Very frustrating. bard.cal.msu.edu is my box. It was hit by nimda in september. It was formatted and reloaded from a sept 8 backup, fully patched according to microsoft downloads and yet it has been exploited again. I am obviously missing something but I don't know what. I had noticed unusual activity and had the box off the wire before Gene's email went out. I was probed by 210.178.12.111 and 35.8.195.55 but my log shows 404's so I don't know how the heck they got in. Any help in buttoning this up would be much appreciated. Michael Hoxsey Network Admin Arts and Letters