Re: ISA Server Code Red Log entries

  • From: "Jim Harrison" <jim@xxxxxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Tue, 7 Aug 2001 07:39:27 -0700

First guess:  because your DNS server handed it out for a reverse-resolution
request.
I don't know how you're configured, but without hitting the web server
itself (and they haven't from that log entry), they can't derive the IP
address that way.
How do you have your DNS configured?

Jim Harrison
MCP(2K), A+, Network+, PCG

----- Original Message -----
From: "Gabriel Zabal" <gabriel@xxxxxxxxxxx>
To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
Sent: Tuesday, August 07, 2001 7:06 AM
Subject: [isalist] Re: ISA Server Code Red Log entries


http://www.ISAserver.org


Yeah, but why does the IP of the internal web server appear in the log?
Gabriel

-----Original Message-----
From: Jim Harrison [mailto:jim@xxxxxxxxxxxx]
Sent: Tuesday, August 07, 2001 10:35 a.m.
To: [ISAserver.org Discussion List]
Subject: [isalist] Re: ISA Server Code Red Log entries




Your ISA did not pass this request to your web server.  The "10053"
is ISA responding with "I don't understand that destination".  According
to the ISA help, 10053 is "No such device or address exists."

Jim Harrison
MCP(2K), A+, Network+, PCG

----- Original Message -----
From: Gabriel Zabal
To: [ISAserver.org Discussion List]
Sent: Tuesday, August 07, 2001 5:46 AM
Subject: [isalist] Re: ISA Server Code Red Log entries




Could you explain this log entry?
I'm not using an IP in the destination set on the web publishing rules,
and I'm only using Web Publishing rules, no server rules.
Why did the request pass the ISA, and how does it decide which web server
to send the request to?
I have several internal web servers.

211.97.113.5 anonymous - 2001-08-04 11:02:30 ISA - ExtIpISA
IP_Internal_WebServer 80 771 3818 - http GET
http://IP_Internal_Web_Server/default.ida?XXXXX ....XXXXXX Inet 10053

Gabriel

-----Original Message-----
From: Nicholas Palmer [mailto:NICK@xxxxxxxxxxx]
Sent: Monday, August 06, 2001 05:44 p.m.
To: [ISAserver.org Discussion List]
Subject: [isalist] Re: ISA Server Code Red Log entries




The http://168.65.50.21:12345 address is the address of IIS on the internal NIC
on the ISA server.  I followed the instructions to get the IIS server on the
ISA server to work by changing the port that IIS listens on to be 12345
instead of 80 and then use Web publishing to publish this web server.  The
server is patched and I've run the codered checker from the eeye web site
and it shows that this site is ok so I guess I'm good for now.

Nick.
-----Original Message-----
From: Jim Harrison [mailto:jim@xxxxxxxxxxxx]
Sent: Monday, August 06, 2001 12:58 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] Re: ISA Server Code Red Log entries




I personally advise against using IPs in destination sets, but I've also
heard many valid arguments for doing exactly that.  The only thing the "200"
means is that ISA let the request through.
One point to observe is that the request went to your web server at port
12345 (http://168.65.50.21:12345), so unless you were previously hacked, or
you've since patched and rebooted, your web server probably failed to
respond at all.

Jim Harrison
MCP(2K), A+, Network+, PCG


----- Original Message -----
From: Nicholas Palmer
To: [ISAserver.org Discussion List]
Sent: Monday, August 06, 2001 12:32
Subject: [isalist] ISA Server Code Red Log entries




I've been following the messages here on the latest code red worm and I've
seen several of the entries in my log files (WEBEX.....LOG)


61.221.240.50   anonymous       -       2001-08-04      14:56:07
GATEWAY -       www.worm.com    -       -       2323    4039    -       -
GET
http://www.worm.com/default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
NNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801
%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u00
78%u0000%u00=a      -       12202
And ...
24.1.178.131    anonymous       -       2001-08-04      15:09:34
GATEWAY -       209.151.234.200 168.65.50.21    12345   1933    3818    171
http    GET
http://168.65.50.21:12345/default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXX  Inet    200


My understanding of the first one is that the 12202 at the end means that
ISA blocked it.  But it's the other entry, with the Inet 200 at the end that
I'm concerned about.  Doesn't 200 mean that it was successful?  I've applied
the patches from MS faithfully, and when I try the Coderedchecker program I
come out OK.  Our IIS Server is on ISA server and I am publishing it with a
destination set that uses the IP address of the external NIC which I read
below could cause a problem.  Will this cause me any problems?
Thanks
Nick.
KCI Computing, Inc.
(nick@xxxxxxxxxxx)
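
The triage this thread does by hand (find the default.ida probes, then read the trailing result code) can be scripted. The following is an added example, not part of the original messages; the sample lines are constructed with documentation addresses, and the code meanings are only the readings given by the posters above.

```python
import re
from urllib.parse import urlsplit

# Code Red probes request default.ida with a long run of one filler
# character (N or X in the entries quoted in this thread).
PROBE = re.compile(r"/default\.ida\?([NX])\1{20,}", re.IGNORECASE)

# Result-code readings as given by the participants in this thread.
VERDICTS = {
    "12202": "blocked by ISA",
    "10053": "not passed to the web server",
    "200": "let through by ISA; confirm the published server is patched",
}

def triage(log_lines):
    """Return one (client_ip, target, code, verdict) tuple per probe line."""
    findings = []
    for line in log_lines:
        fields = line.split()
        url = next((f for f in fields if PROBE.search(f)), None)
        if url is None or len(fields) < 3:
            continue  # not a default.ida probe, or too short to read
        code = fields[-1]  # the result code is the last field of each entry
        verdict = VERDICTS.get(code, "unrecognised result code; review by hand")
        findings.append((fields[0], urlsplit(url).netloc, code, verdict))
    return findings

# Constructed sample lines (not real log data). Each entry is on one line,
# as in the log file itself; the field order follows the entries quoted above.
SAMPLE = [
    "192.0.2.10 anonymous - 2001-08-04 14:56:07 GATEWAY - www.example.test - - "
    "2323 4039 - - GET http://www.example.test/default.ida?" + "N" * 224 + " - 12202",
    "192.0.2.20 anonymous - 2001-08-04 15:09:34 GATEWAY - 198.51.100.1 198.51.100.21 "
    "12345 1933 3818 171 http GET http://198.51.100.21:12345/default.ida?"
    + "X" * 224 + " Inet 200",
    "203.0.113.5 anonymous - 2001-08-04 11:02:30 ISA - 198.51.100.1 10.0.0.80 80 "
    "771 3818 - http GET http://10.0.0.80/default.ida?" + "X" * 224 + " Inet 10053",
    "192.0.2.99 anonymous - 2001-08-04 15:10:00 GATEWAY - www.example.test - 80 "
    "10 20 300 http GET http://www.example.test/index.html Inet 200",
]

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(*finding, sep="  ")
```

Only the entries that ISA let through need follow-up on the published server; the blocked and undelivered ones are useful mainly as a list of scanning source addresses.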

