Well the lame moderator at intrusions@incidents.org will not let this message pass. Anyone have any ideas ? Sorry as this is off topic, too bad a security list has problems with questions like this ! I would like start having support call infected users, once the storm passes. james : ----- Original Message ----- : From: "james" <jamesh@cybermesa.com> : To: <intrusions@incidents.org> : Sent: Wednesday, August 13, 2003 2:46 PM : Subject: Detecting worm infection by remote : : : : I am trying to build a list of infected users, is it possible to just nmap : : tcp port 4444 ? Does anyone know of a scanner I could use ? We had : : to lock ports 135-139 down all over the state to bring this under control : : as the users were scanning local users & causing slowdowns. So I cannot detect infections via : : port 135-139 tcpdumps or Snort. : : : : James Edwards : : Routing and Security Administrator : : jamesh@cybermesa.com : : At the Santa Fe Office: Internet at Cyber Mesa : : Store hours: 9-6 Monday through Friday : : : :