Subject: Re: system possibly compromised
To: None <netbsd-help@netbsd.org>
From: Roger Fischer <rgfisch@excite.com>
List: netbsd-help
Date: 02/24/2004 13:51:22
Well, I installed "lsof" and "chkrootkit".
There are no docs or manpages for "chkrootkit".

Anyway, it looks like all the open ports are OK.
That "/USR/BIN/CRON" is still weird.
I'll have to keep an eye on the system, and I may be
doing a reinstall soon.

Thanks,
Roger.

P.S.
 I'll still appreciate any additional ideas to check out
if anybody sends them my way.





--- On Tue 02/24, Herb Peyerl <hpeyerl@beer.org> wrote:
From: Herb Peyerl [mailto:hpeyerl@beer.org]
To: rgfisch@excite.com
Cc: michal@pasternak.w.lub.pl, netbsd-help@netbsd.org
Date: Tue, 24 Feb 2004 10:20:33 -0700
Subject: Re: system possibly compromised

Tue, 24 Feb 2004 12:15:16 -0500. <20040224171516.DDC5E3CF7@xprdmailfe10.nwk.excite.com>
 > 
 > $ find /dev -type d
 > /dev
 > /dev/fd
 > /dev/altq

Yeah, that's all good, unless they wrapped "find".  I don't know
if there are any NetBSD rootkits and if there are, I don't know what
they do. I only know what the various Solaris ones do.


