It seems like my server is getting hacked over and over and over and over... by the same 2 IP addresses. I have all the security updates available, I have my firewall enabled, I'm behind a router...
Here is an example of the attempts:
67.172.2.184 - - [23/Jun/2005:18:12:18 -0700] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 1011
67.172.2.184 - - [23/Jun/2005:18:12:18 -0700] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 1011
67.172.2.184 - - [23/Jun/2005:18:12:18 -0700] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 1011
67.172.2.184 - - [23/Jun/2005:18:12:19 -0700] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 1011
67.172.2.184 - - [23/Jun/2005:18:12:19 -0700] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 236
67.172.2.184 - - [23/Jun/2005:18:12:19 -0700] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 236
67.172.2.184 - - [23/Jun/2005:18:12:20 -0700] "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 236
67.172.2.184 - - [23/Jun/2005:18:12:22 -0700] "GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 236
67.172.2.184 - - [23/Jun/2005:18:12:22 -0700] "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 236
This b---tard especially tries to hack me every hour at least. What am I doing wrong?

Those are Nimda worm scans. See here for more details - in particular, scroll down to the "system footprint" section for a list of log entries you can expect to be generated by Nimda.
Any public web server will be subjected to these periodically. The presence of those lines in your log files alone does not indicate that your server has been compromised or that you are the target of a directed attack. There is nothing to worry about as long as your server is patched and secured.
>>this b---tard especially, tries to hack me, every hour at least
This "b*!@~*&%" is almost certainly an unwitting participant in the attack. His box is compromised and is being used to scan your server, among many thousands of others. Your time would be much better spent securing your systems rather than trying to react every time you are probed for vulnerabilities.
>>What am I doing wrong?
As far as I can see, nothing. You say your system is patched, which is good. That, and securely configuring your OS and daemons, are about 90% of what you need to do. I can recommend a few good mailing lists to subscribe to if you want some good reading on those subjects.
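
A log-triage sketch for the point made in the reply above, added here as an example and not part of the original thread: it flags requests for root.exe or cmd.exe after undoing the double percent-encoding, counts them per source address, and lists any that the server answered with a 2xx status. The function names and the two 192.0.2.10 lines are constructed for illustration.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Common log format: host, ident, user, [timestamp], "request", status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"\S+ (?P<target>\S+)[^"]*" (?P<status>\d{3}) \S+'
)
# The probes in the question all ask for a Windows shell binary.
PROBE_RE = re.compile(r'[\\/](?:root|cmd)\.exe(?:\?|$)', re.I)

def normalize(target, rounds=3):
    """Percent-decode repeatedly so %255c and %25%35%63 both become a backslash."""
    for _ in range(rounds):
        decoded = unquote(target)
        if decoded == target:
            break
        target = decoded
    return target

def triage(lines):
    """Return (probe count per source IP, probes the server answered with 2xx)."""
    per_ip, answered = Counter(), []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or not PROBE_RE.search(normalize(m["target"])):
            continue
        per_ip[m["ip"]] += 1
        if m["status"].startswith("2"):  # the question's probes all got 404 or 400
            answered.append((m["ip"], m["ts"], m["target"]))
    return per_ip, answered

SAMPLE = [
    # Three lines copied from the question's log excerpt.
    '67.172.2.184 - - [23/Jun/2005:18:12:18 -0700] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 1011',
    '67.172.2.184 - - [23/Jun/2005:18:12:19 -0700] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 236',
    '67.172.2.184 - - [23/Jun/2005:18:12:22 -0700] "GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 236',
    # Constructed lines (not from the thread): a normal hit, then a probe answered with 200.
    '192.0.2.10 - - [23/Jun/2005:18:13:02 -0700] "GET /index.html HTTP/1.0" 200 5120',
    '192.0.2.10 - - [23/Jun/2005:18:13:05 -0700] "GET /scripts/root.exe?/c+dir HTTP/1.0" 200 734',
]

if __name__ == "__main__":
    counts, answered = triage(SAMPLE)
    for ip, n in counts.most_common():
        print(f"{ip}: {n} probe requests")
    for ip, ts, target in answered:
        print(f"INVESTIGATE: {ip} at {ts} got 2xx for {target}")
```

Probe lines that end in 404 or 400, like every line in the question, are background noise; a probe line with a 2xx status is the one worth a closer look.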

This post is quite old and has been locked from receiving new replies. Please create a new posting instead.