Sushil,

URLScan will prevent logging of these.
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/tools/tools/urlscan.asp

----- Original Message -----
From: "Jim Harrison" <jim@xxxxxxxxxxxx>
To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
Sent: Wednesday, April 10, 2002 9:51 AM
Subject: [isalist] Re: Code Red/Nimda

> http://www.ISAserver.org
>
> It would appear that you've either:
> 1. used packet filters or server publishing to publish that site
> 2. used an "any request" destination in a web publishing rule
> 3. used an IP address in the destination set for the web publishing rule
> 4. turned off packet filtering
> ..the list goes on.
>
> All web sites should be web-published and specific destinations defined for
> each.
> This will allow the ISA Web Proxy service to act as a URL filter for you and
> block this stuff by default.
>
> Jim Harrison
> MCP(NT4, W2K), A+, Network+, PCG
> http://isaserver.org/authors/harrison/
> Read the books!
>
> ----- Original Message -----
> From: "Sushil Bhalla" <sushilb@xxxxxxxxxxxxxxxxx>
> To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
> Sent: Wednesday, April 10, 2002 3:09 AM
> Subject: [isalist] Code Red/Nimda
>
> > Hello All,
> >
> > I have SBS2000 (W2K with SP2, E2K with SP1, ISA2K, IIS) all installed on
> > one server.
> >
> > I am getting a lot of the following entries in my IIS logs from different IPs:
> >
> > 2002-04-09 21:20:36 203.253.28.53 - W3SVC3 SERVER xxx.xxx.xxx.xxx 80 GET /scripts/root.exe /c+dir 404 3 3396 72 62 HTTP/1.0 www - - -
> > 2002-04-09 21:20:42 203.253.28.53 - W3SVC3 SERVER xxx.xxx.xxx.xxx 80 GET /MSADC/root.exe /c+dir 404 3 3396 70 0 HTTP/1.0 www - - -
> > 2002-04-09 21:20:43 203.253.28.53 - W3SVC3 SERVER xxx.xxx.xxx.xxx 80 GET /c/winnt/system32/cmd.exe /c+dir 404 3 3396 80 15 HTTP/1.0 www - - -
> > 2002-04-09 21:20:45 203.253.28.53 - W3SVC3 SERVER xxx.xxx.xxx.xxx 80 GET /d/winnt/system32/cmd.exe /c+dir 404 3 3396 80 0 HTTP/1.0 www - - -
> > 2002-04-09 21:20:47 203.253.28.53 - W3SVC3 SERVER xxx.xxx.xxx.xxx 80 GET /scripts/..%5c../winnt/system32/cmd.exe /c+dir 404 3 3396 96 0 HTTP/1.0 www - - -
> > 2002-04-09 21:20:49 203.253.28.53 - W3SVC3 SERVER xxx.xxx.xxx.xxx 80 GET /_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe /c+dir 404 3 3396 117 0 HTTP/1.0 www - - -
> > 2002-04-09 21:20:50 203.253.28.53 - W3SVC3 SERVER xxx.xxx.xxx.xxx 80 GET /_mem_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe /c+dir 404 3 3396 117 0 HTTP/1.0 www - - -
> >
> > I know 404 IS GOOD SIGN for me. But what can I do to prevent even logging
> > of these entries? What Service Packs or patches are needed and where can I
> > get these?
> >
> > Thanks in advance for all your help.
> >
> > Sushil Bhalla
> > Imageware International
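
Added example, not part of the original thread: a small Python triage script for IIS log lines like those quoted above. It counts Code Red/Nimda-style probes per client IP and lists any that were answered with something other than 404. The field positions are assumed from the sample lines, and the last two sample entries (192.0.2.10 and 198.51.100.7) are constructed.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Field positions as they appear in the thread's sample lines (assumption; when a
# log carries a "#Fields:" header, read the positions from that instead).
C_IP, URI_STEM, STATUS = 2, 9, 11

# Markers seen in the quoted requests: cmd.exe, root.exe, and ../ or ..\ traversal.
PROBE = re.compile(r"cmd\.exe|root\.exe|\.\.[\\/]", re.IGNORECASE)

def decode_fully(path, rounds=3):
    """Percent-decode until stable so encoded separators such as %5c normalise."""
    for _ in range(rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path

def triage(lines):
    """Map client IP -> {"probes": count, "non_404": [stems not answered with 404]}."""
    report = defaultdict(lambda: {"probes": 0, "non_404": []})
    for line in lines:
        fields = line.split()
        if line.startswith("#") or len(fields) <= STATUS:
            continue  # header directive, blank line, or unexpected layout
        if PROBE.search(decode_fully(fields[URI_STEM])):
            entry = report[fields[C_IP]]
            entry["probes"] += 1
            if fields[STATUS] != "404":
                entry["non_404"].append(fields[URI_STEM])
    return dict(report)

# The first three lines are from the thread; the last two are constructed.
SAMPLE = [
    "2002-04-09 21:20:36 203.253.28.53 - W3SVC3 SERVER xxx.xxx.xxx.xxx 80 GET /scripts/root.exe /c+dir 404 3 3396 72 62 HTTP/1.0 www - - -",
    "2002-04-09 21:20:43 203.253.28.53 - W3SVC3 SERVER xxx.xxx.xxx.xxx 80 GET /c/winnt/system32/cmd.exe /c+dir 404 3 3396 80 15 HTTP/1.0 www - - -",
    "2002-04-09 21:20:47 203.253.28.53 - W3SVC3 SERVER xxx.xxx.xxx.xxx 80 GET /scripts/..%5c../winnt/system32/cmd.exe /c+dir 404 3 3396 96 0 HTTP/1.0 www - - -",
    "2002-04-09 21:21:02 192.0.2.10 - W3SVC3 SERVER xxx.xxx.xxx.xxx 80 GET /default.htm - 200 0 1024 60 15 HTTP/1.0 www - - -",
    "2002-04-09 21:22:10 198.51.100.7 - W3SVC3 SERVER xxx.xxx.xxx.xxx 80 GET /scripts/..%5c../winnt/system32/cmd.exe /c+dir 200 0 512 98 31 HTTP/1.0 www - - -",
]

if __name__ == "__main__":
    for ip, r in triage(SAMPLE).items():
        verdict = "INVESTIGATE" if r["non_404"] else "all answered 404"
        print(f"{ip}: {r['probes']} probe(s), {verdict} {r['non_404']}")
```

A source whose probes all returned 404 is background noise; any entry in `non_404` means the server answered such a request differently and the host should be examined.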