This is the relevant output after the third attack on skillz.303.org where the attacker RMd the system. Once again.. not much to go on. The only thing that stands out in each case is a connection from stat-51.shoes.org in each case. Before the attacks, during the attacks, and minutes after the machine was RMd.

=-=

Feb 12 9:50 range skillz.303.org - recursive RM started.
Following directories affected:
  /home
  /usr/lib
  (/home/lstaley preserved because of chattr)

=-=

Who was on the machine when it happened... 'discore' is the only unverified user at this point, and we are trying to get in touch with him. The rest were the actual users. If discore is not legit, that is the account used.. if he is, the system was backdoored.

  9:50am  up 17:05,  5 users,  load average: 0.50, 0.26, 0.14
USER     TTY      FROM              LOGIN@   IDLE   JCPU   PCPU  WHAT
netmask  ttyp1    xenos.dimensiona  4:57pm  0.00s  0.39s  0.03s  w
discore  ttyp2    slc647.modem.xmi  8:59pm 12:36m  0.08s  0.08s  -bash
polymorf ttyp3    modem15.powersit  9:10pm 12:34m  4.02s  3.94s  BitchX
cavalier ttyp4    hyper.dimensiona  9:21am  1:02   0.86s  0.79s  pine
liz      ttyp5    ppp-207-204-90-9  9:34am  4:48   2.82s  2.76s  BitchX

=-=

The only netstat connections that can't be explained. 'shoes' was in all four 'netstat' outputs at all phases of the attack.

bash# netstat -a
tcp        0      0 skillz.303.org:8334     stat-51.shoes.org:12052  ESTABLISHED
tcp        0      0 skillz.303.org:8311     www.airmail.net:6661     ESTABLISHED
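
=-=

The triage reasoning above (a peer that shows up in every netstat snapshot and is not the login source of any session in 'w') can be scripted. This is an added example, not part of the original notes; every hostname and snapshot in it is constructed, the function names are hypothetical, and it assumes every 'w' row is a remote session with a FROM value.

```python
W_FROM_WIDTH = 16  # `w` truncates the FROM column to 16 characters

def remote_peers(netstat_text):
    """Remote hostnames of ESTABLISHED TCP connections in one snapshot."""
    peers = set()
    for line in netstat_text.splitlines():
        f = line.split()
        if len(f) >= 6 and f[0].startswith("tcp") and f[5] == "ESTABLISHED":
            peers.add(f[4].rsplit(":", 1)[0].lower())  # strip the remote port
    return peers

def login_sources(w_text):
    """FROM column of every session row below the `w` header line."""
    rows = [r.split() for r in w_text.splitlines()]
    start = next(i for i, r in enumerate(rows) if r[:3] == ["USER", "TTY", "FROM"])
    return {r[2].lower() for r in rows[start + 1:] if len(r) >= 3}

def explained(peer, source):
    """A full-width FROM value may be truncated, so match it as a prefix."""
    if len(source) >= W_FROM_WIDTH:
        return peer.startswith(source)
    return peer == source

def unexplained_persistent(snapshots, w_text):
    """Peers present in every snapshot that match no login source."""
    common = set.intersection(*(remote_peers(s) for s in snapshots))
    sources = login_sources(w_text)
    return sorted(p for p in common if not any(explained(p, s) for s in sources))

# Constructed sample data (not taken from the incident).
W_SAMPLE = """9:50am up 17:05, 2 users, load average: 0.50, 0.26, 0.14
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
alice ttyp1 modem15.isp.exam 9:10pm 12:34m 4.02s 3.94s -bash
bob ttyp2 gw.example.net 9:21am 1:02 0.86s 0.79s pine"""
BEFORE = """tcp 0 0 victim.example.org:23 modem15.isp.example.net:1042 ESTABLISHED
tcp 0 0 victim.example.org:8334 peer-x.example.com:12052 ESTABLISHED
tcp 0 0 victim.example.org:23 gw.example.net:1107 ESTABLISHED"""
DURING = BEFORE + "\ntcp 0 0 victim.example.org:1200 irc.example.org:6667 ESTABLISHED"
AFTER = """tcp 0 0 victim.example.org:23 modem15.isp.example.net:1042 ESTABLISHED
tcp 0 0 victim.example.org:8340 peer-x.example.com:12060 ESTABLISHED
tcp 0 0 *:23 *:* LISTEN"""

if __name__ == "__main__":
    print(unexplained_persistent([BEFORE, DURING, AFTER], W_SAMPLE))
```

A peer that survives this filter is only a lead: it still has to be tied to a process and an account on the host before it says anything about how access was obtained.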