There is a tool floating around called TAP which is a kernel mod that allows you to easily watch streams on SunOs, and capture what a person is typing. It is easy to modify so that you could actually write to the stream thus emulating that person and hijacking their terminal connection. To load the modules, the intruder does a modload to add the module to the kernel. One way to detect the hijacking tool is to do a modstat and see if there is any unfamiliar modules loaded. An intruder could trojan modstat so it might be worthwhile to check the integrity of modstat. Cheers, Christopher -- Christopher William Klaus Voice: (404)441-2531. Fax: (404)441-2431 Internet Security Systems, Inc. Computer Security Consulting 2000 Miller Court West, Norcross, GA 30071