I've create a destination set to block code red. By these infected servers are still getting past my ISA server and I can't figure out why. Can someone please help? It looks like this Destination Set-Block CodeRed Destination Path * /scripts/root.exe /c+dir * /MSADC/root.exe /c+dir * /c/winnt/system32/cmd.exe /c+dir * /d/winnt/system32/cmd.exe /c+dir * /scripts/..%5c../winnt/system32/cmd.exe /c+dir * /_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe /c+dir * /_mem_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe /c+dir * /msadc/..%5c../..%5c../..%5c/..Á../..Á../..Á../winnt/system32/cmd.exe /c+dir * /scripts/..Á../winnt/system32/cmd.exe /c+dir * /scripts/winnt/system32/cmd.exe /c+dir * /winnt/system32/cmd.exe /c+dir * /winnt/system32/cmd.exe /c+dir * /scripts/..%5c../winnt/system32/cmd.exe /c+dir * /scripts/..%5c../winnt/system32/cmd.exe /c+dir * /scripts/..%5c../winnt/system32/cmd.exe /c+dir * /scripts/..%2f../winnt/system32/cmd.exe /c+dir My site and Content Rule "Block CodeRed" is defined as Scope-Array,Action-Deny,Applies To-Any Request,Schedule-Always,Destination-Block CodeRed,Content-All Even with all of this set I still get this trash logging to my webserver's logfiles. /scripts/root.exe /c+dir 404 2 3396 72 47 HTTP/1.0 www - - - 2002-03-04 21:52:51 12.96.204.13 - W3SVC1 WEBKEEPER 10.0.0.32 80 GET /MSADC/root.exe /c+dir 403 5 3439 70 31 HTTP/1.0 www - - - 2002-03-04 21:52:55 12.96.204.13 - W3SVC1 WEBKEEPER 10.0.0.32 80 GET /c/winnt/system32/cmd.exe /c+dir 404 3 3396 80 32 HTTP/1.0 www - - - 2002-03-04 21:52:59 12.96.204.13 - W3SVC1 WEBKEEPER 10.0.0.32 80 GET /d/winnt/system32/cmd.exe /c+dir 404 3 3396 80 31 HTTP/1.0 www - - - 2002-03-04 21:53:03 12.96.204.13 - W3SVC1 WEBKEEPER 10.0.0.32 80 GET /scripts/..%5c../winnt/system32/cmd.exe /c+dir 500 87 0 96 0 HTTP/1.0 www - - - 2002-03-04 21:53:07 12.96.204.13 - W3SVC1 WEBKEEPER 10.0.0.32 80 GET /_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe /c+dir 404 3 3396 117 31 HTTP/1.0 www - - - 2002-03-04 21:53:11 12.96.204.13 - W3SVC1 WEBKEEPER 10.0.0.32 80 GET /_mem_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe /c+dir 404 3 3396 117 31 HTTP/1.0 www - - - 2002-03-04 21:53:15 12.96.204.13 - W3SVC1 WEBKEEPER 10.0.0.32 80 GET /msadc/..%5c../..%5c../..%5c/..Á../..Á../..Á../winnt/system32/cmd.exe /c+dir 403 5 3439 145 16 HTTP/1.0 www - - - 2002-03-04 21:53:19 12.96.204.13 - W3SVC1 WEBKEEPER 10.0.0.32 80 GET /scripts/..Á../winnt/system32/cmd.exe /c+dir 500 123 0 97 16 HTTP/1.0 www - - - 2002-03-04 21:53:23 12.96.204.13 - W3SVC1 WEBKEEPER 10.0.0.32 80 GET /scripts/winnt/system32/cmd.exe /c+dir 404 3 3396 97 31 HTTP/1.0 www - - - 2002-03-04 21:53:27 12.96.204.13 - W3SVC1 WEBKEEPER 10.0.0.32 80 GET /winnt/system32/cmd.exe /c+dir 404 3 3396 97 31 HTTP/1.0 www - - - 2002-03-04 21:53:31 12.96.204.13 - W3SVC1 WEBKEEPER 10.0.0.32 80 GET /winnt/system32/cmd.exe /c+dir 404 3 3396 97 31 HTTP/1.0 www - - - 2002-03-04 21:53:35 12.96.204.13 - W3SVC1 WEBKEEPER 10.0.0.32 80 GET /scripts/..%5c../winnt/system32/cmd.exe /c+dir 500 87 0 98 0 HTTP/1.0 www - - - 2002-03-04 21:53:39 12.96.204.13 - W3SVC1 WEBKEEPER 10.0.0.32 80 GET /scripts/..%5c../winnt/system32/cmd.exe /c+dir 500 87 0 96 0 HTTP/1.0 www - - - 2002-03-04 21:53:43 12.96.204.13 - W3SVC1 WEBKEEPER 10.0.0.32 80 GET /scripts/..%5c../winnt/system32/cmd.exe /c+dir 500 87 0 100 0 HTTP/1.0 www - - - 2002-03-04 21:53:47 12.96.204.13 - W3SVC1 WEBKEEPER 10.0.0.32 80 GET /scripts/..%2f../winnt/system32/cmd.exe /c+dir 500 87 0 96 0 HTTP/1.0 www - - - Greg Foulks, MCP NewFound Technologies, Inc. http://www.nfti.com Email: greg.foulks@xxxxxxxx Voice: 614.318.5036 Fax: 614.318.5005 -----Original Message----- From: Greg Foulks [mailto:greg.foulks@xxxxxxxx] Sent: Monday, March 04, 2002 2:47 PM To: [ISAserver.org Discussion List] Subject: [isalist] Need Help with a Published Server http://www.ISAserver.org I changed a published website to a published server. Basically I removed the rule from the Web Published rules Then I created a Rule in the Server Publishing Rules that points and external IP to and Internal IP using a Port 80 Inbound protocol. Everything seems to work just fine for awhile then all of a sudden my website stops being served. This error is given in the browser 403 Forbidden - The server denies the specified Uniform Resource Locator (URL). Contact the server administrator. (12202) Internet Security and Acceleration Server If I reboot the ISA server it returns to working for awhile then again it just stops. Does anyone have an idea why this is going on? I shouldn't have to do this in order to serve up a website. Before you ask why I'm using Server Publishing rather than Web Publishing---- I need the detailed info for reporting that server publishing delivers. Thanks for any help! Greg Foulks, MCP NewFound Technologies, Inc. http://www.nfti.com Email: greg.foulks@xxxxxxxx Voice: 614.318.5036 Fax: 614.318.5005 ------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as: greg.foulks@xxxxxxxx To unsubscribe send a blank email to $subst('Email.Unsub')