Exactly. In this case -- working from antique memory here -- Solaris binaries were normally stripped, while the compromised versions placed by the hacker weren't, which was an immediate red flag. The system was compromised as part of a very large-scale, probably North Korean, attack that exploited an OpenWindows buffer overflow bug that was fixed many patch-revs ago by the time I saw the system (and shouldn't have been exploitable over the Internet anyway, but the firewall was also not properly set up at the time of compromise). Drive-by hacking, in other words. Luckily their compromised binaries -- specifically a 'ps' that filtered out the hackers' background attack processes -- weren't particularly robust to arbitrary input.
Stripping binaries generally refers to removing debugging information of all sorts.
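The red flag described above (an unstripped binary among system binaries that normally ship stripped) can be checked by reading the ELF section table. This is an added example, not code from the thread: the function names are hypothetical, the sample images are constructed, and "unstripped" is simplified to mean an `SHT_SYMTAB` section is present.

```python
import struct

SHT_SYMTAB = 2  # full symbol table; strip(1) removes it, SHT_DYNSYM (11) remains

def has_symtab(data: bytes):
    """True/False for an ELF image, None if it is not parseable as ELF."""
    if len(data) < 52 or data[:4] != b"\x7fELF":
        return None
    ei_class, ei_data = data[4], data[5]
    if ei_class not in (1, 2) or ei_data not in (1, 2):
        return None
    end = "<" if ei_data == 1 else ">"      # 1 = little-endian, 2 = big-endian
    if ei_class == 1:                       # ELF32: e_shoff at offset 32
        shoff, = struct.unpack_from(end + "I", data, 32)
        shentsize, shnum = struct.unpack_from(end + "HH", data, 46)
    else:                                   # ELF64: e_shoff at offset 40
        if len(data) < 64:
            return None
        shoff, = struct.unpack_from(end + "Q", data, 40)
        shentsize, shnum = struct.unpack_from(end + "HH", data, 58)
    for i in range(shnum):
        off = shoff + i * shentsize
        if off + 8 > len(data):
            return None                     # truncated or malformed section table
        sh_type, = struct.unpack_from(end + "I", data, off + 4)
        if sh_type == SHT_SYMTAB:
            return True
    return False

def make_elf32_be(section_types):
    """Constructed sample: minimal big-endian ELF32 image holding only a section table."""
    hdr = b"\x7fELF" + bytes([1, 2, 1]) + bytes(9)           # e_ident, 16 bytes
    hdr += struct.pack(">HHIIIIIHHHHHH", 2, 2, 1, 0, 0, 52, 0,
                       52, 0, 0, 40, len(section_types), 0)  # e_shoff=52, e_shentsize=40
    secs = b"".join(struct.pack(">II", 0, t) + bytes(32) for t in section_types)
    return hdr + secs

def unstripped(images):
    """images: {name: bytes}. Names whose ELF image still carries a symbol table."""
    return sorted(n for n, d in images.items() if has_symtab(d))

if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:               # e.g. the files in a system bin directory
        with open(path, "rb") as f:
            print(path, has_symtab(f.read()))
```

A result of `True` only marks a file for closer inspection; a replaced binary that was stripped would pass this check, so it complements comparison against known-good package checksums rather than replacing it.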