Those are Nimda scans. Since the response code is "401", ISA tried to allow the request, but authorization failure stopped it. ISA should be blocking those with a 1220x response. How are you publishing your web sites; IP or name? Jim Harrison MCP(NT4, W2K), A+, Network+, PCG http://isaserver.org/authors/harrison/ Read the books! ----- Original Message ----- From: "Vinaykumar G" <G.Vinay@xxxxxxxxx> To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx> Sent: Wednesday, February 13, 2002 22:41 Subject: [isalist] Urgent please!!! http://www.ISAserver.org Hi All, Iam using ISA server in Integrated mode and have published some webservers behind it and I reguralry check the ISA logs and strangely I found the following entries in my ISA log............ What are these entries? please let me know urgently............ anonymous w3proxy ISA http://www/scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir - - 401 - - - -anonymous GET http://www/scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir - - 401 - - - Regards, vinay. ------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as: jim@xxxxxxxxxxxx To unsubscribe send a blank email to $subst('Email.Unsub')