In case this helps anyone: >>>>> Thus spake "Ionel Chila" There is a quick perl script that can detect the ramen worm. I also have the source code for the worm if anyone interested. Regards #!/bin/perl # Script that checks for signs of ramen infection # $detected = 0; print "Ramen worm checker.\nChecking...\n"; open(F,"/etc/redhat-release") ; print "You are running ",<F>,"\n";; close(F); @suspect = ("/usr/src/.poop", "/usr/src/.poop/ramen.tgz", "/tmp/ramen.tgz"); foreach (@suspect) if(-e) { print "found $_\n"; $detected++; } } open(N, "/bin/netstat -an|") or print "Could not open /bin/netstat\n"; while(<N>) { if (/:27374.*LISTEN/) { print "Ramen webserver detected on port 27374\n"; $detected++; last; } } close(N); if ($detected) { print "$detected telltale signs of ramen found. Get professional help\n"; } else { print "Wheee! No ramen signs found!\n"; } Rusty Carruth Email: [EMAIL PROTECTED] or [EMAIL PROTECTED] Voice: (480) 345-3621 SnailMail: Schlumberger ATE FAX: (480) 345-8793 7855 S. River Parkway, Suite 116 Ham: N7IKQ @ 146.82+,pl 162.2 Tempe, AZ 85284-1825 ICBM: 33 20' 44"N 111 53' 47"W