Installing packages, updating packages, removing packages. These basic operations result in lots of tripwire noise. Was the change to /usr/sbin/zic part of a legitimate update, or a super-secret-stealth attack? At this point I wish I could md5sum every binary and library file managed by the OS and compare that to some authoritative source. Yay, Josh
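One way to do the comparison wished for above, as an added example that is not part of the original post: take the paths the integrity checker flagged and check each against a trusted manifest of digests. It assumes the manifest is in `md5sum` output format and was obtained from outside the host being checked; the function names and the sample paths other than `/usr/sbin/zic` are hypothetical, and the files and manifest in `demo()` are constructed.

```python
import hashlib
import os
import tempfile

def file_digest(path, algo="md5"):
    """Hash a file in chunks so large binaries are not read into memory at once."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def parse_manifest(text):
    """Parse md5sum-style lines ('<hex>  <path>' or '<hex> *<path>') into {path: digest}."""
    pairs = (l.split(None, 1) for l in text.splitlines() if l.strip() and not l.startswith("#"))
    return {p.strip().lstrip("*"): d.lower() for d, p in pairs}

def classify_changes(changed, manifest, root="/", algo="md5"):
    """Label each path the integrity checker flagged against the trusted manifest."""
    result = {}
    for path in changed:
        on_disk = os.path.join(root, path.lstrip("/"))
        if path not in manifest:
            result[path] = "unmanaged"          # no package claims this file
        elif not os.path.isfile(on_disk):
            result[path] = "missing"
        elif file_digest(on_disk, algo) == manifest[path]:
            result[path] = "matches-manifest"   # change is explained by the package
        else:
            result[path] = "MISMATCH"           # not explained: look at this first
    return result

def demo():
    """Constructed sample: a scratch directory standing in for '/', plus a fake manifest."""
    md5 = lambda b: hashlib.md5(b).hexdigest()
    manifest = parse_manifest(
        f"{md5(b'zic from update')}  /usr/sbin/zic\n"
        f"{md5(b'vendor build')}  /usr/sbin/exampled\n"
        f"{md5(b'removed')}  /usr/sbin/goned\n")
    on_disk = {"/usr/sbin/zic": b"zic from update", "/usr/sbin/exampled": b"modified build",
               "/usr/sbin/locald": b"site-local tool"}
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "usr/sbin"))
        for path, data in on_disk.items():
            with open(os.path.join(root, path.lstrip("/")), "wb") as f:
                f.write(data)
        return classify_changes(list(on_disk) + ["/usr/sbin/goned"], manifest, root)

if __name__ == "__main__":
    print(demo())
```

MD5 is used here only because the post names `md5sum`; pass `algo="sha256"` when the manifest publishes SHA-256 digests, since MD5 is not collision resistant.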