Personal computer hacked: How do I block this user from logging in again? How do I find out how they are logging in?

Wipe the hard drive and reinstall your operating system from scratch.

In any case of unauthorised access there is the possibility the attacker was able to get root privileges, so it is sensible to assume that it happened. In this case, auth.log appears to confirm this was indeed the case - unless this was you that switched user:

Apr 27 06:55:55 Rho su[23881]: Successful su for guest-g20zoo by root

With root privileges in particular, they may have messed with the system in ways which are practically impossible to fix without a reinstall, such as by modifying boot scripts or installing new scripts and applications that run at boot, and so on. These could do things like run unauthorised network software (ie to form part of a botnet), or leave backdoors into your system. Trying to detect and repair this sort of thing without a reinstall is messy at best, and not guaranteed to rid you of everything.


It looks like someone opened a guest session on your laptop while you where away from your room. If I were you I'd ask around, that may be a friend.

The guest accounts you see in /etc/passwd and /etc/shadow are not suspicious to me, they are created by the system when someone open a guest session.

Apr 27 06:55:55 Rho su[23881]: Successful su for guest-g20zoo by root

This line means root has access to the guest account, which could be normal but should be investigated. I've tried on my ubuntu1404LTS and don't see this behaviour. You should try to login with a guest session and grep your auth.log to see if this line appear everytime a guest user logs in.

All the opened windows of chrome, that you've seen when you opened your laptop. Is it possible that you were seeing the guest session desktop ?