If this is an IIS server and was previously infected with CodeRed, it can still be hacked into even if the patches are current. Look for root.exe in the inetpub\scripts directory. Symantec's site has removal instructions if that's your problem.

>>> [log in to unmask] 11/01/01 03:11PM >>>
Very frustrating. bard.cal.msu.edu is my box. It was hit by Nimda in September. It was formatted and reloaded from a Sept 8 backup, fully patched according to Microsoft downloads, and yet it has been exploited again. I am obviously missing something but I don't know what. I had noticed unusual activity and had the box off the wire before Gene's email went out. I was probed by 210.178.12.111 and 35.8.195.55 but my log shows 404s so I don't know how the heck they got in. Any help in buttoning this up would be much appreciated.

Michael Hoxsey
Network Admin
Arts and Letters
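
A log check that ties the two messages together, as an added example that is not part of the thread: it reads an IIS log in W3C extended format and separates requests for root.exe that returned 404 from requests the server answered with any other status. The log lines and client addresses are constructed, and the field names assume W3C extended logging is enabled.

```python
# Added example: constructed data, not logs from the thread.
from collections import defaultdict

# Constructed W3C extended log sample (documentation-range addresses).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2001-11-01 14:02:11 192.0.2.10 GET /scripts/root.exe /c+dir 404
2001-11-01 14:02:12 192.0.2.10 GET /Scripts/Root.exe /c+dir 404
2001-11-01 14:05:40 198.51.100.7 GET /scripts/root.exe /c+dir 200
2001-11-01 14:06:02 198.51.100.7 GET /default.htm - 200
"""

def parse_w3c(text):
    """Yield one dict per request, using the column order from #Fields."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]          # column order can change mid-file
        elif line and not line.startswith("#") and fields:
            parts = line.split()
            if len(parts) == len(fields):      # skip truncated or malformed rows
                yield dict(zip(fields, parts))

def root_exe_requests(text):
    """Group root.exe requests per client: 404 probes vs. answered requests."""
    report = defaultdict(lambda: {"probes_404": 0, "answered": []})
    for rec in parse_w3c(text):
        stem = rec.get("cs-uri-stem", "").lower()   # IIS paths are case-insensitive
        if not stem.endswith("/root.exe"):
            continue
        entry = report[rec.get("c-ip", "unknown")]
        status = rec.get("sc-status")
        if status == "404":
            entry["probes_404"] += 1
        else:
            # Any non-404 answer means the file was found at that path.
            entry["answered"].append(
                (rec.get("date"), rec.get("time"), stem, status))
    return dict(report)

if __name__ == "__main__":
    for ip, info in root_exe_requests(SAMPLE_LOG).items():
        flag = "INVESTIGATE" if info["answered"] else "probe only"
        print(ip, flag, info)
```

A log with only 404s for root.exe does not show the file is absent from every directory, so the check of inetpub\scripts on disk still applies.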