Hello, I have unfortunately discovered that telnet was still enabled on a couple of my servers, and feel that is it very necessary to check for exploitation. However I'm having trouble trying to find out what to look for, the only thing I've found is: "An infected system also creates a lockfile in reference to the back door; this will appear as '/tmp/982235016-gtkrc-429249277'. The presence of this lockfile is an indication of a potential infection with the Remote Shell Trojan." I would actually like to know even if I've been hit, not just if the attempt was successful. Can anyone point me to some information on what to look for? P.S. I have not yet figured out if x.c is the same as RST yet :-) ---------------------------------------------------- Jonathan Wilson System Administrator Cedar Creek Software http://www.cedarcreeksoftware.com Central Texas IT http://www.centraltexasit.com