Hi Paul, The way the logs are layed out will show your ISA IP address first then the IP Address of the site that was attempting to talk to your site. In this case most are UDP transports using ports 2629, 2630 etc. They were attempting access to TCP transport 137. Which is a good thing. ISA blocked those. Read up on NETBIOS and directory traversal vulnerabilities. HTH, Joseph ----- Original Message ----- From: "Paul Crisp" <PCrisp@xxxxxxxxxxxxxxxxx> To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx> Sent: Wednesday, February 25, 2004 2:05 AM Subject: [isalist] Can anybody here me with IPPEXTD logs http://www.ISAserver.org I am getting the following appearing in my IPPEXTD logs. The first IP address is my external IP address of the ISA server and the second address changes. What is causing this? 2004-02-25 00:00:01 195.xxx.xxx.xxx 66.151.150.33 Udp 2629 137 BLOCKED 195.xxx.xxx.xxx 45 00 00 4e 89 91 00 00 80 11 00 00 c3 9d 37 fa 42 97 96 21 0a 45 00 89 00 3a 2e ed 2004-02-25 00:00:01 195.xxx.xxx.xxx 66.151.150.33 Udp 2630 137 BLOCKED 195.xxx.xxx.xxx 45 00 00 4e 89 92 00 00 80 11 00 00 c3 9d 37 fa 42 97 96 21 0a 46 00 89 00 3a 2e ea 2004-02-25 00:00:01 195.xxx.xxx.xxx 66.151.150.33 Udp 2631 137 BLOCKED 195.xxx.xxx.xxx 45 00 00 4e 89 93 00 00 80 11 00 00 c3 9d 37 fa 42 97 96 21 0a 47 00 89 00 3a 2e e7 2004-02-25 00:00:01 195.xxx.xxx.xxx 66.151.150.33 Udp 2632 137 BLOCKED 195.xxx.xxx.xxx 45 00 00 4e 89 94 00 00 80 11 00 00 c3 9d 37 fa 42 97 96 21 0a 48 00 89 00 3a 2e e4 2004-02-25 00:00:02 195.xxx.xxx.xxx 66.151.150.33 Udp 2629 137 BLOCKED 195.xxx.xxx.xxx 45 00 00 4e 89 fe 00 00 80 11 00 00 c3 9d 37 fa 42 97 96 21 0a 45 00 89 00 3a 2e df Paul Crisp Snr Network Support Analyst t: 020 7 827 5201 f: 020 7 827 5266 ------------------------------------------------------ List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ ------------------------------------------------------ Other Internet Software Marketing Sites: Leading Network Software Directory: http://www.serverfiles.com No.1 Exchange Server Resource Site: http://www.msexchange.org Windows Security Resource Site: http://www.windowsecurity.com/ Network Security Library: http://www.secinf.net/ Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com ------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as: cismic@xxxxxxx To unsubscribe send a blank email to $subst('Email.Unsub')