mfa298

Re: mystery login

Wed Feb 22, 2017 10:56 am

prioryjim wrote:
OK I failed on that!
But root password didn't change.

Any files of interest?
Thanks
Jim

With root access via the Pi account they could have:
  • added some ssh keys to root to allow them in
  • installed a backdoor that allows them in
  • worked out what the root password was from the stored hash
On the new Pi, personally I'd create a new user with a strong password and then remove the Pi user. Then use my new user when connecting in. When you need a root shell, either use "su -" if you set a root password or "sudo -i" if not.

If you've got services open to remote access then consider locking down what can access them or running on an obscure port. Also remember to keep everything regularly updated. If you had some webapp installed and accessible it's possible the initial access was through that.
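
A read-only audit for the routes listed in the post above (extra SSH keys, backdoor accounts, usable password hashes), as an added example that is not part of the original post. The sample tree built by make_fixture, including the account name "extra", the hashes and the key, is constructed, and passing a mount point as the first argument is an assumed way of running it.

```sh
#!/bin/sh
# Added example: read-only checks. ROOT is "/" for the running system (run as
# root) or the mount point of the old SD card (an assumed way of running it).

# Accounts with UID 0; only "root" is expected.
uid0_accounts() {
    awk -F: '$3 == 0 { print $1 }' "$1/etc/passwd"
}

# Accounts whose shadow password field is not locked ("!" or "*" prefix).
password_accounts() {
    awk -F: '$2 !~ /^[!*]/ { print $1 }' "$1/etc/shadow"
}

# "user:count" for every account that holds SSH authorized keys.
ssh_key_accounts() {
    while IFS=: read -r user pw uid gid gecos home shell; do
        n=0
        for f in "$1$home/.ssh/authorized_keys" "$1$home/.ssh/authorized_keys2"; do
            [ -f "$f" ] || continue
            c=$(grep -cvE '^[[:space:]]*(#|$)' "$f" || true)
            n=$((n + ${c:-0}))
        done
        if [ "$n" -gt 0 ]; then echo "$user:$n"; fi
    done < "$1/etc/passwd"
}

# Constructed sample tree (accounts, hashes and key are made up).
make_fixture() {
    d=$(mktemp -d)
    mkdir -p "$d/etc" "$d/root/.ssh" "$d/home/pi/.ssh"
    cat > "$d/etc/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
pi:x:1000:1000:,,,:/home/pi:/bin/bash
extra:x:0:0::/var/lib/extra:/bin/sh
EOF
    cat > "$d/etc/shadow" <<'EOF'
root:*:17200:0:99999:7:::
pi:$6$constructed$notarealhash:17200:0:99999:7:::
extra:$6$constructed$notarealhash:17219:0:99999:7:::
EOF
    printf '# comment\nssh-rsa AAAAconstructed user@example\n' > "$d/root/.ssh/authorized_keys"
    echo "$d"
}

ROOT=${1:-$(make_fixture)}
echo "UID 0 accounts:";     uid0_accounts "$ROOT"
echo "Unlocked passwords:"; password_accounts "$ROOT"
echo "SSH keys:";           ssh_key_accounts "$ROOT"
```

Any UID 0 account other than root, any key you did not add, or an unlocked password on an account you did not set up is a reason to rebuild from a clean image instead of cleaning up in place.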
