Hi Raji,

Looks like URLScan caught these requests.

Tom

Thomas W Shinder
www.isaserver.org/shinder
ISA Server and Beyond: http://tinyurl.com/1jq1
Configuring ISA Server: http://tinyurl.com/1llp

-----Original Message-----
From: Raji Arulambalam [mailto:rajia@xxxxxxxxxxxxxx]
Sent: Tuesday, February 25, 2003 6:49 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Feature Pack 1 - URLScan

http://www.ISAserver.org

Hi Tom

Thanks. I asked because the rest of the rogue requests get stopped by the URLScan and don't appear in the logs. I use "www" as a last resort before the default to deny in the Destination Sets.

[02-26-2003 - 12:32:52] Client at 217.96.188.1: URL contains extension '.exe', which is disallowed. Request will be rejected. Site Instance='*****', Raw URL='/scripts/root.exe'
[02-26-2003 - 12:32:54] Client at 217.96.188.1: URL contains extension '.exe', which is disallowed. Request will be rejected. Site Instance='*****', Raw URL='/MSADC/root.exe'
[02-26-2003 - 12:32:56] Client at 217.96.188.1: URL contains extension '.exe', which is disallowed. Request will be rejected. Site Instance='*****', Raw URL='/c/winnt/system32/cmd.exe'
[02-26-2003 - 12:32:57] Client at 217.96.188.1: URL contains extension '.exe', which is disallowed. Request will be rejected. Site Instance='*****', Raw URL='/d/winnt/system32/cmd.exe'
[02-26-2003 - 12:32:59] Client at 217.96.188.1: URL normalization was not complete after one pass. Request will be rejected. Site Instance='*****', Raw URL='/scripts/..%255c../winnt/system32/cmd.exe'
[02-26-2003 - 12:33:01] Client at 217.96.188.1: URL normalization was not complete after one pass. Request will be rejected. Site Instance='*****', Raw URL='/_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe'
[02-26-2003 - 12:33:03] Client at 217.96.188.1: URL normalization was not complete after one pass. Request will be rejected. Site Instance='*****', Raw URL='/_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe'
... snipped ...

Cheers
---------------------------------------------
Raji Arulambalam
Systems Administrator
Environment Bay of Plenty
P O Box 364
Whakatane. NEW ZEALAND
--------------------------------------------

-----Original Message-----
From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxxxxxxxxx]
Sent: Wednesday, February 26, 2003 1:03 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Feature Pack 1 - URLScan

Hi Raji,

You don't even need to use URLScan to block those. I'm sure you are not using "www" in your Destination Sets, and you would never use IP addresses in your Web Publishing Rule Destination Sets, so you're not going to be whacked by those and they should never appear in your Web server log, only in the Web Proxy log.

HTH,
Tom

Thomas W Shinder
www.isaserver.org/shinder
ISA Server and Beyond: http://tinyurl.com/1jq1
Configuring ISA Server: http://tinyurl.com/1llp

-----Original Message-----
From: Raji Arulambalam [mailto:rajia@xxxxxxxxxxxxxx]
Sent: Tuesday, February 25, 2003 5:45 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] Feature Pack 1 - URLScan

Hi

What needs adding to the URLSCAN.ini file to catch these attacks?

217.96.188.1 anonymous - N 2003-02-25 23:33:19 w3proxy CELERIS - www - - - 96 3551 http TCP GET http://www/scripts/..%252f../winnt/system32/cmd.exe?/c+dir - - 502 - - -

I have added these various combinations '.exe?' , '?/' , '/c+' to the ini file, but none seem to catch this. I want to remove this so it does not clog up my IIS server logs.

Any clues?

---------------------------------------------
Raji Arulambalam
Systems Administrator
Environment Bay of Plenty
P O Box 364
Whakatane. NEW ZEALAND
--------------------------------------------
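Added example (not part of the original thread and not URLScan's own code): a Python sketch of the two checks whose messages appear in the log above, a decode-twice comparison and an extension deny list, run over raw URLs quoted in the thread. The names `check_url`, `classify` and the one-entry deny list are assumptions made for illustration.

```python
from urllib.parse import unquote
import posixpath

# Assumption: a one-entry deny list, matching the only extension the log shows as disallowed.
DENIED_EXTENSIONS = {".exe"}

# Raw URLs copied from the log lines and proxy entry quoted in the thread.
SAMPLE_URLS = [
    "/scripts/root.exe",
    "/c/winnt/system32/cmd.exe",
    "/scripts/..%255c../winnt/system32/cmd.exe",
    "http://www/scripts/..%252f../winnt/system32/cmd.exe?/c+dir",
]

def check_url(raw_url):
    """Return (allowed, reason) for one raw request URL."""
    path = raw_url.split("?", 1)[0]   # checks apply to the path, not the query string
    once = unquote(path)              # first decoding pass
    twice = unquote(once)             # second decoding pass
    if once != twice:
        # An escape survived the first pass: %255c -> %5c -> '\', %252f -> %2f -> '/'.
        return False, "normalization not complete after one pass"
    # Treat '\' as a separator so a single-encoded ..%5c.. path still yields its extension.
    ext = posixpath.splitext(once.replace("\\", "/"))[1].lower()
    if ext in DENIED_EXTENSIONS:
        return False, "extension %s is disallowed" % ext
    return True, "allowed"

def classify(urls):
    """Map each URL to the reason it was rejected or allowed."""
    return {u: check_url(u)[1] for u in urls}

if __name__ == "__main__":
    for url, reason in classify(SAMPLE_URLS).items():
        print(reason, "<-", url)
```

In URLScan.ini the corresponding switches are `VerifyNormalization` under `[Options]` and the `[DenyExtensions]` section; literal strings such as '.exe?' do not match the double-encoded request because the path contains `%252f`, not a decoded separator.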