Let's see, you have a RH6.2 machine hooked up on the internet, stock install, no updates. Running off a @home cable modem in Tucson, AZ. (Why are you asking the Twin Cities Linux User Group? :) First off, bad bad bad bad! I want the Junkyard Wars 4th of July special car crushing machine as a lart! :) Your worst case scenerio is that you got hit by the bind worm and your computer is now looking for other vunerable bind installs. Since you're unpached you should take the box in question offline YESTERDAY and downloaded the updates for RedHat 6.2. Check the RedHat site for info on the worm (what was it? lion? ramen?) If it turns out you're infected with the worm, you may as well nuke everything but /home and install the latest Red Hat (or use the oppertunity to be converted to Debian or <insert distro here>) and play with stuff like XFS/ReiserFS. If you've ruled out worms and the like, are you actually running bind on your box? If so, what does your /etc/resolve.conf look like? Using you're isp's nameservers or just localhost? Check named.conf, using any forwarders? If you're just using localhost AND the machine in question is listed as a DNS server for a domain, the admin of the other machine needs to get his head outta his ass. :) If on the other hand your machine has no business going to his box for DNS info, then yeah, could be a problem there. The Institute for Security Technology Studies and SANA came up with a lionfind tool: http://www.ists.dartmouth.edu/IRIA/knowledge_base/tools/lionfind.htm http://www.sans.org/y2k/lion.htm Grab it and run. All I can think of for now, hope you found something helpful in all that. Andrew S. Zbikowski | http://www.ringworld.org "We can learn much more from wise words, little from wisecracks and less from wise guys." --William Arthur Ward