From owner-freebsd-questions@FreeBSD.ORG  Tue Jun 17 18:50:48 2003
Return-Path: <owner-freebsd-questions@FreeBSD.ORG>
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 3706537B401
	for <freebsd-questions@freebsd.org>;
	Tue, 17 Jun 2003 18:50:48 -0700 (PDT)
Received: from malkav.snowmoon.com (malkav.snowmoon.com [209.23.60.62])
	by mx1.FreeBSD.org (Postfix) with SMTP id 21C7C43FAF
	for <freebsd-questions@freebsd.org>;
	Tue, 17 Jun 2003 18:50:47 -0700 (PDT)
	(envelope-from jaime@snowmoon.com)
Received: (qmail 166 invoked from network); 18 Jun 2003 01:50:46 -0000
Received: from alb-24-195-205-90.nycap.rr.com (HELO snowmoon.com)
	(24.195.205.90)  by 10.5.1.62 with SMTP; 18 Jun 2003 01:50:46 -0000
Date: Tue, 17 Jun 2003 21:50:36 -0400
Content-Type: text/plain; charset=US-ASCII; format=flowed
Mime-Version: 1.0 (Apple Message framework v552)
To: Bill Moran <wmoran@potentialtech.com>
From: Jaime <jaime@snowmoon.com>
In-Reply-To: <3EEFC22E.3040105@potentialtech.com>
Message-Id: <4195050A-A12F-11D7-8F3A-000393193538@snowmoon.com>
Content-Transfer-Encoding: 7bit
X-Mailer: Apple Mail (2.552)
cc: freebsd-questions@freebsd.org
Subject: Re: ping: sendto: No buffer space available
X-BeenThere: freebsd-questions@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: User questions <freebsd-questions.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-questions>,
	<mailto:freebsd-questions-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-questions>
List-Post: <mailto:freebsd-questions@freebsd.org>
List-Help: <mailto:freebsd-questions-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-questions>,
	<mailto:freebsd-questions-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Wed, 18 Jun 2003 01:50:48 -0000

On Tuesday, June 17, 2003, at 09:36  PM, Bill Moran wrote:
> I found a web page that claims that nscd is a Debian program called
> "name service cache daemon". (Cache only DNS server?)  So if it's 
> connecting
> to any port other than DNS, it's probably a trojan pretending to be 
> nscd.

	I think that I found the same page.  I agree with your assessment.  
The IP address that it is attempting to connect to is not found via 
traceroute and is registered to what appears to be a Russian ISP.  How 
odd....

	I'll be grabbing new source code and recompiling everything tomorrow.  
The box was running 4.7-Stable anyway.  :)  The troubling part is that 
the process claims to be /usr/sbin/nscd, but that file doesn't exist.  
I'll have to see how they did that with lsof, mergemaster, etc.

								Jaime