I was looking at traces of an eject exploit and I am puzzled which other indicators other than buffer overflow can show that the attack is going on. Is it legal to perform two execve sys calls during the eject program execution? I also noticed some irregularities with stat sys call arguments and, of course, pipe and fork sys calls (but then it's too late to detect an attack). Does anybody know what are other indicators of eject exploit? Also, can somebody help me out to detect ftp-write exploit? What are the features of the signature?