Were you/they running telnetd as a service in February? See
On 13/04/07, David Gillett <gillettdavid () fhda edu> wrote:
I've got a Solaris machine on my network that has acquired
an unauthorized behaviour of unknown origin. Every night,
from 1:10:30am until 6:00:30am, it tries to establish outbound
telnet connections to addresses all over the Internet.
The machine is running the SIRSI library application; it's possible
that the vulnerability is associated with that and not generically with
Solaris. We're not heavy Solaris users here, and so IT doesn't support
that machine -- I'm trying to help our SIRSI admin pin down what's going
on so they can determine how to identify and remove the culprit.
Reformat and re-install? It's the only way to be sure you've cleaned
it properly. Probably cheaper than a thorough forensic examination as