hi list, just curious, if this would ring a bell with someone. Recently I noticed several strange things on one of my boxes (SuSE 8.2 with stock kernel for athlon). Among evidence, that something fishy is going on, I found a rather strange process in psauwx: USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND root 1 0.0 0.0 500 72 ? S 2003 0:03 init [3] root 2 0.0 0.0 0 0 ? SW 2003 0:00 [keventd] root 3 0.0 0.0 0 0 ? SWN 2003 0:00 [ksoftirqd_CPU0] root 4 0.0 0.0 0 0 ? SW 2003 0:23 [kswapd] root 5 0.0 0.0 0 0 ? SW 2003 0:00 [bdflush] root 6 0.0 0.0 0 0 ? SW 2003 0:00 [kupdated] root 7 0.0 0.0 0 0 ? SW 2003 0:06 [kinoded] root 9 0.0 0.0 0 0 ? SW 2003 0:00 [mdrecoveryd] root 12 0.0 0.0 0 0 ? SW 2003 0:00 [scsi_eh_0] root 15 0.0 0.0 0 0 ? SW 2003 0:57 [kjournald] at 219 0.0 0.0 1492 104 ? S 2003 0:00 [atd] root 425 0.0 0.0 0 0 ? SW 2003 0:00 [eth0] I have never seen something like [eth0] anywhere else (btw: what's the actual meaning of square brackets? Demons show them to, but these are kernel tasks). Looking at /proc/425 doesn't give any clues, except that it has one file descripter open pointing to /dev/initctl and a PPID of 1. I also found port 6667 to be open, or better "filtered" (nmap). The firewall (self made) doesn't touch it, and I can't associate a process with it (it doesn't accept connections either if simply telnetted to). So the question: Has anyone seen such a thing? I checked with the "checkrootkit" suit, but nothing was found. -- Patrick Ahlbrecht Systemadministration billiton internetservices direct phone: 0271 30386 19