ok, having seen numerous comments (and numerous requests for the file), i have decided to punt the list to cert.org and let them deal with it. - as much as i'd like to, i don't have the time/energy to run through the list and contact each netadmin. i've walked that trail before while attempting to nip a few DoS attacks. - i will not send the list to anyone other than cert, unless suggestions can be made for other "authorative" groups who will maybe pick up the task of contacting the netadmins in the list my suspicions and some things to look for: - boxes were comprimised using the buffer overflow in telnetd (speculation) - my box had a bogus /usr/sbin/nscd (which is not a normal FreeBSD binary) - nscd appears to be a hacked sshd, listening on a 14000 series port - it had its own /etc/ssh_* config files (FreeBSD puts them in /etc/ssh/ssh_*) - there was a file in /dev/ptaz which appeared to be DES crypto gunge - there were a bunch of irc/eggdrop related files in a ".e" directory of one of the user's $HOME suggestions for looking about: - do an ls -lta in bindirs, my systems generally have all /bin /usr/bin files with the same timestamp - do a "du /dev" and look for anomalies - do a "cd /dev ; ls -l | grep -e-" and look for anomalies - do a "ls -ltra /" (as well as /usr and /usr/local) and look for anomalies -- [ Jim Mercer jim@reptiles.org +1 416 410-5633 ] [ Now with more and longer words for your reading enjoyment. ]