It might be of interest that one or two of the (very many) machines that succumbed to the Code Red worm have come back to test port 111. It might be coincidence, but port 111 does have vulnerabilities for anyone not running the very latest rpc (if it is running). D. Stimits, stimits at idcomm.com