Hi, NANOGers. ] Just because a machine has a bot/worm/virus that didn't come with a ] rootkit, doesn't mean that someone else hasn't had their way with it. Agreed. A growing trend in the "0wnage" category is the installation of multiple bots on a single host. This isn't intentional, but a result of the multiple infection vectors bots employ. Bot01 goes after open Win2K shares (TCP 445), and Bot02 comes along and enters through Kuang2 (TCP 17300). One of the more popular bots has at least 13 distinct scan and sploit methods. WebDav, NetBios, MSSQL, Beagle, Kuang2, and the list goes on. The record I've seen thus far was a host with 14 distinct and active bots on it. I'm guessing the LEDs on that cable modem never blinked. One bot, Coldlife, actually took advantage of this trend. It would hunt for certain bot configuration files on the host it infected, and report the contents to the Coldlife botherd. Ka-ching, another botnet stolen. Things have evolved in a distributed manner from this feature. Thanks, Rob. -- Rob Thomas http://www.cymru.com ASSERT(coffee != empty);