On 2014-01-10, agrquinonez <agrquino...@riseup.net> wrote: > I downloaded it from http://ftp.Openbsd.org; yes, it was checked; > DokuWiki came from pkg_add; password is never used; i do ssh-copy-id and > then ssh key + pass-phrase.
Are password logins *disabled* (and if so, where and how), or do you just not use them? How about ftp access, if you're running it, is it anonymous-only (e.g. ftpd -A) or do regular users have access? Faced with this type of situation I'd get the machine offline, put the disk on another (clean) machine - don't boot from it but mount/duplicate the disk - compare (diff) with a clean install of things that are supposed to be on it, looking to see what changes have been made (your config changes, programs that you may have forgotten about, any files that may have been brought over by the attacker, log entries, etc), and look for clues..
