Over the last week we had a few Linux servers abused at some member schools. The culprits took advantage of poorly configured squid.conf files that had the default 0.0.0.0/0.0.0.0 statement in the ACL section. We have corrected most of the problem by only letting local LANs use squid.

I have one school in particular that is still being abused. It is peculiar because they have a high amount of traffic leaving their network, which seems to mask itself with normal, expected HTTP traffic. It does not run 24/7 like the others who had the squid problem, but only runs during normal school hours and then goes away at night. I am using MRTG to monitor things, and would guess their outbound traffic is running at about a 300% increase whenever there is a web request.

I have asked the tech for the school to examine his local LAN for any devices that can do web caching to see if someone has hacked in somehow. I have looked at our router logs, and can only see port 80 being used. In fact, when I disabled HTTP traffic, all the suspicious traffic went away.

I guess I am wondering if anyone has heard of such a thing, and knows how to find a way to shut this down. It may be a bit off subject at this point since the school is not running any Linux, but rather Win2000 and a SonicWall.

Thanks in advance

--
Raymond Norton
Little Crow Telemedia Network
320-234-0270
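
An added example, not part of the original post: a small Python check that reads a squid.conf and reports whether an address outside the local LAN would be allowed through `http_access`, which is the open-proxy condition the 0.0.0.0/0.0.0.0 ACL creates. The ACL names, the 192.168.10.0/24 LAN and the test addresses are constructed, and only `src` ACLs in address/mask form are modelled.

```python
import ipaddress

# Constructed sample configs (not taken from the servers in the post).
OPEN_CONF = """
acl all src 0.0.0.0/0.0.0.0
acl Safe_ports port 80 443
http_access deny !Safe_ports
http_access allow all
"""
FIXED_CONF = """
acl all src 0.0.0.0/0.0.0.0
acl school_lan src 192.168.10.0/255.255.255.0
acl Safe_ports port 80 443
http_access deny !Safe_ports
http_access allow school_lan
http_access deny all
"""

def parse(conf):
    """Return (src_acls, rules) from squid.conf text; only 'src' ACLs are modelled."""
    src_acls, rules = {}, []
    for raw in conf.splitlines():
        tok = raw.split("#", 1)[0].split()
        if len(tok) >= 4 and tok[0] == "acl" and tok[2] == "src":
            nets = [ipaddress.ip_network(a, strict=False) for a in tok[3:]]
            src_acls.setdefault(tok[1], []).extend(nets)
        elif len(tok) >= 3 and tok[0] == "http_access" and tok[1] in ("allow", "deny"):
            rules.append((tok[1], tok[2:]))
    return src_acls, rules

def verdict(conf, client_ip):
    """Worst-case http_access decision for client_ip: 'allow' or 'deny'."""
    src_acls, rules = parse(conf)
    ip = ipaddress.ip_address(client_ip)
    last = None
    for action, names in rules:
        last = action
        matched, only_src = True, True
        for n in names:
            neg, name = n.startswith("!"), n.lstrip("!")
            if name not in src_acls:
                only_src = False  # port/method ACLs depend on the request itself
                continue
            matched &= any(ip in net for net in src_acls[name]) != neg
        # A deny that hinges on non-src ACLs is skipped (worst case for the defender).
        if matched and (action == "allow" or only_src):
            return action
    # Squid's default when nothing matches is the opposite of the last rule.
    return "deny" if last in (None, "allow") else "allow"
```

Running `verdict()` against each server's squid.conf with an address outside the school's range shows which configurations still accept outside clients.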