hard link backup failed


Today I got this error on daily backups: "The following hard links have been found"
I can see one of my new users have files in his public_html with names like "etc/passwd etc/quota …" but all files are empty.
Is he trying to hack the server’s passwords?
Is my DirectAdmin safe now?
What should I do to prevent this kind of attacks?