Jim, I'm not sure I understand... Don't allow "www" requests to pass?

I have a destination set up as follows:

Destination Set (NFTI)
  nfti.com
  www.nfti.com

Then I published the site specifying the Destination above, redirecting to its internal IP address. I'm sending the original host header information. Left the rest set to its defaults.

Q2 - Are you saying I should publish the server? Then I can get all of the original website details logged to my W3SVC logfiles. Then when I run Webtrends it will show who visited our website?

Thanks,
Greg Foulks, MCP
NewFound Technologies, Inc.
http://www.nfti.com
Email: greg.foulks@xxxxxxxx
Voice: 614.318.5036
Fax: 614.318.5005

-----Original Message-----
From: Jim Harrison [mailto:jim@xxxxxxxxxxxx]
Sent: Monday, February 25, 2002 3:32 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] Re: Question about logs

http://www.ISAserver.org

Q1 - The entries starting at 2002-02-25 03:03:14 are all Nimda requests that ISA allowed in. You should check out your WPR Dest Sets to ensure that you don't allow "www" requests to pass. The "WEB...log" will be of great assistance to you while you play with them. Any "all destinations" WPR is suspect from the start.

Q2 - Only by server-publishing, since proxying any request loses the original client IP.

Jim Harrison
MCP(NT4, W2K), A+, Network+, PCG
http://isaserver.org/authors/harrison/
Read the books!

----- Original Message -----
From: "Greg Foulks" <greg.foulks@xxxxxxxx>
To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
Sent: Monday, February 25, 2002 10:48
Subject: [isalist] Question about logs

http://www.ISAserver.org

Sorry about this, but it seems that the discussion board is down. I am looking through my W3SVC logs and noticed the following....

#Date: 2002-02-25 02:45:13
#Fields: date time c-ip cs-username s-ip s-port cs-method cs-uri-stem cs-uri-query sc-status cs(User-Agent)
2002-02-25 02:45:13 10.0.0.1 - 10.0.0.32 80 GET /robots.txt - 404 Mozilla/3.0+(Slurp/si;+slurp@xxxxxxxxxxx;+http://www.inktomi.com/slurp.html)
2002-02-25 03:03:14 10.0.0.1 - 10.0.0.32 80 GET /scripts/root.exe /c+dir 404 -
2002-02-25 03:03:14 10.0.0.1 - 10.0.0.32 80 GET /MSADC/root.exe /c+dir 403 -
2002-02-25 03:03:14 10.0.0.1 - 10.0.0.32 80 GET /c/winnt/system32/cmd.exe /c+dir 404 -
2002-02-25 03:03:14 10.0.0.1 - 10.0.0.32 80 GET /d/winnt/system32/cmd.exe /c+dir 404 -
2002-02-25 03:03:14 10.0.0.1 - 10.0.0.32 80 GET /scripts/..%5c../winnt/system32/cmd.exe /c+dir 500 -
2002-02-25 03:03:15 10.0.0.1 - 10.0.0.32 80 GET /_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe /c+dir 404 -
2002-02-25 03:03:15 10.0.0.1 - 10.0.0.32 80 GET /_mem_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe /c+dir 404 -
2002-02-25 03:03:15 10.0.0.1 - 10.0.0.32 80 GET /msadc/..%5c../..%5c../..%5c/..Á../..Á../..Á../winnt/system32/cmd.exe /c+dir 403 -
2002-02-25 03:03:15 10.0.0.1 - 10.0.0.32 80 GET /scripts/..Á../winnt/system32/cmd.exe /c+dir 500 -

10.0.0.1 is my ISA server and 10.0.0.32 is one of my webservers. Does this mean that my webserver is infected with the Nimda virus, or that someone from outside who is infected with Nimda is trying to attach to my webserver?

1) What can I do to block these requests in ISA?
2) Is it possible to pass the user data on to the webserver? It seems that anyone who tries to access my website from the outside is logged as if the request is coming from my ISA server.

BTW - My websites are published in the ISA server.

Thanks,
Greg Foulks, MCP
NewFound Technologies, Inc.
http://www.nfti.com
Email: greg.foulks@xxxxxxxx
Voice: 614.318.5036
Fax: 614.318.5005

------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as: jim@xxxxxxxxxxxx
To unsubscribe send a blank email to $subst('Email.Unsub')
------------------------------------------------------
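The W3SVC log quoted in the thread is in the W3C extended format, whose `#Fields:` directive names the columns, so the two questions above can be worked through in a short script. The following is an added example written for this thread; it is not code from the list, from ISA Server or from IIS. It parses log lines by the `#Fields` names, flags the request shapes Jim identifies as Nimda probes (requests for cmd.exe or root.exe, encoded `..\` traversal, and non-ASCII bytes from the overlong-UTF-8 variant), and reports what share of requests are logged with the proxy's own address, which is the attribution gap behind Jim's answer to Q2. The sample lines are constructed, adapted from the thread: the crawler's e-mail address is a placeholder, and the `%c1%1c` form stands in for the overlong-UTF-8 variant that this page's extraction rendered as "Á".

```python
"""Parse IIS W3C extended log lines and flag Nimda-style probe requests.

Added example for the ISAserver.org thread; assumes the #Fields directive
names the columns, as in the quoted log. Sample data below is constructed.
"""
import re
from urllib.parse import unquote_to_bytes

# Constructed sample, adapted from the log quoted in the thread.
SAMPLE_LOG = """\
#Date: 2002-02-25 02:45:13
#Fields: date time c-ip cs-username s-ip s-port cs-method cs-uri-stem cs-uri-query sc-status cs(User-Agent)
2002-02-25 02:45:13 10.0.0.1 - 10.0.0.32 80 GET /robots.txt - 404 Mozilla/3.0+(Slurp/si;+slurp@example.invalid)
2002-02-25 03:03:14 10.0.0.1 - 10.0.0.32 80 GET /scripts/root.exe /c+dir 404 -
2002-02-25 03:03:14 10.0.0.1 - 10.0.0.32 80 GET /MSADC/root.exe /c+dir 403 -
2002-02-25 03:03:14 10.0.0.1 - 10.0.0.32 80 GET /scripts/..%5c../winnt/system32/cmd.exe /c+dir 500 -
2002-02-25 03:03:15 10.0.0.1 - 10.0.0.32 80 GET /_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe /c+dir 404 -
2002-02-25 03:03:15 10.0.0.1 - 10.0.0.32 80 GET /scripts/..%c1%1c../winnt/system32/cmd.exe /c+dir 500 -
2002-02-25 03:10:02 10.0.0.1 - 10.0.0.32 80 GET /index.htm - 200 Mozilla/4.0+(compatible;+MSIE+5.5)
"""


def parse_w3c_log(text):
    """Return one dict per data line, keyed by the names in the #Fields directive."""
    fields = None
    records = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # IIS may re-emit this mid-file with new columns
            continue
        if line.startswith("#"):
            continue  # other directives: #Date, #Software, #Version
        if fields is None:
            raise ValueError(f"line {lineno}: data line before any #Fields directive")
        values = line.split(" ")  # spaces inside values are written as '+', so this is safe
        if len(values) != len(fields):
            raise ValueError(f"line {lineno}: expected {len(fields)} fields, got {len(values)}")
        records.append(dict(zip(fields, values)))
    return records


# Targets the probes in the thread ask for, matched after %xx decoding.
SHELL_TARGET = re.compile(rb"/(cmd|root)\.exe$", re.IGNORECASE)


def classify_request(uri_stem):
    """Return the reasons a URI stem looks like a worm probe (empty list if clean)."""
    raw = unquote_to_bytes(uri_stem)  # one level of percent-decoding, kept as bytes
    reasons = []
    if SHELL_TARGET.search(raw):
        reasons.append("command shell target")
    normalized = raw.replace(b"\\", b"/")  # IIS treats backslash as a path separator
    if b"../" in normalized:
        reasons.append("directory traversal")
    if any(byte >= 0x80 for byte in raw):
        reasons.append("non-ASCII bytes in path (overlong UTF-8 trick)")
    return reasons


def find_probes(records):
    """Collect the flagged requests with the fields an analyst wants at a glance."""
    findings = []
    for rec in records:
        reasons = classify_request(rec["cs-uri-stem"])
        if reasons:
            findings.append({
                "time": f"{rec['date']} {rec['time']}",
                "client": rec["c-ip"],
                "uri": rec["cs-uri-stem"],
                "status": rec["sc-status"],
                "reasons": reasons,
            })
    return findings


def attribution_gap(records, proxy_ip):
    """Fraction of requests whose logged client is the proxy itself, not the real source."""
    if not records:
        return 0.0
    masked = sum(1 for rec in records if rec["c-ip"] == proxy_ip)
    return masked / len(records)


if __name__ == "__main__":
    recs = parse_w3c_log(SAMPLE_LOG)
    for hit in find_probes(recs):
        print(f"{hit['time']} {hit['client']} {hit['status']} {hit['uri']}  <- {', '.join(hit['reasons'])}")
    print(f"requests attributed to the proxy itself: {attribution_gap(recs, '10.0.0.1'):.0%}")
```

Run as a script it lists the five probe lines and reports that every request in the sample carries the ISA server's address, which is exactly why the web server's own log cannot say who sent them while the site is web-published rather than server-published. A status code on its own does not prove compromise: a 404 means the requested path was absent, while the 500 responses on traversal requests are the ones worth checking on the web server itself.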