obviously nimda runs through IIS...however if nimda got in its quite possible that anyone else could have gotten in too. have you figured out whats runnin on that port? try to web browse to it? or...