Sounds like some one's web server is not properly configured and patched. Ever hear of URLScan and IIS Lockdown? John T eServices For You "Seek, and ye shall find!" -----Original Message----- From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Crockett, Gregory Sent: Friday, June 02, 2006 8:06 AM To: isalist@xxxxxxxxxxxxx Subject: [isalist] Spykids defacement One of our web sites, www.servicesatrandolph.com <http://www.servicesatrandolph.com/> was defaced by Spykids. The defacement consisted of: spykids spykids spykids spykids spykids spykids spykids spykids spykids spykids spykids spykids spykids spykids spykids spykids spykids spykids spykid\n\ According to the ISA WebProxy, the Client Agent used was: Microsoft Data Access Internet Publishing Provider DAV 1.1, with the Operation "PUT". They changed the default.* file. Since, I turned on HTTP Filter to block the PUT Method. Will this stop the above intrusion? Is there anything else I can do to block this intrusion? Speaking of the proxy log - what's up with the ClientIP field? Should I have a decoder ring to crack the IP address? The IIS log revealed the ip address originated in Argentina. TIA greg All mail to and from this domain is scrutinized by the Scrutinizer.