Hi,

Is there a procedure for forcing an ISP to take responsibility for hackers on their network?

I've got this one Windows PC hidden behind a unix box. Ports above 1024 are forwarded from the Linux box to the Windows box because of NetMeeting and a few other things. This PC keeps getting hacked from a subscriber on an Israeli ISP. I've cleaned it 3 times now. Essentially the machine gets compromised with a hacktool and then opens a channel to the IP in Israel, after which there is a continuous stream at 40 kbps. Dialup modem speed perhaps?

I've emailed the ISP (barak.net.il) a couple of times and get absolutely no response. Forum messages also indicate that this ISP does not respond to such messages.

Norton Antivirus picks up a hack tool only when the PC is scanned, but even then cannot identify it beyond stating that it is a hacktool. The filename is disguised as scan.exe in one of the winnt\installer folders.

If anyone is interested, please email me off the list and I'll email you the packet logs.

The following is the state of the affected PC when the firewall is not blocking traffic to 82-166-172-38.barak.net.il

Example 1

    winmgnt.exe:1200 TCP zoo:1337 82-166-172-38.barak.net.il:4241 ESTABLISHED
    winmgnt.exe:1200 TCP zoo:1336 82-166-172-38.barak.net.il:4273 TIME_WAIT
    winmgnt.exe:1200 TCP zoo:1336 82-166-172-38.barak.net.il:4276 ESTABLISHED
    winmgnt.exe:1200 TCP zoo:1337 zoo:0 LISTENING
    winmgnt.exe:1200 TCP zoo:43958 zoo:0 LISTENING

Example 2

    winmgnt.exe:1200 TCP zoo:1336 82-166-172-38.barak.net.il:2388 TIME_WAIT
    winmgnt.exe:1200 TCP zoo:1337 82-166-172-38.barak.net.il:2542 ESTABLISHED
    winmgnt.exe:1200 TCP zoo:1336 82-166-172-38.barak.net.il:2579 TIME_WAIT
    winmgnt.exe:1200 TCP zoo:1336 82-166-172-38.barak.net.il:2586 ESTABLISHED
    winmgnt.exe:1200 TCP zoo:1337 zoo:0 LISTENING
    winmgnt.exe:1200 TCP zoo:43958 zoo:0 LISTENING

Once traffic to 82.166.172.38/24 is blocked, the trojan kept attempting a connection once every few seconds, as follows:

    System:8 TCP zoo:1337 82-166-172-38.barak.net.il:4530 SYN_RCVD
    3 seconds later
    System:8 TCP zoo:1337 82-166-172-38.barak.net.il:4569 SYN_RCVD
    3 seconds later
    System:8 TCP zoo:1337 82-166-172-38.barak.net.il:4607 SYN_RCVD
    3 seconds later
    System:8 TCP zoo:1337 82-166-172-38.barak.net.il:4640 SYN_RCVD

and so on.
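
Added example (not part of the original post): a small Python triage of a connection listing in the format shown above, grouping remote peers by local port and marking ports that have a listener in the forwarded range (above 1024). The row layout and the names parse and triage are assumptions made for this example.

```python
import re
from collections import defaultdict

# Assumed row layout, taken from the listing: process:pid proto local:port remote:port state
LINE = re.compile(
    r"^(?P<proc>\S+):(?P<pid>\d+)\s+(?P<proto>TCP|UDP)\s+(?P<lhost>\S+):(?P<lport>\d+)"
    r"\s+(?P<rhost>\S+):(?P<rport>\d+)\s+(?P<state>[A-Z_]+)$"
)

# A subset of rows copied from the listing in the post.
SAMPLE = """\
winmgnt.exe:1200 TCP zoo:1337 82-166-172-38.barak.net.il:4241 ESTABLISHED
winmgnt.exe:1200 TCP zoo:1336 82-166-172-38.barak.net.il:4273 TIME_WAIT
winmgnt.exe:1200 TCP zoo:1337 zoo:0 LISTENING
winmgnt.exe:1200 TCP zoo:43958 zoo:0 LISTENING
System:8 TCP zoo:1337 82-166-172-38.barak.net.il:4530 SYN_RCVD
"""

def parse(text):
    """Return one dict per well-formed row; labels and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:
            row = m.groupdict()
            row["lport"] = int(row["lport"])
            rows.append(row)
    return rows

def triage(rows, forwarded_from=1025):
    """Per local port: owning listener, remote peers with their states, exposure flag."""
    listeners = {}                                  # local port -> "process:pid"
    peers = defaultdict(lambda: defaultdict(set))   # local port -> remote host -> states
    for r in rows:
        if r["state"] == "LISTENING":
            listeners[r["lport"]] = f'{r["proc"]}:{r["pid"]}'
        else:
            peers[r["lport"]][r["rhost"]].add(r["state"])
    report = []
    for port in sorted(set(listeners) | set(peers)):
        by_host = {host: sorted(states) for host, states in peers[port].items()}
        report.append({
            "port": port,
            "listener": listeners.get(port),
            # Listener on a port the gateway forwards, so reachable from outside.
            "exposed": port in listeners and port >= forwarded_from,
            "peers": by_host,
            # SYN_RCVD is entered only after a SYN arrives: the remote side initiated.
            "inbound_syn": any("SYN_RCVD" in s for s in by_host.values()),
        })
    return report

if __name__ == "__main__":
    for entry in triage(parse(SAMPLE)):
        print(entry)
```
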