You've clipped quite a lot of information from the log, but since the request is being served by "w3proxy" instead of "w3reverseproxy", it appears that the request is coming from behind ISA.

My guess: you have an infected machine behind the ISA server.

Jim Harrison
MCP(NT4, W2K), A+, Network+, PCG
http://isaserver.org/authors/harrison/
Read the books!

----- Original Message -----
From: "Vinaykumar G" <G.Vinay@xxxxxxxxx>
To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
Sent: Wednesday, February 20, 2002 19:25
Subject: [isalist] same www scripts in ISA Logs Urgent!!!

http://www.ISAserver.org

Hi All,

I am also getting the same scripts in ISA Logs. But I see in my logs the 401 message indicating ISA did not allow the script to be executed, is that the case?

Below are the scripts I found in ISA Logs. What is that script www/c/wint/system32..... What exactly is someone trying to do? How do I block these scripts from getting executed?

Please let me know urgently.

anonymous - N 2002-02-20 01:21:01 w3proxy ISA - www - - - 70 3518 http TCP GET http://www/MSADC/root.exe?/c+dir - - 401 - - -
anonymous - N 2002-02-20 01:21:03 w3proxy ISA - www - - - 80 3518 http TCP GET http://www/c/winnt/system32/cmd.exe?/c+dir - - 401 - - -
anonymous - N 2002-02-20 01:21:05 w3proxy ISA - www - - - 80 3518 http TCP GET http://www/d/winnt/system32/cmd.exe?/c+dir - - 401 - - -
anonymous - N 2002-02-20 01:21:07 w3proxy ISA - www - - - 96 3518 http TCP GET http://www/scripts/..%255c../winnt/system32/cmd.exe?/c+dir - - 401 - - -
- -

Regards,
vinay.
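An added example, not part of the original thread: a small triage script that applies the reasoning in the reply to the four posted log lines, flagging the probe patterns they contain and using the service name to say which side of ISA the client is on. The token positions are an assumption read off the clipped lines above, not the full ISA log schema, and the origin labels are names chosen for this example.

```python
import re
from urllib.parse import unquote

# The four log lines as posted in the thread (already clipped by the poster).
POSTED = """\
anonymous - N 2002-02-20 01:21:01 w3proxy ISA - www - - - 70 3518 http TCP GET http://www/MSADC/root.exe?/c+dir - - 401 - - -
anonymous - N 2002-02-20 01:21:03 w3proxy ISA - www - - - 80 3518 http TCP GET http://www/c/winnt/system32/cmd.exe?/c+dir - - 401 - - -
anonymous - N 2002-02-20 01:21:05 w3proxy ISA - www - - - 80 3518 http TCP GET http://www/d/winnt/system32/cmd.exe?/c+dir - - 401 - - -
anonymous - N 2002-02-20 01:21:07 w3proxy ISA - www - - - 96 3518 http TCP GET http://www/scripts/..%255c../winnt/system32/cmd.exe?/c+dir - - 401 - - -
""".splitlines()

# Assumption: token order is taken from the clipped lines above.
LINE = re.compile(
    r"(?P<date>\d{4}-\d\d-\d\d) (?P<time>\d\d:\d\d:\d\d) (?P<svc>\S+) .*? "
    r"(?P<method>GET|POST|HEAD) (?P<url>\S+) \S+ \S+ (?P<status>\d{3})\b")

# Per the reply: w3proxy serves clients behind ISA; w3reverseproxy does not.
ORIGIN = {"w3proxy": "internal-client", "w3reverseproxy": "external-client"}

def normalize(url, rounds=3):
    """Percent-decode repeatedly (%255c -> %5c -> backslash), then unify slashes."""
    for _ in range(rounds):
        decoded = unquote(url)
        if decoded == url:
            break
        url = decoded
    return url.replace("\\", "/").lower()

def classify(line):
    """Return a finding dict for a suspicious request line, else None."""
    m = LINE.search(line)
    if not m:
        return None
    path, reasons = normalize(m["url"]), []
    if re.search(r"/(cmd|root)\.exe\?", path):
        reasons.append("shell-binary")      # command interpreter requested via URL
    if "/../" in path:
        reasons.append("traversal")         # only visible after full decoding
    if re.search(r"%25[0-9a-f]{2}", m["url"], re.I):
        reasons.append("double-encoding")   # an encoded percent sign in the raw URL
    if not reasons:
        return None
    return {"when": f'{m["date"]} {m["time"]}', "service": m["svc"],
            "origin": ORIGIN.get(m["svc"], "unknown"),
            "status": int(m["status"]), "reasons": reasons}

if __name__ == "__main__":
    for finding in filter(None, map(classify, POSTED)):
        print(finding)
```

Every posted line comes back with origin `internal-client`, which is the basis for looking for the source machine behind the ISA server rather than outside it.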