Sorry about this but it seems that the discussion board is down. I am looking through my W3SVC logs and noticed the following.... #Date: 2002-02-25 02:45:13 #Fields: date time c-ip cs-username s-ip s-port cs-method cs-uri-stem cs-uri-query sc-status cs(User-Agent) 2002-02-25 02:45:13 10.0.0.1 - 10.0.0.32 80 GET /robots.txt - 404 Mozilla/3.0+(Slurp/si;+slurp@xxxxxxxxxxx;+http://www.inktomi.com/slurp.html) 2002-02-25 03:03:14 10.0.0.1 - 10.0.0.32 80 GET /scripts/root.exe /c+dir 404 - 2002-02-25 03:03:14 10.0.0.1 - 10.0.0.32 80 GET /MSADC/root.exe /c+dir 403 - 2002-02-25 03:03:14 10.0.0.1 - 10.0.0.32 80 GET /c/winnt/system32/cmd.exe /c+dir 404 - 2002-02-25 03:03:14 10.0.0.1 - 10.0.0.32 80 GET /d/winnt/system32/cmd.exe /c+dir 404 - 2002-02-25 03:03:14 10.0.0.1 - 10.0.0.32 80 GET /scripts/..%5c../winnt/system32/cmd.exe /c+dir 500 - 2002-02-25 03:03:15 10.0.0.1 - 10.0.0.32 80 GET /_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe /c+dir 404 - 2002-02-25 03:03:15 10.0.0.1 - 10.0.0.32 80 GET /_mem_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe /c+dir 404 - 2002-02-25 03:03:15 10.0.0.1 - 10.0.0.32 80 GET /msadc/..%5c../..%5c../..%5c/..Á../..Á../..Á../winnt/system32/cmd.exe /c+dir 403 - 2002-02-25 03:03:15 10.0.0.1 - 10.0.0.32 80 GET /scripts/..Á../winnt/system32/cmd.exe /c+dir 500 - 10.0.0.1 is my ISA server and 10.0.0.32 is one of my webservers. Does this mean that my webserver is infected with the Nimda virus or that someone from outside infected with the Nimda and it's trying to attach to my webserver? 1) What can I do to block these requests from in ISA? 2) Is it possible to pass the user data onto the Webserver? It seems that anyone who tries to access my website from the outside is logged as if the request is coming from my ISA server. BTW- My websites are published in the ISA server. Thanks, Greg Foulks, MCP NewFound Technologies, Inc. http://www.nfti.com Email: greg.foulks@xxxxxxxx Voice: 614.318.5036 Fax: 614.318.5005