Subject: Re: Who is pinging me?
To: Ken Hornstein <kenh@cmf.nrl.navy.mil>
From: Niklas Hallqvist <niklas@appli.se>
List: current-users
Date: 05/21/1996 09:24:19
Well, the point is that this is supposed to be a cracker tool which shouldn't
be easy to see in ps-listings, or with sniffers etc.  It is rumoured to
fiddle with the ps strings constantly and fork itself all the time to not
show up as chewing CPU etc.  It also handles its own transport, just to
be able to hide better.  I have no real proof of its existence, though.

Niklas Hallqvist       Phone: +46-(0)31-40 75 00  Home: +46-(0)31-41 93 95
Applitron Datasystem   Fax:   +46-(0)31-83 39 50  Home: +46-(0)31-41 93 96
Molndalsvagen 95       Email: niklas@appli.se     GSM:  +46-(0)70-714 10 35
S-412 63  GOTEBORG     WWW:   Here
Sweden                 IRC:   niklas (#NetBSD)

On Tue, 21 May 1996, Ken Hornstein wrote:

> >John Woods complained about constant PING messages coming in to his system.
> >
> >Well...
> >
> >Heard a rumour that there's an extremely hacked version of csh out there
> >which makes use of icmp as a transport layer.  You might want to run tcpdump
> >and take a look.
> 
> I have an extremely stupid question - why does csh even _need_ a transport
> layer, since it always is run on top of a pseudo tty?
> 
> --Ken
>