/messages file.
[root@has-a RedHat]# grep cigna /var/log/messages
Dec 28 16:12:01 has-a PAM_pwdb: (login) session opened for user cigna by (uid=0)
Dec 28 16:12:01 has-a login: LOGIN ON ttyp5 BY cigna
However, a grep of /etc/password provided no login
of that name.
I saw no reports of this, and could not search the mailing
list archives; however, I did notice another user posted to
dejanews with the same problem.
I have had to disable telnetd, as my entire system was
compromised from this.
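The check done by hand in the report above (a login name in /var/log/messages with no matching /etc/passwd entry) can be automated. The following is an added example, not part of the original report; the sample log and passwd contents are constructed, modelled on the two log lines quoted above, and the function names are hypothetical.

```python
import re

# Constructed sample input, modelled on the log lines quoted in the report.
SAMPLE_LOG = """\
Dec 28 16:10:44 has-a login: LOGIN ON ttyp3 BY alice
Dec 28 16:12:01 has-a PAM_pwdb: (login) session opened for user cigna by (uid=0)
Dec 28 16:12:01 has-a login: LOGIN ON ttyp5 BY cigna
"""
# Constructed passwd content: "cigna" is deliberately absent.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
alice:x:500:500::/home/alice:/bin/bash
"""

STAMP = r"^(\w{3}\s+\d+ [\d:]{8}) (\S+) "
# login(1) line: groups are timestamp, host, tty, user
LOGIN_RE = re.compile(STAMP + r"login: LOGIN ON (\S+) BY (\S+)")
# PAM_pwdb line: groups are timestamp, host, service, user
PAM_RE = re.compile(STAMP + r"PAM_pwdb: \((\S+)\) session opened for user (\S+) by")


def passwd_users(passwd_text):
    """Return the set of account names in passwd-format text."""
    users = set()
    for line in passwd_text.splitlines():
        if line and not line.startswith("#"):
            users.add(line.split(":", 1)[0])
    return users


def unknown_logins(log_text, passwd_text):
    """List (timestamp, host, tty_or_service, user) for every logged
    session whose user has no passwd entry. Accounts served by NIS or
    another directory are not in the local file and will also be listed."""
    known = passwd_users(passwd_text)
    findings = []
    for line in log_text.splitlines():
        m = LOGIN_RE.match(line) or PAM_RE.match(line)
        if m and m.group(4) not in known:
            findings.append(m.groups())
    return findings


if __name__ == "__main__":
    for stamp, host, source, user in unknown_logins(SAMPLE_LOG, SAMPLE_PASSWD):
        print(f"{stamp} {host}: session for unknown user {user!r} via {source}")
```

On a host that may already be compromised, run this from trusted media against copies of the log and passwd files, since local binaries and logs may have been altered.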
I would suggest contacting the sysadmin from the site mentioned in the
/var/log/messages to see if they have a record of a user by that name.
Let them know of the wrongdoing and they should take action.
I would recommend restoring from a previous backup or reinstalling
from scratch and then applying all security updates. I have not been able
to replicate the login in our test lab. Certain important system files
must have been replaced by the intruder to allow logging in by that