If you've seen either iteration of the code red worm in their IIS or ISA logs, check to see if you have "root.exe" in your inetpub\scripts directory, or "explorer.exe" in your root dir. If you have either file, MS recommends rebuilding the server. Unfortunately, I know this first hand. ----- Original Message ----- From: "Jim Harrison" <jim@xxxxxxxxxxxx> To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx> Sent: Monday, August 06, 2001 5:53 PM Subject: [isalist] Re: blocking Code Red > http://www.ISAserver.org > > > It doesn't; not as such. It simply doesn't recognize it as a valid request > as defined in your publishing rules and refuses it on that basis. > > Jim Harrison > MCP(2K), A+, Network+, PCG > > ----- Original Message ----- > From: "Talley, Scott" <stalley@xxxxxxxxxxxxxxxxx> > To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx> > Sent: Monday, August 06, 2001 2:28 PM > Subject: [isalist] blocking Code Red > > > http://www.ISAserver.org > > > Upon examining my ISA logs, I see that it has denied access approx. 20 times > per day to both versions of Code Red queries. My question is.. how does it > identify this request as malicious? > > Thank you, > Scott Talley > The Combined Group > > phone: 972.247.2621 x829 > fax: 972.247.2622 > e-mail: stalley@xxxxxxxxxxxxxxxxx > > > ------------------------------------------------------ > You are currently subscribed to this ISAserver.org Discussion List as: > jim@xxxxxxxxxxxx > To unsubscribe send a blank email to $subst('Email.Unsub') > > > > ------------------------------------------------------ > You are currently subscribed to this ISAserver.org Discussion List as: jschwarzkopf@xxxxxxxxxx > To unsubscribe send a blank email to $subst('Email.Unsub')