jsWalter <mailto:jsWalter at torres.ws> on Tuesday, August 12, 2003 11:47 PM said: > Some amateur has been pounding my server for weeks now... > > GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir It's most likely other machines that are infected with the nimda and/or codered worm. I don't know if the web server you are using can utilize ISAPI dll's like IIS can, but you should look into URLScan from Microsoft. It's a free utility that will filter out the GET requests received by the server. It's already got a pretty good default config file (iirc) so there may not need to be any tweaking on your part. What this program will do is, before the GET request is even seen by IIS it will have to go through the URLScan filter. If the request does not match any of the patterns (can't remember if they are regex or not, I sort of don't think they are) in the config file it will send the request to IIS. Conversely if it DOES match a pattern it is logged and then discarded. The webserver never even knows it happened. HTH, Chris.