Quoting Raymond Norton (admin at lctn.org):
> Over the last week we had a few Linux servers abused at some member
> schools. The culprits took advantage of poorly configured squid.conf files
> that had the default 0.0.0.0/0.0.0.0 statement in the ACL section. We have
> corrected most of the problem by only letting local LANS use squid. I have
> one school in particular who is still being abused. It is peculiar because

Network topology switched or shared?

If switched, do your switches support port mirroring?

Does all the traffic go through a firewall?

What I'm getting at is, can you snoop all incoming/outgoing traffic somewhere?

Install tcpdump and capture a sample of the traffic, or use ethereal to view it
and see what's going on. Both tools are in the tclug's greyhatpak.

Let's say you are switched, and the switches support port mirroring. At the
min, mirror your uplink port (router, dsl modem, etc) to an open port. Plug a
linux box into the open port, run ethereal on that NIC interface and you'll
get what you need.

If you want to do it remotely, it's a little more involved, but....

Let's say you have a linux firewall, ssh to it, install tcpdump, run tcpdump on
both interfaces.

    /usr/sbin/tcpdump -w eth0.pcap -i eth0 -n
    /usr/sbin/tcpdump -w eth1.pcap -i eth1 -n

scp the *.pcap files to your linux box running X, load up the files with
ethereal.

-- 
Bob Tanner <tanner at real-time.com>         | Phone : (952)943-8700
http://www.mn-linux.org, Minnesota, Linux    | Fax   : (952)943-8500
http://www.tcwug.org, Minnesota, Wireless    | Coding isn't a crime.
Fingerprint: 02E0 2734 A1A1 DBA1 0E15 623D 0036 7327 93D9 7DA3
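
The squid.conf problem described in the quoted message (a 0.0.0.0/0.0.0.0 source ACL that http_access allows) can also be checked for directly in the config file. The Python below is an added example, not part of the original message; the sample squid.conf and the school_lan range in it are constructed, and the check only models src ACLs and first-match http_access ordering.

```python
import ipaddress

# Constructed sample in the style of the squid.conf described in the quoted message.
SAMPLE_CONF = """\
acl all src 0.0.0.0/0.0.0.0
acl localhost src 127.0.0.1/255.255.255.255
acl school_lan src 10.20.0.0/255.255.0.0
acl Safe_ports port 80 443
http_access allow localhost
http_access deny !Safe_ports
http_access allow all
http_access deny all
"""

def covers_everything(value):
    """True if a src ACL value spans the entire address space."""
    try:
        return ipaddress.ip_network(value, strict=False).prefixlen == 0
    except ValueError:
        return False  # ranges, hostnames, file includes: treated as restricted

def find_open_rules(conf_text):
    """Return [(line_no, rule)] for http_access allow rules any client address can match."""
    wide = {"all": True}  # src ACL name -> covers every address ("all" is built in on Squid 3+)
    findings = []
    for no, raw in enumerate(conf_text.splitlines(), 1):
        words = raw.split()
        if len(words) >= 4 and words[0] == "acl" and words[2] == "src":
            hit = any(covers_everything(v) for v in words[3:])
            wide[words[1]] = wide.get(words[1], False) or hit
        elif len(words) >= 3 and words[0] == "http_access":
            action, terms = words[1], words[2:]
            # Only a non-negated src ACL narrower than "everything" limits who may connect.
            limited = any(wide.get(t) is False for t in terms)
            if action == "allow" and not limited:
                findings.append((no, " ".join(words)))
            # Rules are first-match: nothing after a catch-all deny, or after a deny of
            # everyone outside one narrow src ACL, is reachable by outside clients.
            catch_all = all(wide.get(t) is True for t in terms)
            t = terms[0]
            outsiders = len(terms) == 1 and t.startswith("!") and wide.get(t[1:]) is False
            if action == "deny" and (catch_all or outsiders):
                break
    return findings

if __name__ == "__main__":
    for no, rule in find_open_rules(SAMPLE_CONF):
        print(f"line {no}: matches any client address: {rule}")
```

Swapping `http_access allow all` for `http_access allow school_lan` in the sample makes the check return no findings, which matches the fix described in the quoted message of only letting local LANs use squid.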