I spoke with a person that claimed to understand the attacks that are going on; while I have no proof, I offer this as an example of what to look for on your own systems. So I am presenting this only as a possible example of what has taken place, and until proven correct I concede this is only a "rumor."

Basically it began by combining many scripts already in use for scanning system security holes. The script initially scans a range of IPs, scanning each target system for various known exploits; once a system is compromised, the second half of the attack goes into effect. I believe it uses some form of remote execution via rcp once it's been compromised to copy and execute what seems to be a specially made "DoS Daemon" to the host; once there, this daemon runs waiting to receive its orders from the people who put it there. Therefore, once enough systems were compromised in this fashion and enough systems on the net were unknowingly running this daemon, the attackers simply gave the order to hit the targets this week and their daemons went to work.

With this in mind we would need someone to find a box with this daemon on it so we can find a way to detect its existence on other systems. Logically, since the compromise of the systems was done with a script, this "DoS Daemon" would be set up the same way on every compromised system. Therefore, if someone can find it on one box, we will know exactly what to look for on other hosts. This of course will only help us if our own systems have been compromised and wouldn't be of any use at all for those boxes not within our control.

One final note, a friend from Verio suggested that in the above scenario this daemon would probably be using TCP to be communicated with, as UDP is more difficult for a lot of people to code.

Rodney L. Caston
Southwestern Bell Internet Services
On Wed, 9 Feb 2000, Rodney Caston wrote:
> I spoke with a person that claimed to understand the attacks that are going on; while I have no proof, I offer this as an example of what to look for on your own systems. So I am presenting this only as a possible example of what has taken place, and until proven correct I concede this is only a "rumor."
Do a search of the Bugtraq archives for trinoo, tribe, etc, or take at look at Dave Dittrich's page at http://www.washington.edu/People/dad/. He posted detailed breakdowns of the discovered DDoS daemons in December for the CERT workshop on DDoS's from last year. Verbose information on these attacks has been available since November/December of 1999.
> Basically it began by combining many scripts already in use for scanning system security holes. The script initially scans a range of IPs, scanning each target system for various known exploits; once a system is
> One final note, a friend from Verio suggested that in the above scenario this daemon would probably be using TCP to be communicated with, as UDP is more difficult for a lot of people to code.
Some are using ICMP, and UDP is not that hard to code, especially if the programs are just combinations of scripts that have already been written.
> Rodney L. Caston
> Southwestern Bell Internet Services
On a totally unrelated note, you guys really should start participating in the local peering points. Your connectivity in large metro areas like Houston, TX would greatly benefit from it. MAGIE and Compaq/Insync NAP connections would make a lot of SBC DSL users very happy, since a lot of their traffic is local content.

--
Joseph W. Shaw - jshaw@insync.net
Computer Security Consultant and Programmer
Free UNIX advocate - "I hack, therefore I am."
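The two detection ideas raised in this thread (Joe's pointer to the published trinoo breakdowns, and Rodney's point that a script-installed daemon will look identical on every compromised host) can both be turned into simple host checks. The following Python is an added example written for this page, not code from either poster or from Dittrich's analysis. The trinoo control ports it uses (master on TCP 27665, daemon on UDP 27444, daemon-to-master replies on UDP 31335) are the ones documented in Dittrich's December 1999 trinoo write-up; the `netstat` sample, host names, file paths and digests are constructed placeholders. TFN signals its daemons with ICMP echo replies rather than a listening port, which is why the thread's "some are using ICMP" remark is not something a socket listing can catch; that case needs packet-level inspection and is out of scope here.

```python
import re
from collections import defaultdict

# Control ports from Dittrich's trinoo analysis (Dec 1999). Only trinoo is
# listed: TFN uses ICMP echo replies and therefore has no listening socket.
KNOWN_DDOS_PORTS = {
    ("tcp", 27665): "trinoo master control port (attacker -> master)",
    ("udp", 27444): "trinoo daemon command port (master -> daemon)",
    ("udp", 31335): "trinoo daemon -> master reply port",
}

# Constructed `netstat -an` style output; not captured from a real host.
SAMPLE_NETSTAT = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:27665           0.0.0.0:*               LISTEN
udp        0      0 0.0.0.0:27444           0.0.0.0:*
udp        0      0 0.0.0.0:123             0.0.0.0:*
"""

# proto, recv-q, send-q, local addr:port ... (handles tcp/udp and tcp6/udp6)
LINE_RE = re.compile(r"^(tcp|udp)\S*\s+\d+\s+\d+\s+(\S+):(\d+)\s+")


def flag_suspicious_listeners(netstat_text):
    """Return (proto, port, description) for each local socket bound to a
    port associated with a known DDoS daemon or master."""
    findings = []
    for line in netstat_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        proto, port = m.group(1), int(m.group(3))
        desc = KNOWN_DDOS_PORTS.get((proto, port))
        if desc:
            findings.append((proto, port, desc))
    return findings


# Rodney's reasoning: a daemon dropped by a script is byte-identical on every
# compromised box. Given a per-host file inventory and a baseline of known-good
# digests, a digest that is NOT in the baseline yet recurs on several hosts is
# the pattern to hunt for. All hosts, paths and digests below are constructed.
BASELINE_HASHES = {"1a2b3c-sshd", "4d5e6f-inetd", "7a8b9c-ntpd"}

SAMPLE_INVENTORY = {
    "hostA": {"/usr/sbin/sshd": "1a2b3c-sshd",
              "/usr/lib/.x/dd": "deadbeef01",      # same unknown file ...
              "/var/tmp/notes.txt": "ffff0001"},   # ... local-only file
    "hostB": {"/usr/sbin/sshd": "1a2b3c-sshd",
              "/usr/lib/.x/dd": "deadbeef01"},     # ... on a second host
    "hostC": {"/usr/sbin/ntpd": "7a8b9c-ntpd"},
}


def find_replicated_unknown_files(host_inventories, baseline_hashes, min_hosts=2):
    """host_inventories: {host: {path: digest}}.  Returns {digest: [(host, path)]}
    for digests absent from the baseline and present on >= min_hosts hosts."""
    seen = defaultdict(set)  # digest -> {(host, path)}
    for host, files in host_inventories.items():
        for path, digest in files.items():
            if digest not in baseline_hashes:
                seen[digest].add((host, path))
    return {
        digest: sorted(locs)
        for digest, locs in seen.items()
        if len({host for host, _ in locs}) >= min_hosts
    }


if __name__ == "__main__":
    for proto, port, desc in flag_suspicious_listeners(SAMPLE_NETSTAT):
        print(f"{proto}/{port}: {desc}")
    for digest, locs in find_replicated_unknown_files(SAMPLE_INVENTORY, BASELINE_HASHES).items():
        print(f"unknown file {digest} replicated on: {locs}")
```

The port check is only as good as the port table, and a rebuilt daemon can listen anywhere; the replicated-file check is the more durable of the two because it keys on the deployment method the thread describes rather than on one tool's constants. In practice the baseline would come from package manifests and the inventories from a file-integrity run on each host.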