The good news is: 1. all the requests came from outside (W3ReverseProxy), so you don't seem to have an infected machine inside 2. all the requests (www = Nimda, www.worm.com = Code Red) were rejected by ISA (12202 and 12005) Jim Harrison MCP(NT4, W2K), A+, Network+, PCG http://isaserver.org/authors/harrison/ Read the books! ----- Original Message ----- From: "Morvan Daniel Muller" <morvan@xxxxxxxxxxxxxxx> To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx> Sent: Wednesday, February 20, 2002 13:39 Subject: [isalist] www.worm.com in ISA Logs http://www.ISAserver.org ---------------------------------------------------------------------------- ---- Hello! I found in my ISA Logs "www.worm.com" ... It mean that my ISA box was compromised, or was used to attack other machines on the internet? Log attached "WEBEXTD20020212.log" - 26 Kbytes. PS: Server99 is my ISA's box hostname! On my ISA box, I have ISA sp1 applied and the last patch "w2kSP2SRollUPack1.exe" for win2000 server. Morvan. ---------------------------------------------------------------------------- ---- ------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as: jim@xxxxxxxxxxxx To unsubscribe send a blank email to $subst('Email.Unsub')