Subject: Re: system possibly compromised
To: Gary Thorpe <gathorpe79@yahoo.com>
From: Herb Peyerl <hpeyerl@beer.org>
List: netbsd-help
Date: 02/24/2004 15:30:03
In-reply-to: Your message of "Tue, 24 Feb 2004 17:17:27 -0500." <20040224221727.20974.qmail@web41201.mail.yahoo.com>
> > If somebody has been in here, what's the best way to recover?
> > NetBSD 1.6.1, i386. Full process list is below.
> >
> ..
> > root 296 1 296 9a1f80 0 Ss ?? 0:12.49
> > /usr/sbin/cron
> > root 13252 296 296 9a1f80 0 I ?? 0:00.01
> > /USR/SBIN/CRON (cron)
>
> Somebody has probably already pointed this out: it seems the fake cron
> is started from the real one, so the kit probably involves your real
> crontab. The name of the executable displayed can be changed I think,
> so it won't be so straightforward. However, you can start with the
> crontab(s) or the cron executable itself.
>
> You can be sure something like a rootkit is installed, because NetBSD
> (or most unixes) will not by default create directories with uppercase
> names, e.g. /USR/SBIN won't exist unless you go out of your way to create it.
> Preventing it is too late, so I hope others can suggest other ways to
> find the kit's components.
umm.. hold it a darn second... Cron _DOES_ do that. I hope you're
not basing the premise that he's been rootkitted on the fact that
there's a "/USR/SBIN/CRON" ...
Add this to your crontab:
*/1 * * * * sleep 45
Then wait a minute. Then you'll see:
[grok hpeyerl 752 ]; ps -ax | grep sleep
15637 ?? Ss 0:00.00 /bin/sh -c sleep 45
15639 ?? S 0:00.00 sleep 45
15643 p9 RV 0:00.00 grep sleep (csh)
[grok hpeyerl 753 ]; ps -ax | grep -i cron
308 ?? Ss 2:23.50 /usr/sbin/cron
15635 ?? S 0:00.00 /USR/SBIN/CRON (cron)
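A small triage check that follows from the point above, added here as an illustration and not part of the thread: Vixie cron's children retitle themselves with the upper-cased program name, so a "/USR/SBIN/CRON (cron)" entry is expected when its parent is the real /usr/sbin/cron daemon, and only an upper-cased CRON entry with some other parent deserves a closer look. The ps lines are constructed sample input in the shape of `ps -axo pid,ppid,command` (an assumed column set, not the `ps -ax` output quoted in the messages).

```python
import re

# Constructed sample in the shape of `ps -axo pid,ppid,command` (assumption).
# PID 296 is the daemon; 13252 is its legitimate retitled child running a job;
# 4242 carries cron's title but is parented by init, so it is not a cron child.
SAMPLE_PS = """\
  PID  PPID COMMAND
  296     1 /usr/sbin/cron
13252   296 /USR/SBIN/CRON (cron)
13260 13252 /bin/sh -c sleep 45
 4242     1 /USR/SBIN/CRON (cron)
"""

# pid, ppid, then everything else as the command string
LINE_RE = re.compile(r"^\s*(\d+)\s+(\d+)\s+(.*?)\s*$")


def parse_ps(text):
    """Return (pid, ppid, command) tuples; the header line has no digits and is skipped."""
    procs = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            procs.append((int(m.group(1)), int(m.group(2)), m.group(3)))
    return procs


def cron_daemon_pids(procs):
    """PIDs whose executable is the real, lower-case cron daemon."""
    return {pid for pid, _, cmd in procs if cmd.split()[0] == "/usr/sbin/cron"}


def check_cron_children(procs):
    """Classify upper-cased CRON entries.

    'expected': parented by the cron daemon (normal Vixie cron behaviour).
    'suspect' : carries cron's process title but has a different parent;
                worth a manual look, though not proof of anything by itself.
    """
    daemons = cron_daemon_pids(procs)
    result = {"expected": [], "suspect": []}
    for pid, ppid, cmd in procs:
        if cmd.startswith("/USR/SBIN/CRON"):
            result["expected" if ppid in daemons else "suspect"].append(pid)
    return result


if __name__ == "__main__":
    print(check_cron_children(parse_ps(SAMPLE_PS)))
```

On a live system the same logic runs over the real `ps -axo pid,ppid,command` output; an orphaned child of a daemon that has since exited will also land in 'suspect', which is why the result is a pointer for inspection rather than a verdict.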