Yes, but just because the front door of the building has a security guard standing there checking everything and everyone out next you do not assume some one in the building is free to do what ever they please. John T eServices For You "Seek, and ye shall find!" -----Original Message----- From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Crockett, Gregory Sent: Friday, June 02, 2006 10:57 AM To: isalist@xxxxxxxxxxxxx Subject: [isalist] Re: Spykids defacement Doesn't ISA block the same HTTP request as Urlscan? greg _____ From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of John T (Lists) Sent: Friday, June 02, 2006 12:27 PM To: isalist@xxxxxxxxxxxxx Subject: [isalist] Re: Spykids defacement Sounds like some one's web server is not properly configured and patched. Ever hear of URLScan and IIS Lockdown? John T eServices For You "Seek, and ye shall find!" -----Original Message----- From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Crockett, Gregory Sent: Friday, June 02, 2006 8:06 AM To: isalist@xxxxxxxxxxxxx Subject: [isalist] Spykids defacement One of our web sites, www.servicesatrandolph.com <http://www.servicesatrandolph.com/> was defaced by Spykids. The defacement consisted of: spykids spykids spykids spykids spykids spykids spykids spykids spykids spykids spykids spykids spykids spykids spykids spykids spykids spykids spykid\n\ According to the ISA WebProxy, the Client Agent used was: Microsoft Data Access Internet Publishing Provider DAV 1.1, with the Operation "PUT". They changed the default.* file. Since, I turned on HTTP Filter to block the PUT Method. Will this stop the above intrusion? Is there anything else I can do to block this intrusion? Speaking of the proxy log - what's up with the ClientIP field? Should I have a decoder ring to crack the IP address? The IIS log revealed the ip address originated in Argentina. TIA greg All mail to and from this domain is scrutinized by the Scrutinizer.