there is in auth.log:
Dec 16 07:40:08 linux2009 sudo: root : TTY=unknown ; PWD=/ ; USER=myusername ; COMMAND=/usr/bin/gconftool –get /system/http_proxy/use_http_proxy
Dec 16 07:40:08 linux2009 sudo: root : TTY=unknown ; PWD=/ ; USER=myusername ; COMMAND=/usr/bin/gconftool –get /system/http_proxy/host
Dec 16 07:40:09 linux2009 sudo: root : TTY=unknown ; PWD=/ ; USER=myusername ; COMMAND=/usr/bin/gconftool –get /system/http_proxy/port
Dec 16 07:40:12 linux2009 su[12847]: Successful su for nobody by root
Dec 16 07:40:12 linux2009 su[12847]: + ??? root:nobody
Dec 16 07:40:12 linux2009 su[12847]: pam_unix(su:session): session opened for user nobody by (uid=0)
Dec 16 07:41:16 linux2009 su[12847]: pam_unix(su:session): session closed for user nobody

7:40 is time when usually “5ubuntu3: restart” is written in syslog.

and there were SystemToolsBackends.pl running (i even has not known about that script). and there is a strange file that may be not related to this: /sqlvee4zj .

also there is something that gives some suspicion in chat log.

and my password has been changed.

15:28 gmt +3 : i have written about my suspicion in several channels were person about whom i thought that he can be “cracker” or “hacker” and linked to this blog post in the irc network were i am connected much time and have seen that in log in little #test channel where i was connected. then i have been more really attacked today through xchat >2009-12-17 9:36 but i see now that that was not only for me, for all or many chat users<. and i am sorry! i think now may be i have forgotten my password myself!!! because i have changed it just yesterday. i tried several variation today but now i have remembered one thing about the password, it is a pity, i cannot check that now, because i have changed it.

2009-12-17 10:27 : my password has been changed again!