From Symantec: http://www.symantec.com/avcenter/ "Trojan.Linux.Typot is a trojan horse affecting Linux systems. It generates TCP packets with a window size of 55808. Also Known As: 55808, Stumbler Type: Trojan Horse Infection Length: variable Systems Affected: Linux Systems Not Affected: Windows 3.x, Windows 95, Windows 98, Windows NT, Windows 2000, Windows XP, Windows Me, Microsoft IIS, Macintosh, OS/2, UNIX Every second, Trojan.Linux.Typot sends a spoofed TCP packet on the network. The source and destination IP addresses of the packet are picked randomly. The packet has some fixed characteristics, including the TCP window size, which is set to 55808. Additionally, Trojan.Linux.Typot attempts to sniff network traffic, listening for packet that have a TCP window size of 55808. When such a packet is detected, Trojan.Linux.Typot creates a file called "r" in the current directory. Every 24 hours, Trojan.Linux.Typot checks if the file "r" has been created and, if this is the case, it attempts to connect to a fixed IP address (probably a machine controled by the author of the trojan) on port 22/tcp (the SSH port). If the connection succeeds, Trojan.Linux.Typot deletes the file "/tmp/.../a" and exits. The deleted file may be the trojan executable itself. Trojan.Linux.Typot is statically linked against the libnet and libpcap libraries that it uses to forge and capture network traffic. It is also encrypted with the cryptelf utility." Regards, Jade .