Hi, In september we had an incident on old SuSE 6.3 stations with the root kit tool duarawkz (well known irc DoS tool: http://lists.insecure.org/incidents/2001/Mar/0141.html) We updated all 6.3 stations to SuSE 7.2. We supposed that the hacker came trough the security hole within rpc.statd, rpc.kstatd from NFS, which is announced for SuSE 6.x in august 2000. The Security announcement told SuSE 7.x isnt vulnerable. Now we had another incident with duarawkz on an SuSE 7.0 station - so my questions are: 1) Is SuSE 7.x really not vulnerable regarding to the NFS hole of rpc.statd? 2) Does anyone know incidents with duarawkz a bit in detail and can tell me one or more popular entry ports used by the tool? Until now I dont know the vulnerability duarawkz came trough into the 7.0 station - and maybe I have to reinstall all machines every week. Thats not an acceptable alternative solution. Thanks for help, Bye, Annette Sysadmin IfM Technical University Berlin Germany