RE: Possible Virus with ISA

  • From: "cismic" <cismic@xxxxxxx>
  • To: "'[ISAserver.org Discussion List]'" <isalist@xxxxxxxxxxxxx>
  • Date: Thu, 23 Aug 2001 00:09:55 -0700

Tom,

My front ISA server is a firewall only server. Does it still maintain a
cache?  It is like looking at a needle in a haystack! When I accessed
the site from my internal network, I was still redirected to the fake
site.

Interesting thing to note.  My sites were offline for 2 1/2 weeks while
I read and worked with my site planning.  The first time I brought
them up this redirection happened.

Thank you for taking the time to respond!

Joseph


-----Original Message-----
From: Thomas W. Shinder [mailto:tshinder@xxxxxxxxxxxxxxxxxx] 
Sent: Wednesday, August 22, 2001 8:46 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Possible Virus with ISA

http://www.ISAserver.org


Hi Joseph,

Looks like the Cache was corrupt or received a bad referral. If it's
fixed now, I'd just watch it and see if it happens again.

Pretty interesting stuff, though.

HTH,
Tom
www.isaserver.org/shinder


Thomas W Shinder, M.D., MCSE, MCT

-----Original Message-----
From: cismic [mailto:cismic@xxxxxxx]
Sent: Wednesday, August 22, 2001 10:34 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] Possible Virus with ISA



Hello,

Does anyone know about the following possible virus?  I'm not receiving
any replies; I guess I'll get "PSS" from Microsoft involved and then
share what I find with the group.

Tonight I was finally able to have my DNS appear behind my firewall and
publish web sites. Thanks to all my really dumb sounding questions
and all the great answers I received from everyone!  Once I had the
appropriate settings in DNS and created my server publishing rule for
DNS, all was well.  I tried a couple of my sites and it was great seeing
them appear from a separate line dialing out to another ISP.

Then I tried to go to my http://www.cismic.com site and the following
was happening!
I was not able to access this site since it was being redirected to
212.227.118.93!!!! Not even my site identification by far.

I looked at my web publishing rule CISMIC and it showed the appropriate
internal web site address and yet this log entry shows
something completely different.  Where my internal site should appear
you can see 212.227.118.93.  The 304 code tells me that
it was being redirected.  I deleted the web publishing rule and then
tried to access the site and I received a 403 message, which is
what I expected.  I rebooted my ISA machine and added another web
publishing rule going to the same destination set and this time renamed
the rule www.cismic.com and the site worked.

Does anyone know how this type of redirection could have happened????
Please share with me any ideas that you may have! Now how can I really
tighten down the front ISA server firewall?

Thank you in advance, I'm off to sleep for a while but will be looking
for some answers and solutions later in the day.

Joseph
 
 
63.11.248.173    anonymous       Mozilla/4.0 (compatible; MSIE 5.0;
MSNIA; Windows 98; DigExt)  N          2001-08-20            10:28:47
W3ReverseProxy           LMSISA01         -           www.cismic.com
212.227.118.93  80            491       297       158       http
TCP      GET      http://www.cicmic.com/  -           Inet       304
0x40001002            CISMIC -
63.11.248.173    anonymous       Mozilla/4.0 (compatible; MSIE 5.0;
MSNIA; Windows 98; DigExt)  N          2001-08-20            10:28:47
W3ReverseProxy           LMSISA01         -           www.cismic.com
212.227.118.93  80            260       349       156       http
TCP      GET      http://www.cicmic.com/spicons/baustelle.gif         -
Inet            304       0x40001002       CISMIC -
63.11.248.173    anonymous       Mozilla/4.0 (compatible; MSIE 5.0;
MSNIA; Windows 98; DigExt)  N          2001-08-20            10:28:52
W3ReverseProxy           LMSISA01         -           www.cismic.com
212.227.118.93  80            261       297       158       http
TCP      GET      http://www.cicmic.com/  -           Inet       304
0x40001002            CISMIC -
63.11.248.173    anonymous       Mozilla/4.0 (compatible; MSIE 5.0;
MSNIA; Windows 98; DigExt)  N          2001-08-20            10:28:53
W3ReverseProxy           LMSISA01         -           www.cismic.com
212.227.118.93  80            260       349       156       http
TCP      GET      http://www.cicmic.com/spicons/baustelle.gif         -
Inet            304       0x40001002       CISMIC -
 
Tracert turned up the following; (less some routes of course)
23   230 ms   221 ms   230 ms  kundenserver.de [212.227.118.93]
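
A check a defender could run over the reverse-proxy log entries posted above, as an added example that is not part of the original thread: it flags W3ReverseProxy requests that were forwarded to a non-private address, and requests whose URL host differs from the logged destination host. The field names and their order are assumed from the positions in the posted entries, the published server is assumed to sit on a private address, and the third sample line is constructed.

```python
import ipaddress
from urllib.parse import urlsplit

# Field names and order are assumptions read off the positions in the posted entries.
FIELDS = ("c_ip cs_username c_agent sc_authenticated date time s_svcname "
          "s_computername cs_referred r_host r_ip r_port time_taken bytes_1 bytes_2 "
          "cs_protocol cs_transport s_operation cs_uri cs_mime_type s_object_source "
          "sc_status s_cache_info rule_1 rule_2").split()

UA = "Mozilla/4.0 (compatible; MSIE 5.0; MSNIA; Windows 98; DigExt)"
PRE = "63.11.248.173\tanonymous\t" + UA + "\tN\t2001-08-20\t"
SAMPLE = [
    # First two entries from the post, unwrapped and tab-separated.
    PRE + "10:28:47\tW3ReverseProxy\tLMSISA01\t-\twww.cismic.com\t212.227.118.93\t80"
          "\t491\t297\t158\thttp\tTCP\tGET\thttp://www.cicmic.com/\t-\tInet\t304"
          "\t0x40001002\tCISMIC\t-",
    PRE + "10:28:47\tW3ReverseProxy\tLMSISA01\t-\twww.cismic.com\t212.227.118.93\t80"
          "\t260\t349\t156\thttp\tTCP\tGET\thttp://www.cicmic.com/spicons/baustelle.gif"
          "\t-\tInet\t304\t0x40001002\tCISMIC\t-",
    # Constructed control entry: request forwarded to a private (internal) address.
    PRE + "10:30:00\tW3ReverseProxy\tLMSISA01\t-\twww.cismic.com\t192.168.1.10\t80"
          "\t120\t300\t900\thttp\tTCP\tGET\thttp://www.cismic.com/\t-\tInet\t200"
          "\t-\tCISMIC\t-",
]

def parse(line):
    parts = line.rstrip("\r\n").split("\t")
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}")
    return dict(zip(FIELDS, parts))

def findings(entry):
    out = []
    if entry["s_svcname"] != "W3ReverseProxy":
        return out                      # only published (inbound) requests are checked
    if entry["r_ip"] != "-":            # "-" means no upstream address was logged
        try:
            internal = ipaddress.ip_address(entry["r_ip"]).is_private
        except ValueError:
            internal = False            # unparseable address is treated as suspicious
        if not internal:
            out.append("upstream-not-internal")
    url_host = (urlsplit(entry["cs_uri"]).hostname or "").lower()
    if url_host != entry["r_host"].lower():
        out.append("url-host-differs-from-r-host")
    return out

def audit(lines):
    rows = ((e, findings(e)) for e in map(parse, lines))
    return [(e["time"], e["rule_1"], e["r_ip"], f) for e, f in rows if f]
```

Calling `audit(SAMPLE)` returns the two posted entries with both findings and leaves the constructed control entry out.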
 
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
cismic@xxxxxxx
To unsubscribe send a blank email to $subst('Email.Unsub')
