OK, it's an irc bot that got on my system in some way - probably (?) a php exploit. If anyone knows what I have to do to tighten up php to prevent file uploads from inserted urls - help much appreciated! After deleting the bot files in /tmp the tcp traffic to ports 6660-7000 is gone after a system restart. A full upgrade and re-install appears to be in my future . . . Alex === ========= previous message I'm seeing tcp traffic originating from my server going from the 'Registered' ports to the port range of 6660-7000. I do not see a pattern to the destination addresses but there are many. I run 'netstat' fairly regularly and can't recall seeing this before. I've temporarily blocked outgoing traffic to those ports so they are all in the 'SYN_SENT' state. It does not appear to be causing my known apps to suffer?? The server is old - running FC5 with incoming traffic limited to smtp and http by a dedicated firewall/router. The sw is as up-to-date as the FC5 repositories (ie. outdated) I've searched google for known vulnerabilities but have not found anything that matches what I'm seeing. Is it just something I've missed all this time or a true change/problem? If it's a problem, I suppose it's time for an update to something more recent . . . Any ideas / suggestions / help appreciated. Thanks; Alex V. ==== -- This message has been scanned for viruses and dangerous content by Avantel Systems, and is believed to be clean.