I just need a quick log file question answered. I've got the following in my protection log: 11:53:28 AdminAccount MESSAGE Protection started successfully 11:53:32 AdminAccount MESSAGE IP Protection started successfully 11:59:24 AdminAccount IP-BLOCK 213.186.127.4 (Type: incoming, Port: 80) 11:59:24 AdminAccount IP-BLOCK 213.186.127.4 (Type: incoming, Port: 80) 11:59:32 AdminAccount IP-BLOCK 213.186.127.4 (Type: incoming, Port: 80) 11:59:32 AdminAccount IP-BLOCK 213.186.127.4 (Type: incoming, Port: 80) 11:59:40 AdminAccount IP-BLOCK 213.186.127.4 (Type: incoming, Port: 80) 11:59:56 AdminAccount IP-BLOCK 213.186.127.4 (Type: incoming, Port: 80) 12:09:26 AdminAccount IP-BLOCK 213.186.127.4 (Type: incoming, Port: 80) 12:09:26 AdminAccount IP-BLOCK 213.186.127.4 (Type: incoming, Port: 80) 12:09:34 AdminAccount IP-BLOCK 213.186.127.4 (Type: incoming, Port: 80) 12:19:45 AdminAccount IP-BLOCK 213.186.127.4 (Type: incoming, Port: 80) 12:19:45 AdminAccount IP-BLOCK 213.186.127.4 (Type: incoming, Port: 80) 12:19:45 AdminAccount IP-BLOCK 213.186.127.4 (Type: incoming, Port: 80) 12:19:53 AdminAccount IP-BLOCK 213.186.127.4 (Type: incoming, Port: 80) 12:20:01 AdminAccount IP-BLOCK 213.186.127.4 (Type: incoming, Port: 80) 12:20:17 AdminAccount IP-BLOCK 213.186.127.4 (Type: incoming, Port: 80) 12:30:35 AdminAccount IP-BLOCK 213.186.127.4 (Type: incoming, Port: 80) 12:30:35 AdminAccount IP-BLOCK 213.186.127.4 (Type: incoming, Port: 80) 12:30:35 AdminAccount IP-BLOCK 213.186.127.4 (Type: incoming, Port: 80) 12:40:53 (null) IP-BLOCK 213.186.127.4 (Type: incoming, Port: 80) 12:40:53 (null) IP-BLOCK 213.186.127.4 (Type: incoming, Port: 80) 12:40:53 (null) IP-BLOCK 213.186.127.4 (Type: incoming, Port: 80) 12:41:01 (null) IP-BLOCK 213.186.127.4 (Type: incoming, Port: 80) 12:41:09 (null) IP-BLOCK 213.186.127.4 (Type: incoming, Port: 80) 12:41:25 (null) IP-BLOCK 213.186.127.4 (Type: incoming, Port: 80) 12:51:35 (null) IP-BLOCK 213.186.127.4 (Type: incoming, Port: 80) 12:51:35 (null) IP-BLOCK 213.186.127.4 (Type: incoming, Port: 80) 12:51:35 (null) IP-BLOCK 213.186.127.4 (Type: incoming, Port: 80) 12:51:43 (null) IP-BLOCK 213.186.127.4 (Type: incoming, Port: 80) 12:51:51 (null) IP-BLOCK 213.186.127.4 (Type: incoming, Port: 80) 14:00:43 AdminAccount MESSAGE Protection started successfully 14:00:48 AdminAccount MESSAGE IP Protection started successfully 14:02:15 AdminAccount IP-BLOCK 213.186.127.4 (Type: incoming, Port: 80) 14:02:23 AdminAccount IP-BLOCK 213.186.127.4 (Type: incoming, Port: 80) 14:02:23 AdminAccount IP-BLOCK 213.186.127.4 (Type: incoming, Port: 80) 14:05:19 AdminAccount IP-BLOCK 213.186.127.4 (Type: incoming, Port: 80) 14:05:19 AdminAccount IP-BLOCK 213.186.127.4 (Type: incoming, Port: 80) 14:05:27 AdminAccount IP-BLOCK 213.186.127.4 (Type: incoming, Port: 80) 14:26:27 AdminAccount IP-BLOCK 213.186.127.4 (Type: incoming, Port: 80) 14:26:27 AdminAccount IP-BLOCK 213.186.127.4 (Type: incoming, Port: 80) 14:26:27 AdminAccount IP-BLOCK 213.186.127.4 (Type: incoming, Port: 80) 14:34:27 AdminAccount IP-BLOCK 31.214.169.124 (Type: incoming, Port: 80) 14:34:36 AdminAccount IP-BLOCK 31.214.169.124 (Type: incoming, Port: 80) 14:34:36 AdminAccount IP-BLOCK 31.214.169.124 (Type: incoming, Port: 80) 14:35:00 AdminAccount IP-BLOCK 31.214.169.124 (Type: incoming, Port: 80) 14:35:00 AdminAccount IP-BLOCK 31.214.169.124 (Type: incoming, Port: 80) 14:35:08 AdminAccount IP-BLOCK 31.214.169.124 (Type: incoming, Port: 80) 14:35:40 AdminAccount IP-BLOCK 31.214.169.124 (Type: incoming, Port: 80) 14:35:40 AdminAccount IP-BLOCK 31.214.169.124 (Type: incoming, Port: 80) 14:35:48 (null) IP-BLOCK 31.214.169.124 (Type: incoming, Port: 80) 14:37:32 AdminAccount IP-BLOCK 213.186.127.4 (Type: incoming, Port: 80) 14:37:32 AdminAccount IP-BLOCK 213.186.127.4 (Type: incoming, Port: 80) 14:37:32 AdminAccount IP-BLOCK 213.186.127.4 (Type: incoming, Port: 80) 14:38:52 AdminAccount IP-BLOCK 213.186.127.4 (Type: incoming, Port: 80) 14:38:52 AdminAccount IP-BLOCK 213.186.127.4 (Type: incoming, Port: 80) 14:38:52 AdminAccount IP-BLOCK 213.186.127.4 (Type: incoming, Port: 80) 15:08:41 AdminAccount IP-BLOCK 213.186.127.4 (Type: incoming, Port: 80) 15:08:41 AdminAccount IP-BLOCK 213.186.127.4 (Type: incoming, Port: 80) 15:08:42 AdminAccount IP-BLOCK 213.186.127.4 (Type: incoming, Port: 80) These are all INCOMING, one IP is in Ukraine and the other in Germany. I just need a quick explanation of 2 things: 1. Most of them have my admin account listed (I renamed it for the example above)...is that because there is actually some kind of attack that is attempting to use that account (which means that somehow they figured out the admin account name)...or is it because the IIS service is running under that account and the access is coming from port 80? 2. What does it mean when it has NULL instead of an account listed? Considering that these are all incoming and the server is online right now, I'm thinking that I don't have an active infection, just active attempts. We did have (4) "infected" files in our vBulletin forum earlier today (PHP/Webshell.NAG Trojan), but from what I'm reading of that particular issue, deleting the files and re-uploading from the originals cures it. We've deleted the files that were an issue, uploaded a new file set, but will not be putting the site live again until I'm confident we've taken every precaution to prevent it going forward. Our AntiVirus detected and quarantined the trojan, and subsequent AV and MBAM scans have revealed no further issues. So...am I likely correct in that these are just attempts to access...or is there something above that should cause me to look further? I couldn't find any kind of "how to read the log file" FAQ that explained the columns and answered my questions...and couldn't find anything with search. Sorry if this is already covered somewhere. THANK YOU!!!!!!!!!!!