> I imagine that it's probably welchia or blaster... try this on your
> firewall box (or another box that sees a lot of traffic):
> tcpdump -qn icmp and ip[40]=0xaa
> will detect welchia traffic... if that gets you nowhere then check
> out this link:

That did the trick. Took about two seconds to figure out which machine was infected, using that. Thanks!

Next I'll be looking into Snort, or something akin, to continuously monitor the network for suspicious traffic....

TTYL,

Phillip Rhodes
Application Designer
Voice Data Solutions
919-571-4300 x225
[EMAIL PROTECTED]

Those who are willing to sacrifice essential liberties for a little order, will lose both and deserve neither. - Benjamin Franklin

This country, with its institutions, belongs to the people who inhabit it. Whenever they shall grow weary of the existing government, they can exercise their constitutional right of amending it, or exercise their revolutionary right to overthrow it. - Abraham Lincoln

No citizen shall be denied the right to bear arms, if as a last resort, to protect themselves from tyranny in Government. - Thomas Jefferson

--
TriLUG mailing list : http://www.trilug.org/mailman/listinfo/trilug
TriLUG Organizational FAQ : http://trilug.org/faq/
TriLUG Member Services FAQ : http://members.trilug.org/services_faq/
TriLUG PGP Keyring : http://trilug.org/~chrish/trilug.asc
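What the quoted filter tests, shown as an added example that is not part of the original thread: the same check as `icmp and ip[40]=0xaa` applied to raw IPv4 packets, with matches tallied per source address to single out the sending machine. The function names, addresses and packets are constructed for illustration, and the sample payload of 0xaa bytes is an assumption based on what the filter keys on.

```python
import struct
from collections import Counter

def matches_filter(pkt: bytes) -> bool:
    """Same test as `icmp and ip[40]=0xaa` on one raw IPv4 packet."""
    # ip[40] is a fixed offset from the start of the IP header; with a
    # 20-byte header and 8-byte ICMP header it is the 13th payload byte.
    if len(pkt) <= 40 or pkt[0] >> 4 != 4:
        return False
    return pkt[9] == 1 and pkt[40] == 0xAA   # protocol 1 = ICMP

def tally_sources(packets):
    """Matching packets per source address, busiest first."""
    hits = Counter(".".join(map(str, p[12:16])) for p in packets if matches_filter(p))
    return hits.most_common()

def build_echo(src: str, dst: str, payload: bytes) -> bytes:
    """Constructed IPv4 + ICMP echo request; checksums left at zero."""
    icmp = struct.pack("!BBHHH", 8, 0, 0, 1, 1) + payload
    addr = lambda a: bytes(int(x) for x in a.split("."))
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0,
                     128, 1, 0, addr(src), addr(dst))
    return ip + icmp

# Constructed sample traffic (documentation addresses, not from the thread).
udp_lookalike = bytearray(build_echo("192.0.2.9", "192.0.2.1", b"\xaa" * 64))
udp_lookalike[9] = 17    # same bytes but protocol UDP: must not match
SAMPLE = [
    build_echo("192.0.2.23", "198.51.100.1", b"\xaa" * 64),
    build_echo("192.0.2.23", "198.51.100.2", b"\xaa" * 64),
    build_echo("192.0.2.5", "192.0.2.1", bytes(range(56))),  # ordinary ping
    build_echo("192.0.2.23", "198.51.100.3", b"\xaa" * 64),
    bytes(udp_lookalike),
]

if __name__ == "__main__":
    for src, count in tally_sources(SAMPLE):
        print(f"{src}\t{count} matching ICMP packets")
```

Because the offset is fixed, an IP header carrying options shifts which payload byte is compared, and any ICMP packet that happens to have 0xaa at that position also matches.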
