google: initsys rootkit found exactly 1 hit: http://www.giac.org/practical/Edmo_Filho_GCIH.doc and there is to read snip ---- ...and initsys is a session hijacking tool that can be remotely connected by using another session hijacking tool called Hunt. Initsys was listening in the TCP ports 1867, 1868, 1871, 1872, 1880, 1881, 1884, 1885, 2106, 2107, 3464, 4998 and 30009. The results of the strings command executed by using initsys as the input file can be verified in Appendix D of this paper. ---- snap Hope that helps Michael