The damned thing continues to burn bandwidth here. My IIS systems were patched long ago and my Apache servers are inherently immune. But, that does not prevent vulnerability scans and it's those scans that are burning the pipe. Firewalling the scans sort of blocks those services too. So, that isn't the answer. Fortunately, I have long been a fan of having really huge boxen sip their internet through straws (any single box can saturate the uplink (100baseTX), at <50% CPU utilization and the WAN:LAN link never exceeds 1:10. So, my servers are just loafing. Still, this comes real close to being a DDOS attack because the WAN port is showing almost 40% usage from scans right now. I'm real glad that I have another set of zone servers, piggy-backed in AboveNet. Has anyone made any progress towards locating origination of these worms? They seem to be steadily mutating. This means that a/some programmer(s) is/are behind this somewhere. I'm sure that I'm not the only one that wants to know. -- R O E L A N D M J M E Y E R Managing Director Morgan Hill Software Company tel: +1 925 373 3954 cel: +1 925 352 3615 fax: +1 925 373 9781 http://www.mhsc.com