Hi all,
I am posting this comment to see if there isn't a security hole in the VMware Server Console Connection.
It seems that a RootKit called:
sucKIT (Version 1.3a, Jun 5 2006)
was able to sneak into my VMware host servers (Linux RedHat AS3 & AS4) using the VMware Server Console Port.
In order to increase the security of my opened port in my firewall, I usually change the default port proposed. In this case, I have overwritten the port from 902 to 10902. Since then, I have had 3 servers out of 5 bombed by "sucKIT".
Here is a description of each server's configuration and options.
Site1 - RedHat AS3 - VMware server 1.0.1.29996 - Port 10902 Open on Firewall
Site2 - RedHat AS3 - VMware server 1.0.1.29996
Site3 - RedHat AS4 - VMware server 1.0.1.29996
Site4 - RedHat AS4 - VMware server 1.0.1.29996 - Port 10902 Open on Firewall
Site5 - RedHat AS3 - VMware server 1.0.1.29996 - Port 10902 Open on Firewall
On all sites where port 10902 is opened and mapped to the VMware host server, the machine has been infected by the "sucKIT" rootkit. I have reinstalled RedHat on all infected machines (the only way to get rid of "sucKIT") and disabled the incoming VMware Server Console port (10902) on all concerned firewalls. Since then (3 days) the machines haven't been infected yet (checking done by running rkhunter).
I don't know if the problem is linked to the VMware Server Console network protocol that permits the rootkit "sucKIT" to be installed on the host, or if it's the combination of VMware Server Console and port 10902.
I am just posting this in order to understand and, maybe, try to protect other users from being attacked by "sucKIT". Reinstalling RedHat servers isn't a very interesting job.
Waiting for some comments,
O&O G.Mamahoo