First guess: because your DNS server handed it out for a reverse-resolution request. I don't know how you're configured, but without hitting the web server itself (and they haven't from that log entry), they can't derive the IP address that way.

How do you have your DNS configured?

Jim Harrison
MCP(2K), A+, Network+, PCG

----- Original Message -----
From: "Gabriel Zabal" <gabriel@xxxxxxxxxxx>
To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
Sent: Tuesday, August 07, 2001 7:06 AM
Subject: [isalist] Re: ISA Server Code Red Log entries

http://www.ISAserver.org

Yeah, but why does the IP of the internal web server appear in the log?

Gabriel

-----Original Message-----
From: Jim Harrison [mailto:jim@xxxxxxxxxxxx]
Sent: Tuesday, August 07, 2001 10:35 a.m.
To: [ISAserver.org Discussion List]
Subject: [isalist] Re: ISA Server Code Red Log entries

Your ISA did not pass this request to your web server. The "10053" is ISA responding with "I don't understand that destination". According to the ISA help, 10053 is "No such device or address exists."

Jim Harrison
MCP(2K), A+, Network+, PCG

----- Original Message -----
From: Gabriel Zabal
To: [ISAserver.org Discussion List]
Sent: Tuesday, August 07, 2001 5:46 AM
Subject: [isalist] Re: ISA Server Code Red Log entries

Could you explain this log entry? I'm not using IP in the destination set, in the web publishing rules, and I'm only using Web Publishing rules, no server rules. Why does the request pass the ISA, and how does it decide which web server to send the request to? I have several internal web servers.

211.97.113.5 anonymous - 2001-08-04 11:02:30 ISA - ExtIpISA IP_Internal_WebServer 80 771 3818 - http GET http://IP_Internal_Web_Server/default.ida?XXXXX ....XXXXXX Inet 10053

Gabriel

-----Original Message-----
From: Nicholas Palmer [mailto:NICK@xxxxxxxxxxx]
Sent: Monday, August 06, 2001 05:44 p.m.
To: [ISAserver.org Discussion List]
Subject: [isalist] Re: ISA Server Code Red Log entries

The http://168.65.50.21:12345 address is the address of IIS on the internal NIC on the ISA server. I followed the instructions to get the IIS server on the ISA server to work by changing the port that IIS listens on to be 12345 instead of 80 and then using Web publishing to publish this web server. The server is patched and I've run the codered checker from the eEye web site and it shows that this site is ok, so I guess I'm good for now.

Nick.

-----Original Message-----
From: Jim Harrison [mailto:jim@xxxxxxxxxxxx]
Sent: Monday, August 06, 2001 12:58 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] Re: ISA Server Code Red Log entries

I personally advise against using IPs in destination sets, but I've also heard many valid arguments for doing exactly that. The only thing the "200" means is that ISA let the request through. One point to observe is that the request went to your web server at port 12345 (http://168.65.50.21:12345), so unless you were previously hacked, or you've since patched and rebooted, your web server probably failed to respond at all.

Jim Harrison
MCP(2K), A+, Network+, PCG

----- Original Message -----
From: Nicholas Palmer
To: [ISAserver.org Discussion List]
Sent: Monday, August 06, 2001 12:32
Subject: [isalist] ISA Server Code Red Log entries

I've been following the messages here on the latest code red worm and I've seen several of the entries in my log files (WEBEX.....LOG)

WARNING : Log entries with dangerous links :
WARNING : Log entries with dangerous links :

61.221.240.50 anonymous - 2001-08-04 14:56:07 GATEWAY - www.worm.com - - 2323 4039 - - GET
http://www.worm.com/default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
NNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801
%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u00
78%u0000%u00=a - 12202

And ...

24.1.178.131 anonymous - 2001-08-04 15:09:34 GATEWAY - 209.151.234.200 168.65.50.21 12345 1933 3818 171 http GET
http://168.65.50.21:12345/default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXX Inet 200

My understanding of the first one is that the 12202 at the end means that ISA blocked it. But it's the other entry, with the Inet 200 at the end, that I'm concerned about. Doesn't 200 mean that it was successful? I've applied the patches from MS faithfully, and when I try the Coderedchecker program I come out OK.

Our IIS Server is on the ISA server and I am publishing it with a destination set that uses the IP address of the external NIC, which I read below could cause a problem. Will this cause me any problems?

Thanks

Nick.
KCI Computing, Inc.
(nick@xxxxxxxxxxx)
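
The log reading discussed in this thread can be automated. The following is an added example, not part of the original messages: it flags default.ida requests padded with filler and groups them by the final result code. It assumes whitespace-separated fields with the URL right after GET and the result code last; the sample lines are constructed from the quoted entries with shortened filler, and the result-code notes repeat what the participants say rather than ISA documentation.

```python
import re
from urllib.parse import urlsplit

# Result-code meanings as the thread's participants describe them
# (assumption: not checked against ISA Server documentation).
RESULT_NOTES = {
    "12202": "blocked by ISA",
    "10053": "answered by ISA itself, not passed to a web server",
    "200": "let through by ISA; verify the published server is patched",
}

# A long run of one repeated letter, like the N/X filler in the quoted entries.
FILLER = re.compile(r"([A-Za-z])\1{15,}")

def build_sample_log():
    """Constructed lines modelled on the thread's entries, filler shortened."""
    n, x = "N" * 40, "X" * 40
    return "\n".join([
        "61.221.240.50 anonymous - 2001-08-04 14:56:07 GATEWAY - www.worm.com "
        f"- - 2323 4039 - - GET http://www.worm.com/default.ida?{n}%u9090%u6858 - 12202",
        "24.1.178.131 anonymous - 2001-08-04 15:09:34 GATEWAY - 209.151.234.200 "
        f"168.65.50.21 12345 1933 3818 171 http GET http://168.65.50.21:12345/default.ida?{x} Inet 200",
        "211.97.113.5 anonymous - 2001-08-04 11:02:30 ISA - ExtIpISA IP_Internal_WebServer "
        f"80 771 3818 - http GET http://IP_Internal_Web_Server/default.ida?{x} Inet 10053",
        # Ordinary request (constructed) that must not be flagged.
        "192.0.2.10 anonymous - 2001-08-04 15:10:02 GATEWAY - 209.151.234.200 "
        "168.65.50.21 12345 40 512 171 http GET http://168.65.50.21:12345/index.htm Inet 200",
    ])

def triage(log_text):
    """Return one finding per request for an .ida URL padded with filler."""
    findings = []
    for line in log_text.splitlines():
        fields = line.split()
        if "GET" not in fields[:-1]:      # need a URL token after GET
            continue
        url = urlsplit(fields[fields.index("GET") + 1])
        if not url.path.lower().endswith(".ida") or not FILLER.search(url.query):
            continue
        code = fields[-1]
        findings.append({
            "client": fields[0],
            "target": url.netloc,
            "code": code,
            "passed_by_isa": code == "200",
            "note": RESULT_NOTES.get(code, "unknown result code"),
        })
    return findings

if __name__ == "__main__":
    for f in triage(build_sample_log()):
        print(f["client"], f["target"], f["code"], "-", f["note"])
```

Entries with `passed_by_isa` set are the ones to follow up on the published web server, as with the "Inet 200" entry in the thread.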