I've been following the messages here on the latest code red worm and I've seen several of the entries in my log files (WEBEX.....LOG) WARNING : Log entries with dangerous links : WARNING : Log entries with dangerous links : 61.221.240.50 anonymous - 2001-08-04 14:56:07 GATEWAY - www.worm.com <www.worm.com> - - 2323 4039 - - GET http://www.worm.com/default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN NNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801 %u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u00 78%u0000%u00=a - 12202 And ... 24.1.178.131 anonymous - 2001-08-04 15:09:34 GATEWAY - 209.151.234.200 168.65.50.21 12345 1933 3818 171 http GET http://168.65.50.21:12345/default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX XXXXXXXXXXXXXXXXXXXXXXXXXX Inet 200 My understanding of the first one is that the 12202 at the ends means that ISA blocked it. But it's the other entry, with the Inet 200 at the end that I'm concerned about. Doesn't 200 mean that it was succesful. I've applied the patches from MS faithfully, and when I try the Coderedchecker program I come out OK. Our IIS Server is on ISA server and I am publishing it with a destination set that uses the IP address of the external NIC which I read below could cause a problem. Will this cause me any problems? Thanks Nick. KCI Computing, Inc. (nick@xxxxxxxxxxx)