On Fri, Feb 20, 2009 at 2:57 PM, Yigit Turgut wrote:
> Your first action must be to separate your network from WAN. Local port
> scanning might not give any accurate results because botnets generally use
> reverse connection for command input. This is why some sniffing is essential
> here. Find outgoing connections (like port 6000 that IRC uses) using
> Wireshark and save the source address. This is a node where you may use it
> later to spot your attacker.

I've been watching the computers that may be affected with Wireshark, and while I see a bunch of DNS requests (and NetBIOS name requests), I have no idea if that's normal since they aren't connected to a DNS server when I'm running those tests.

Josh

--
A common mistake that people make when trying to design something completely foolproof is to underestimate the ingenuity of complete fools.
-Douglas Adams
--
http://www.piclist.com PIC/SX FAQ & list archive
View/change your membership options at
http://mailman.mit.edu/mailman/listinfo/piclist
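One way to turn a capture like the one discussed above into a per-host summary, as an added example that is not part of the thread: it separates local chatter (NetBIOS broadcasts, queries to a local resolver) from connections leaving the LAN and records which names each host tried to resolve. The row layout (source, destination, protocol, destination port, DNS query name), the 192.168.1.0/24 LAN range and every sample row are assumptions constructed for the illustration.

```python
import csv
import io
import ipaddress
from collections import Counter, defaultdict

# Constructed sample rows: src, dst, proto, dst_port, dns_query_name
SAMPLE = """\
192.168.1.20,192.168.1.255,udp,137,
192.168.1.20,192.168.1.1,udp,53,www.example.com
192.168.1.20,203.0.113.7,tcp,8080,
192.168.1.20,203.0.113.7,tcp,8080,
192.168.1.21,192.168.1.1,udp,53,a1b2c3.example.net
192.168.1.21,198.51.100.9,tcp,443,
"""

LOCAL_NET = ipaddress.ip_network("192.168.1.0/24")  # assumed LAN range


def summarize(rows_text, local_net=LOCAL_NET):
    """Split traffic sent by LAN hosts into outbound, DNS names and local chatter."""
    outbound = defaultdict(Counter)  # src -> {(dst, proto, port): packets}
    dns_names = defaultdict(Counter)  # src -> {queried name: count}
    local = Counter()                 # (src, proto, port) -> packets staying on the LAN
    for row in csv.reader(io.StringIO(rows_text)):
        if len(row) != 5:
            continue  # skip blank or malformed rows
        src, dst, proto, port, qname = row
        if ipaddress.ip_address(src) not in local_net:
            continue  # only traffic originated by LAN hosts is of interest
        if qname:
            dns_names[src][qname] += 1
        if ipaddress.ip_address(dst) in local_net:
            local[(src, proto, int(port))] += 1
        else:
            outbound[src][(dst, proto, int(port))] += 1
    return outbound, dns_names, local


def external_endpoints(rows_text, local_net=LOCAL_NET):
    """List (src, dst, proto, port, packets) leaving the LAN, busiest first."""
    outbound, _, _ = summarize(rows_text, local_net)
    flat = [(src, dst, proto, port, n)
            for src, dests in outbound.items()
            for (dst, proto, port), n in dests.items()]
    return sorted(flat, key=lambda r: (-r[4], r[0], r[1]))


if __name__ == "__main__":
    for entry in external_endpoints(SAMPLE):
        print(entry)
    for host, names in summarize(SAMPLE)[1].items():
        print(host, "queried", dict(names))
```

The list of queried names is the part that helps decide whether the DNS traffic is ordinary: names a user or the operating system would plausibly look up read very differently from names nobody on the machine recognises.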